$Cambridge: hermes/doc/misc/trust.txt,v 1.18 2005/11/08 11:42:52 dpc22 Exp $

Introduction
============

This document describes the trust dependencies between the different
systems in the Hermes and PPSW cluster.

The eventual goal is that all systems in the cluster trust Canvas, but
Canvas trusts no other systems.

Search for "cyrus-upload" for temporary dependencies that need to be in
place until 01/09/2004.

Trust is SSH authorized keys in all cases.

All SuSE systems (including canvas itself) trust root@canvas
============================================================

root@canvas -> root@
  Used for system postinstall. /export/autoyast is exported no_root_squash.

PPSW-N:
=======

crsadmin@canvas -> dist@ppsw-N:  (was .rhosts, now SSH)
  Used to distribute cyrus maps and passwords.

crsadmin@canvas -> msupport@ppsw-N:
  Used to check for active accounts by cyrus_move.pl.

dist@canvas -> dist@ppsw-N:
  Used to distribute lists, managed mail domains etc.

msupport@canvas-intramail -> msupport@ppsw-N-intramail  (was .rhosts, now ssh)
  Used for statistics gathering and log scanning.

Hermes-N:
=========

crsadmin@canvas -> dist@hermes-N-intramail  (was .rhosts, now ssh)
  Used to distribute NIS maps etc.

crsadmin@canvas -> msupport@hermes.cam.ac.uk
  Used to check for active accounts by cyrus_move.pl.

dist@canvas -> dist@hermes-N-intramail
  Used to fetch @lists and managed mail domain maps before push to PPSW.
  (key was incorrectly labelled as dist@ppsw: now fixed)

msupport@canvas-intramail -> msupport@hermes-N-intramail  (was .rhosts)
  Statistics gathering and log gathering.

root@hermes-N-intramail -> root@hermes-N-intramail
  rsync replications between the two hermes-N systems.

lists@hermes-N-intramail -> lists@lists-N-intramail
  Temporary dependency. Hermes downloads lists of active Mailman lists from
  lists-N-intramail once an hour and stores it in /data/lists/extra/mailman
  so we can block any further attempt to update that list using MSshell.
  Fixed command="ls /var/spool/mailman/lists" used at the lists end.
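The lists@hermes-N-intramail entry above is the model for how a trust in this
map should be locked down: a fixed command= on the receiving side so the key
can do one thing only. The following script is an added example, not part of
trust.txt, that audits an OpenSSH authorized_keys file for entries lacking that
kind of restriction. The key material and comments in SAMPLE_AUTHORIZED_KEYS
are constructed; the options it looks for (command=, from=, restrict, and the
no-* options) are real OpenSSH authorized_keys options, with restrict being a
newer option than the 2005 systems described here would have had.

```python
"""Audit an OpenSSH authorized_keys file for entries that grant more than a
single fixed command. Added example, not part of the original trust.txt;
the keys below are constructed placeholders, not real key material."""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

# Constructed sample: one entry in the style of the lists@hermes trust (fixed
# command, pinned source host, forwarding disabled), one bare key, and one
# restricted entry whose command value itself contains a comma.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, keys are placeholders
command="ls /var/spool/mailman/lists",from="hermes-1-intramail",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAA lists@hermes-1-intramail
ssh-rsa AAAAB3NzaC1yc2EAAAA crsadmin@canvas
restrict,command="/usr/local/bin/dist-receive --dir=/data/maps,ro" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA dist@canvas
"""

NO_FORWARDING = ("no-pty", "no-port-forwarding", "no-agent-forwarding",
                 "no-X11-forwarding")


def first_unquoted_space(s):
    """Index of the first whitespace outside double quotes, or -1.
    The options field contains no unquoted whitespace, but a command="..."
    value may contain spaces, so a plain split() would break it."""
    quoted = False
    for i, ch in enumerate(s):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return i
    return -1


def split_options(opts):
    """Split the comma-separated options field, honouring double quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_entry(line):
    """Return (options, keytype, comment) for one line, or None for
    blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i = first_unquoted_space(line)
    head = line if i < 0 else line[:i]
    if head in KEY_TYPES:
        options, rest = [], line          # no options field at all
    else:
        options, rest = split_options(head), line[i + 1:].lstrip()
    parts = rest.split(None, 2)           # keytype, base64 key, comment
    keytype = parts[0]
    comment = parts[2] if len(parts) > 2 else ""
    return options, keytype, comment


def audit(text):
    """Return [(comment, [problem, ...])] for every entry that is not pinned
    to a fixed command, a source host, and no-forwarding/no-pty."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        options, _keytype, comment = entry
        names = [o.split("=", 1)[0] for o in options]
        problems = []
        if "command" not in names:
            problems.append("no forced command")
        if "from" not in names:
            problems.append("no from= source restriction")
        if "restrict" not in names and not all(n in names for n in NO_FORWARDING):
            problems.append("forwarding/pty not disabled")
        if problems:
            findings.append((comment, problems))
    return findings


if __name__ == "__main__":
    for comment, problems in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment}: {', '.join(problems)}")
```

Run against a real file with audit(open(path).read()); every trust listed in
this document can then be compared with what the key on the receiving host
actually permits.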
Cyrus-N:
========

cyrus@cyrus-N <-> cyrus@cyrus-N:
  All Cyrus accounts trust each other for replication and backup purposes.
  Done across the public (Cambridge-wide private) network to leave the
  private network for user traffic from PPSW.

crsadmin@canvas -> cyrus@cyrus-N-intramail:  (SSH)
  Used to run mkuser to create new users on Cyrus systems.
  Used to check for active accounts by cyrus_move.pl (use msupport?).

crsadmin@canvas -> cyrus@cyrus-N-intramail:  (was .rhosts, now SSH)
  Used to distribute master maps from Canvas.
  Should probably be no cyrus account: cyrus user just needs read-only access.
  Used to push passwords to SuSE 9.0 systems (/var/imap-hermes/passwords).

crsadmin@canvas -> dist@cyrus-N-intramail:  (was .rhosts, now SSH)
  Used to distribute passwords every 30 minutes.
  Should probably use SSH, but not really a big deal over private network.
  Systems with /opt only.

msupport@canvas-intramail -> msupport@cyrus-N-intramail  (was .rhosts, now SSH)
  Used for quota changes by reception (setuid msupport script on Canvas calls
  setuid cyrus script on cyrus-N which is restricted to group cyrus, of which
  msupport is a member. Arguable that a dedicated group should be used).
  Used for log scanning.

Otanes
======

cyrus@cyrus-N <-> cyrus@otanes:
  Otanes schedules backups for cyrus-1 -> 16 onto its local disk overnight.

dump@canvas-intramail -> dump@otanes-N-intramail:
  Dump canvas -> otanes once a day.

dump@hermes-N-intramail -> dump@otanes-N-intramail:
  Replica Hermes system spools to Otanes once a day.

root@canvas-intramail -> root@otanes-intramail:
  Will be used for daily rsync canvas:/data -> otanes:/data.

dump@sesame.csx.cam.ac.uk -> dump@otanes
  Dump sesame -> otanes daily.

Otanes outgoing to run dumps?

dump@otanes -> dump@sesame.csx.cam.ac.uk
dump@otanes -> dump@canvas
dump@otanes -> dump@hermes-1-intramail
dump@otanes -> dump@magenta

Canvas
======

root@otanes -> root@canvas
  Used for immediate postinstall. /export/autoyast on Otanes is exported
  no_root_squash to canvas.
crsadmin@canvas-intramail -> dist@canvas-intramail  (was .rhosts, now SSH)
  Maps push to allow crsadmin to run as dist.

SSH keys used to talk with jackdaw:

crsadmin@canvas -> hermes@jackdaw
crsadmin@canvas -> ppsw@jackdaw
dist@canvas -> ppsw@jackdaw

CVS repository:

system@hermes-N-intramail -> ucvs@canvas
system@ppsw-N-intramail -> ucvs@canvas
system@cyrus-N-intramail -> ucvs@canvas
system@lists-N-intramail -> ucvs@canvas

** END **
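The introduction states the goal that every system trusts Canvas while Canvas
trusts no other system, yet several entries above (root@otanes, dump@otanes,
and the system@... -> ucvs@canvas keys for CVS) point the other way. The
script below is an added example, not part of trust.txt, that reads the
document's own "user@host -> user@host" / "user@host <-> user@host" lines,
folds the -intramail and fully qualified names onto one system name, and
lists the entries that contradict the stated goal. TRUST_TXT is a constructed
subset of the entries in this document, reproduced in the same format.

```python
"""Check the trust map's stated invariant: every system may trust canvas, but
canvas should trust no other system. Added example, not part of trust.txt;
TRUST_TXT below is a constructed subset of the document's own entries."""

import re
from dataclasses import dataclass

TRUST_TXT = """\
root@canvas -> root@
crsadmin@canvas -> dist@ppsw-N:  (was .rhosts, now SSH)
dist@canvas -> dist@hermes-N-intramail
root@hermes-N-intramail -> root@hermes-N-intramail
cyrus@cyrus-N <-> cyrus@cyrus-N:
cyrus@cyrus-N <-> cyrus@otanes:
dump@otanes -> dump@canvas
root@otanes -> root@canvas
crsadmin@canvas-intramail -> dist@canvas-intramail  (was .rhosts, now SSH)
crsadmin@canvas -> hermes@jackdaw
system@hermes-N-intramail -> ucvs@canvas
system@ppsw-N-intramail -> ucvs@canvas
"""

# One trust line: "user@host -> user@host" or "user@host <-> user@host", with
# an optional trailing colon and free text afterwards, as in the document.
# The destination host may be empty ("root@canvas -> root@" means any host).
EDGE_RE = re.compile(r"^\s*([\w.-]+)@([\w.-]*):?\s+(<->|->)\s+([\w.-]+)@([\w.-]*)")


@dataclass(frozen=True)
class Edge:
    src_user: str
    src_host: str
    dst_user: str
    dst_host: str

    def __str__(self):
        return f"{self.src_user}@{self.src_host} -> {self.dst_user}@{self.dst_host}"


def system_of(host):
    """Collapse network-specific names onto one system: canvas-intramail and
    canvas are the same machine, hermes.cam.ac.uk is hermes. An empty host
    (the wildcard in root@canvas -> root@) is reported as '*'."""
    if not host:
        return "*"
    name = host.split(".")[0]
    suffix = "-intramail"
    return name[:-len(suffix)] if name.endswith(suffix) else name


def parse_edges(text):
    """Directed trust edges; a '<->' line contributes one edge each way."""
    edges = []
    for line in text.splitlines():
        m = EDGE_RE.match(line)
        if not m:
            continue
        src_user, src_host, arrow, dst_user, dst_host = m.groups()
        edges.append(Edge(src_user, src_host, dst_user, dst_host))
        if arrow == "<->":
            edges.append(Edge(dst_user, dst_host, src_user, src_host))
    return edges


def incoming(text, system):
    """Edges that let some *other* system log in to `system`. Self-trust such
    as crsadmin@canvas-intramail -> dist@canvas-intramail is not counted."""
    return [e for e in parse_edges(text)
            if system_of(e.dst_host) == system and system_of(e.src_host) != system]


def goal_violations(text, hub="canvas"):
    """Entries that contradict 'hub trusts no other system', as strings."""
    return [str(e) for e in incoming(text, hub)]


if __name__ == "__main__":
    for v in goal_violations(TRUST_TXT):
        print("canvas trusts another system:", v)
```

Feeding the whole of trust.txt to goal_violations() gives the list of keys
that would have to be removed, or moved to a different host, before the goal
in the introduction is actually met.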