RT-EGI Upgrade and Customize Daniel Kouil, Michal ava EGI - - PowerPoint PPT Presentation

rt egi
SMART_READER_LITE
LIVE PREVIEW

RT-EGI Upgrade and Customize Daniel Kouil, Michal ava EGI - - PowerPoint PPT Presentation

Sep 25, 2023 178 likes •318 views

RT-EGI Upgrade and Customize Daniel Kouil, Michal ava EGI Back-office EGI web pages Web forum/blogs OpenCMS, WordPress Pebble, LimeSurvey EGI Wiki EGI IdM/SSO Mailing lists LDAP, Shibboleth IdP, Mailman

slide-1
SLIDE 1

RT-EGI

Upgrade and Customize Daniel Kouřil, Michal Šťava

slide-2
SLIDE 2

EGI Back-office

  • Web forum/blogs

○ Pebble, LimeSurvey

  • EGI IdM/SSO

○ LDAP, Shibboleth IdP, Eduroam radius

  • Jabber server
  • Confluence
  • DNS
  • EGI web pages

○ OpenCMS, WordPress

  • EGI Wiki
  • Mailing lists

○ Mailman

  • Conference Agenda

○ Indico

  • Documentation server
  • RT(IR)
slide-3
SLIDE 3

Transition to latest RTIR

slide-4
SLIDE 4

Upgrading in place

  • Move existing RT 3.8 with DB to new system

with Debian 8 (run it there)

  • Upgrade RT 3.8 to RT 4.2 and fix all behavior

○ Pros.: preserve all history, 2 small server

  • utages (1-3h each), almost unnoticeable for

RT users ○ Cons.: probably problem with moving old RT with old libraries to new system by copy, all at once - can’t use features before process

slide-5
SLIDE 5

Installing new instance from scratch

  • Create new RT 4.2 on Debian 8 system with new

address space (ex. rt-new.egi.eu)

  • Move RT Groups one by one
  • When done, switch addresses between them

○ Pros.: install from package, using features for some Groups even before end of process ○ Cons.: probably not preserve history, 2 parallel instances, users will notice, manual transition of configurations

slide-6
SLIDE 6

Summary

  • Timeline

○ Upgrading RT ■ move RT to Debian 8 - 2.-3.2016 ■ upgrade RT to 4.2 - 4.-5.2016 ○ New instance ■ new RT on Debian 8 - 2.-3.2016 ■ moving RT Groups - 4.-5.2016

  • Decision about the way - beginning Feb (TBC)

○ sync with other RT users

slide-7
SLIDE 7

Access control to tickets

slide-8
SLIDE 8

Goal

  • grant access to Security officers to their tickets

in Investigations RT Queue ○ reflect GOC DB changes of security officers in tickets ○ limit sending email twice or more to same person (for example one by alias, one by security officer email address)

slide-9
SLIDE 9

CSIRT Customization to RT-EGI

  • How RT authorization works:

○ Rights for whole queue ■ rights for groups (ex. irtf) ■ rights for users (bad scaling) ■ rights for roles on tickets:

  • Requestor
  • AdminCc - can see comments
  • Cc

○ Based heavily on mail addresses

slide-10
SLIDE 10

CSIRT Customization to RT-EGI

  • Possible solution - with respect to CSIRT

○ use roles on tickets (Req, Cc, AdminCc) ○ when creating new ticket set: ■ SITE and NGI security contacts to Requestor (to get emails about changes without comments) ■ set all SITE and NGI SO’s emails to Cc (set rights on Cc and turn off sending mails to Cc by RT) ■ No change in AdminCc

slide-11
SLIDE 11

CSIRT Customization to RT-EGI

  • How to dynamically change security officers in

ticket Cc? ○ RT 4.2 can set Group of users to Cc ○ we can synchronize groups from GocDB to RT ○ when creating a new ticket, we will set the right Group by choosing NGI and SITE (probably by name of Group)

  • Timeline: partially until 3.2016
slide-12
SLIDE 12

Reqs., discussions

  • Access to development instance - needed?
  • Toby’s massticket machinery - anything

missing, Rest changes?

  • Statistics on tickets
  • Mail storms on changes of ownership (Sophie)
  • Automatic closing empty incidents
  • Reply/comment when resolving
  • PGP/X.509 signing/encryption (to RT/users)
  • ….?
slide-13
SLIDE 13

CSIRT Customization to RT-EGI

  • Ideal solution with respect to RT:

○ queue for every SITE (separate addresses) ○ set groups with rights for every queue ○ synchronize members of queue from GocDB ○ let the other setting to be as it is