Do not require people to be explicitly added to the bastiononly group
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	yuvipanda
	Sep 29 2015, 7:24 PM

Description

Currently people who need access to stat* or other boxes need to be added manually to the particular target group and also to the bastiononly group, and a lot of times people trip up on the latter. Why is this manual addition required? Shouldn't giving access to any other group automatically imply access to bastion? If not why not?

Details

Subject	Repo	Branch	Lines +/-
admin: allow all active users to be applied	operations/puppet	production	+29 -15
Replace manually-maintained bastiononly group with the new 'all-users'	operations/puppet	production	+1 -19
Add all groups to general bastions, mostly empty bastiononly group	operations/puppet	production	+16 -15

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T142815 Enhance account handling (meta bug)
		Resolved		• AlexMonk-WMF	T114161 Do not require people to be explicitly added to the bastiononly group

Event Timeline

yuvipanda created this task.Sep 29 2015, 7:24 PM

yuvipanda raised the priority of this task from to Needs Triage.

yuvipanda updated the task description. (Show Details)

yuvipanda added a project: acl*sre-team.

yuvipanda subscribed.

Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptSep 29 2015, 7:24 PM

Krenair subscribed.Sep 29 2015, 9:00 PM

Change 227327 had a related patch set uploaded (by Alex Monk):
Add all groups to general bastions, mostly empty bastiononly group

https://gerrit.wikimedia.org/r/227327

gerritbot added a project: Patch-For-Review.Sep 29 2015, 10:28 PM

The main challenge with this is ensuring that while (almost?) all groups imply bastion access, only ops gets their sudo rules applied on bastions. Most users shouldn't have root access on bastions just because their group is intended to give them full sudo access on other machines.

I am thinking something more like https://gerrit.wikimedia.org/r/#/c/244471/

Dzahn triaged this task as Medium priority.Oct 19 2015, 11:22 PM

Dzahn subscribed.

Change 244471 had a related patch set uploaded (by Alex Monk):
admin: allow all active users to be applied

https://gerrit.wikimedia.org/r/244471

Change 227327 abandoned by Alex Monk:
Add all groups to general bastions, mostly empty bastiononly group

Reason:
in favour of I8f984e51

https://gerrit.wikimedia.org/r/227327

Change 301149 had a related patch set uploaded (by Alex Monk):
Replace manually-maintained bastiononly group with the new 'all-users'

https://gerrit.wikimedia.org/r/301149

• AlexMonk-WMF claimed this task.Jul 26 2016, 4:30 PM

Krenair mentioned this in rOPUP1c760a0d73b0: Replace manually-maintained bastiononly group with the new 'all-users'.Jul 26 2016, 4:36 PM

• AlexMonk-WMF added a parent task: T142815: Enhance account handling (meta bug).Aug 12 2016, 1:59 PM

Dzahn mentioned this in rOPUP85378fe2aad4: Replace manually-maintained bastiononly group with the new 'all-users'.Aug 19 2016, 10:44 PM

Change 301149 merged by Dzahn:
Replace manually-maintained bastiononly group with the new 'all-users'

https://gerrit.wikimedia.org/r/301149

Dzahn mentioned this in rOPUP2c6101d2ed7e: Replace manually-maintained bastiononly group with the new 'all-users'.Aug 19 2016, 10:55 PM

Merged that one after it had a couple +1, checked on bastions. It really just created the "dkg" user as expected. No other change. And now there is no more "bastiononly" group.

I think that resolves the ticket.

• AlexMonk-WMF closed this task as Resolved.Aug 20 2016, 8:02 AM

Change 244471 abandoned by Rush:
admin: allow all active users to be applied

Reason:
hooray, already done

https://gerrit.wikimedia.org/r/244471

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:47 PM