Page MenuHomePhabricator
Create Task
Maniphest T361266

Offboard Michael Grosse (WMDE) from WMF systems
Closed, ResolvedPublic
Actions

Description

Michael Gross ( https://phabricator.wikimedia.org/p/Michael/ l wikitech: Michael Große ) will no longer be a WMDE employee starting April 1, 2024. As their WMDE Engineering Manager I am requesting their offboarding from WMF systems.

Potentially incomplete list of permissions involved:

  • Remove from wmde LDAP group
  • Remove from nda LDAP group
  • Adjust privileged LDAP access (data.yaml)
  • Revoke permission to create Phabricator projects (acl*Project-Admins)

We might have missed some additional permissions that the user might have been granted. I'd appreciate if WMF staff audited that they no longer have any staff-related access to WMF systems.

A recent example of this offboarding for WMDE employee can be found here: https://phabricator.wikimedia.org/T344766

Details

SubjectRepoBranchLines +/-
admin: disable shell user migroperations/puppetproduction+6 -7
Customize query in gerrit

Related Objects

Event Timeline

karapayneWMDE created this task.Mar 28 2024, 5:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 5:44 PM
Reedy renamed this task from Offboard Michael Grosse fgrom WMF systems to Offboard Michael Grosse from WMF systems.Mar 28 2024, 5:54 PM
Maintenance_bot added a project: SRE.Mar 28 2024, 6:29 PM
Stashbot added a comment.Apr 1 2024, 5:58 PM

Mentioned in SAL (#wikimedia-operations) [2024-04-01T17:58:42Z] <mutante> LDAP - removed uid migr from groups nda and wmde (T361266)

Aklapper updated the task description. (Show Details)Apr 1 2024, 6:04 PM
Dzahn updated the task description. (Show Details)Apr 1 2024, 6:07 PM
Aklapper added a subscriber: Michael.Apr 1 2024, 6:11 PM

FYI I have disabled the Phabricator account @Michael as it is linked to the WMDE staff account https://www.mediawiki.org/wiki/User:Michael_Gro%C3%9Fe_(WMDE)

gerritbot added a comment.Apr 1 2024, 6:25 PM

Change #1015995 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: disable shell user migr

https://gerrit.wikimedia.org/r/1015995

gerritbot added a project: Patch-For-Review.Apr 1 2024, 6:25 PM
gerritbot added a comment.Apr 1 2024, 7:28 PM

Change #1015995 merged by RLazarus:

[operations/puppet@production] admin: disable shell user migr

https://gerrit.wikimedia.org/r/1015995

RLazarus updated the task description. (Show Details)Apr 1 2024, 7:31 PM
RLazarus added subscribers: MoritzMuehlenhoff, Dzahn, RLazarus.Apr 1 2024, 7:34 PM

Clinic duty SRE here, thanks @karapayneWMDE for the ticket. I merged https://gerrit.wikimedia.org/r/1015995 (thanks @Dzahn!) and followed up with

rzl@krb1001:~$ sudo manage_principals.py delete migr@WIKIMEDIA
Principal successfully deleted. Since the principal seems to be related to a user, make sure to update the krb flag in Puppet's data.yaml.

@MoritzMuehlenhoff Anything else to do here from an offboarding POV?

MoritzMuehlenhoff closed this task as Resolved.Apr 2 2024, 12:01 PM
MoritzMuehlenhoff assigned this task to RLazarus.
In T361266#9677523, @RLazarus wrote:

Clinic duty SRE here, thanks @karapayneWMDE for the ticket. I merged https://gerrit.wikimedia.org/r/1015995 (thanks @Dzahn!) and followed up with

rzl@krb1001:~$ sudo manage_principals.py delete migr@WIKIMEDIA
Principal successfully deleted. Since the principal seems to be related to a user, make sure to update the krb flag in Puppet's data.yaml.

@MoritzMuehlenhoff Anything else to do here from an offboarding POV?

There were two additional NDA-relevant Phab groups (WMF-NDA and *acl*security_wmde), I've removed them using "offboard-user -p Michael" on mwmaint1002.

One final bit is the cleanup of HDFS data/homes on stat* hosts, I've filed https://phabricator.wikimedia.org/T361581 for this.

Everything else is done, resolving.

Michael mentioned this in T362618: Grant Access to 'wmf' ldap group for Michael to allow logstash access.Tue, Apr 16, 8:58 AM
taavi subscribed.Tue, Apr 16, 9:04 AM

Also removed from wmde-mediawiki Gerrit group.

Urbanecm_WMF subscribed.EditedTue, Apr 16, 9:11 AM
In T361266#9677105, @Aklapper wrote:

FYI I have disabled the Phabricator account @Michael as it is linked to the WMDE staff account https://www.mediawiki.org/wiki/User:Michael_Gro%C3%9Fe_(WMDE)

To keep the paper-trail happy: Since Michael was hired by WMF, I re-enabled the Phabricator account (per Michael's request), and it was re-linked to his new WMF account.

Aklapper renamed this task from Offboard Michael Grosse from WMF systems to Offboard Michael Grosse (WMDE) from WMF systems.Tue, Apr 16, 9:14 AM
Dzahn added a comment.Tue, Apr 16, 9:05 PM
In T361266#9716925, @Urbanecm_WMF wrote:

Since Michael was hired by WMF

Do we expect a new access request to add him to "wmf" LDAP group, WMF-NDA in Phabricator etc?

MoritzMuehlenhoff added a comment.Tue, Apr 16, 9:41 PM

Do we expect a new access request to add him to "wmf" LDAP group, WMF-NDA in Phabricator etc?

Already happened in https://phabricator.wikimedia.org/T362618

Maintenance_bot removed a project: Patch-For-Review.Fri, Apr 26, 6:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL