Page MenuHomePhabricator

Offboard Michael Grosse (WMDE) from WMF systems
Closed, ResolvedPublic

Description

Michael Gross ( https://phabricator.wikimedia.org/p/Michael/ l wikitech: Michael Große ) will no longer be a WMDE employee starting April 1, 2024. As their WMDE Engineering Manager I am requesting their offboarding from WMF systems.

Potentially incomplete list of permissions involved:

  • Remove from wmde LDAP group
  • Remove from nda LDAP group
  • Adjust privileged LDAP access (data.yaml)
  • Revoke permission to create Phabricator projects (acl*Project-Admins)

We might have missed some additional permissions that the user might have been granted. I'd appreciate if WMF staff audited that they no longer have any staff-related access to WMF systems.

A recent example of this offboarding for WMDE employee can be found here: https://phabricator.wikimedia.org/T344766

Event Timeline

Reedy renamed this task from Offboard Michael Grosse fgrom WMF systems to Offboard Michael Grosse from WMF systems.Mar 28 2024, 5:54 PM

Mentioned in SAL (#wikimedia-operations) [2024-04-01T17:58:42Z] <mutante> LDAP - removed uid migr from groups nda and wmde (T361266)

FYI I have disabled the Phabricator account @Michael as it is linked to the WMDE staff account https://www.mediawiki.org/wiki/User:Michael_Gro%C3%9Fe_(WMDE)

Change #1015995 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: disable shell user migr

https://gerrit.wikimedia.org/r/1015995

Change #1015995 merged by RLazarus:

[operations/puppet@production] admin: disable shell user migr

https://gerrit.wikimedia.org/r/1015995

Clinic duty SRE here, thanks @karapayneWMDE for the ticket. I merged https://gerrit.wikimedia.org/r/1015995 (thanks @Dzahn!) and followed up with

rzl@krb1001:~$ sudo manage_principals.py delete migr@WIKIMEDIA
Principal successfully deleted. Since the principal seems to be related to a user, make sure to update the krb flag in Puppet's data.yaml.

@MoritzMuehlenhoff Anything else to do here from an offboarding POV?

MoritzMuehlenhoff assigned this task to RLazarus.

Clinic duty SRE here, thanks @karapayneWMDE for the ticket. I merged https://gerrit.wikimedia.org/r/1015995 (thanks @Dzahn!) and followed up with

rzl@krb1001:~$ sudo manage_principals.py delete migr@WIKIMEDIA
Principal successfully deleted. Since the principal seems to be related to a user, make sure to update the krb flag in Puppet's data.yaml.

@MoritzMuehlenhoff Anything else to do here from an offboarding POV?

There were two additional NDA-relevant Phab groups (WMF-NDA and *acl*security_wmde), I've removed them using "offboard-user -p Michael" on mwmaint1002.

One final bit is the cleanup of HDFS data/homes on stat* hosts, I've filed https://phabricator.wikimedia.org/T361581 for this.

Everything else is done, resolving.

Also removed from wmde-mediawiki Gerrit group.

FYI I have disabled the Phabricator account @Michael as it is linked to the WMDE staff account https://www.mediawiki.org/wiki/User:Michael_Gro%C3%9Fe_(WMDE)

To keep the paper-trail happy: Since Michael was hired by WMF, I re-enabled the Phabricator account (per Michael's request), and it was re-linked to his new WMF account.

Aklapper renamed this task from Offboard Michael Grosse from WMF systems to Offboard Michael Grosse (WMDE) from WMF systems.Tue, Apr 16, 9:14 AM

Since Michael was hired by WMF

Do we expect a new access request to add him to "wmf" LDAP group, WMF-NDA in Phabricator etc?

Do we expect a new access request to add him to "wmf" LDAP group, WMF-NDA in Phabricator etc?

Already happened in https://phabricator.wikimedia.org/T362618