Page MenuHomePhabricator

Request "wmf" group assignments for account "sniedzielski"
Closed, ResolvedPublic


Hello! I'm trying to access a Jenkins job configuration page and @hashar kindly informed me my groups aren't configured properly for my account, sniedzielski. This ticket is too add me to the wmf and nda groups.

Background from

Since you are a WMF staff your labs account should be in the ldap groups 'wmf' and 'nda' , the 'wmf' group would grant you full admin rights on jenkins :}

Event Timeline

Niedzielski raised the priority of this task from to Needs Triage.
Niedzielski updated the task description. (Show Details)
Niedzielski added a project: acl*sre-team.
Niedzielski added subscribers: Niedzielski, hashar, demon.

That will let @Niedzielski get access to the Jenkins configuration which rely on users being in the wmf LDAP group :-}

Krenair added a subscriber: Krenair.

I don't think you need the 'nda' group, just the 'wmf' one? I think 'nda' is only really for people who signed the volunteer NDA... (Although I'm not in it, because I'm already in the 'wmf' one)

Ok, let's try wmf then. Thanks!

The first rule of NDA is: you do not talk about NDA.

Dzahn renamed this task from Request "wmf" and "nda" group assignments for account "sniedzielski" to Request "wmf" group assignments for account "sniedzielski".Jun 19 2015, 10:42 PM
Dzahn set Security to None.
Dzahn added a subscriber: Dzahn.


caveat here:

Sniedzielski is the WMF account:

mail: sniedzielski@wikimedia
cn: Sniedzielski

uidNumber: 12119

Niedzielski is the private one:

mail: stephen@niedzielski
cn: Niedzielski
uidNumber: 11833

I added Sniedzielski, as requested, and checked, to see:

[terbium:~] $ ldaplist -l group wmf | grep niedzielski
member: uid=niedzielski,ou=people,dc=wikimedia,dc=org
member: uid=sniedzielski,ou=people,dc=wikimedia,dc=org

both accounts were member in WMF, so it looks the wrong one was added by mistake in the past


modify-ldap-group --deletemembers niedzielski wmf
modify-ldap-group --addmembers Sniedzielski wmf

and now it is as it should have been in the first place.

Dzahn claimed this task.

(Sorry, reopening.) @Dzahn, would you mind leaving my niedzielski membership? It allows me to +2 in Gerrit which is part of certain Android release processes.

@Niedzielski I would prefer if we can just add the user into the WMF group, could you use that one on Gerrit or would that be a big problem?

@Dzahn, it's not a problem but a strong preference. I have ~50 patches in Gerrit already under my niedzielski account and it's the same handle I use on IRC.

Can we rename your Gerrit user instead?

It would require some steps but is documented on

Would have to get in the queue first: T85913

I'll add that this isn't just Daniel's suggestion; this was discussed during the operations meeting and having a personal user account of a staff user have those rights in the first place seems to have been a mistake. (Unless you were granted those rights as a volunteer on said account; and said rights had nothing to do with your role as staff.)

We realize it stinks to have to deal with having to migrate over to using the staff account, and apologize for the inconvenience. Having a single user one-off policy exception gets very unwieldy, as its never just one.

@Dzahn, @Krenair, @RobH, ok that's a bummer but I can work around it. Thanks for the help!

@Niedzielski Thanks for understanding. Sorry, it was our fault to do it wrong in the first place.