Page MenuHomePhabricator

determine validity of Christian Aistleitner (qchris's) shell account
Closed, ResolvedPublic

Description

Currently there is an open task T104023 to disable a number of staff accounts.

QChris is still a volunteer, but I have no idea if his shell rights were granted as a part of his volunteering or his staff rights. If it was staff, we need to disable his access.

Kevin, please advise. Feel free to assign this back to 'nobody' when done or assign back to me.

Thanks!

Event Timeline

RobH created this task.Jun 29 2015, 9:50 PM
RobH updated the task description. (Show Details)
RobH raised the priority of this task from to High.
RobH assigned this task to kevinator.
RobH changed the visibility from "Public (No Login Required)" to "Custom Policy".
RobH changed the edit policy from "All Users" to "Custom Policy".
RobH added subscribers: greg, Jalexander, Krenair and 5 others.
RobH closed this task as Declined.Jun 29 2015, 9:52 PM

Ok, I think I may have been overly paranoid, since his account has admin rights we wouldnt give volunteers, this seems a holdover from staff.

If this turns out wrong, we can reopen and revert.

I have no idea if his shell rights were granted as a part of his volunteering or his staff rights. If it was staff, we need to disable his access.

We have people who originally got root as staff and continue to hold it as a volunteer, so I don't think so.

his account has admin rights we wouldnt give volunteers

What?

RobH reopened this task as Open.Jun 29 2015, 10:05 PM

Chatting in IRC, Chris still does a ton of high impact work as a volunteer. As such, I'll list off his access rights here for individual review:

Chris belongs to the following shell groups:

gerrit-admin

description: assist in managing gerrit server

deployment

description: replaces 'mortals' for software deployment

restricted

description: access to terbium, fluorine (private data) and bastion hosts restricted folks use sudo to access apache / www-data resources

researchers

description: users with access to research db

statistics-web-users

description: access for stats.wikimedia.org

statistics-privatedata-users

description: Have access to so that they can do analysis on webrequest logs and other private data.

statistics-admins

description: access files created by stats user cron jobs

analytics-privatedata-users:

description: Gives access to the Analytics (Hadoop) cluster as well as private data within.
             This will grant shell access on Hadoop client nodes (stat1002) and on
             Hadoop NameNodes.  Some files in HDFS have sensitive data in them.
             Those files are group readable by the analytics-privatedata-users group.

analytics-admins:

description: Admin access to analytics cluster.
             This will grant shell access on all Analytics Cluster nodes, as well
             as the ability to sudo to certain Analytics Cluster system users.

analytics-roots:

description: Full root access to Analytics Cluster nodes.

So, we would need to know which of these groups he should keep, and which should he should be removed from.

RobH changed the visibility from "Custom Policy" to "Public (No Login Required)".
RobH changed the edit policy from "Custom Policy" to "All Users".
RobH set Security to None.
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 29 2015, 10:10 PM

I only still use

gerrit-admin

and I still use access to the bastion hosts to connect to ytterbium. If I read it correctly, I currently have bastion host access through the restricted group. I do not need restricted's "private data" part, so I guess one can demote it like

restricted -> bastiononly

.

Please remove me from the other groups.

(Adding @Ottomata, as (after I left WMF) he wanted me to retain analytics cluster+deploy grants for some time. But after joal joined the team, I guess it's fine if I drop the analytics permissions)

Change 221786 had a related patch set uploaded (by Matanya):
access: remove qchris from all groups except gerrit-admin and bastiononly

https://gerrit.wikimedia.org/r/221786

Change 221786 merged by RobH:
access: remove qchris from all groups except gerrit-admin and bastiononly

https://gerrit.wikimedia.org/r/221786

RobH closed this task as Resolved.Jun 29 2015, 10:55 PM

I've gone ahead and merge'd Matanya's patchset live, after @QChris's update to the task. Thanks guys! (Resolving task.)

Thanks Krenair - qchris has my complete trust and support for any access he
feels is appropriate.

[continued] so I would support keeping the status quo for now.