
determine validity of Christian Aistleitner (qchris's) shell account
Status: Closed, Resolved. Visibility: Public

Description

Currently there is an open task T104023 to disable a number of staff accounts.

QChris is still a volunteer, but I have no idea if his shell rights were granted as a part of his volunteering or his staff rights. If it was staff, we need to disable his access.

Kevin, please advise. Feel free to assign this back to 'nobody' when done or assign back to me.

Thanks!

Event Timeline

RobH assigned this task to kevinator.
RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH changed the visibility from "Public (No Login Required)" to "Custom Policy".
RobH changed the edit policy from "All Users" to "Custom Policy".
RobH added subscribers: greg, Jalexander, Krenair and 5 others.

Ok, I think I may have been overly paranoid; since his account has admin rights we wouldn't give volunteers, this seems a holdover from staff.

If this turns out wrong, we can reopen and revert.

I have no idea if his shell rights were granted as a part of his volunteering or his staff rights. If it was staff, we need to disable his access.

We have people who originally got root as staff and continue to hold it as a volunteer, so I don't think so.

his account has admin rights we wouldn't give volunteers

What?

Chatting in IRC, Chris still does a ton of high impact work as a volunteer. As such, I'll list off his access rights here for individual review:

Chris belongs to the following shell groups:

gerrit-admin

description: assist in managing gerrit server

deployment

description: replaces 'mortals' for software deployment

restricted

description: access to terbium, fluorine (private data) and bastion hosts. Restricted folks use sudo to access apache / www-data resources

researchers

description: users with access to research db

statistics-web-users

description: access for stats.wikimedia.org

statistics-privatedata-users

description: Have access to so that they can do analysis on webrequest logs and other private data.

statistics-admins

description: access files created by stats user cron jobs

analytics-privatedata-users

description: Gives access to the Analytics (Hadoop) cluster as well as private data within.
             This will grant shell access on Hadoop client nodes (stat1002) and on
             Hadoop NameNodes.  Some files in HDFS have sensitive data in them.
             Those files are group readable by the analytics-privatedata-users group.

analytics-admins

description: Admin access to analytics cluster.
             This will grant shell access on all Analytics Cluster nodes, as well
             as the ability to sudo to certain Analytics Cluster system users.

analytics-roots

description: Full root access to Analytics Cluster nodes.

So, we would need to know which of these groups he should keep, and which he should be removed from.

RobH changed the visibility from "Custom Policy" to "Public (No Login Required)".
RobH changed the edit policy from "Custom Policy" to "All Users".
RobH set Security to None.

I only still use

gerrit-admin

and I still use access to the bastion hosts to connect to ytterbium. If I read it correctly, I currently have bastion host access through the restricted group. I do not need restricted's "private data" part, so I guess one can demote it like

restricted -> bastiononly

Please remove me from the other groups.

(Adding @Ottomata, as (after I left WMF) he wanted me to retain analytics cluster+deploy grants for some time. But after joal joined the team, I guess it's fine if I drop the analytics permissions)
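The review above boils down to two steps: list every shell group a user is in, flag the ones that carry root, sudo or private-data access, then compute the membership changes needed so the user ends up in exactly the groups they still need (here gerrit-admin plus the restricted -> bastiononly demotion). The helper below is an added example written for this page, not Wikimedia's own access tooling, and it does not assume the layout of the real admin groups file: the GROUPS mapping is a constructed stand-in built from the group names and descriptions quoted in the task, and the bastiononly description and the other member names are made up.

```python
"""Access-review helper: enumerate a user's shell groups, flag privileged
ones, and plan the removals/additions needed to keep only an allow-list.

Added example for this task page; the data layout is an assumption, not
the real admin groups file.
"""
import copy
import re

# Constructed sample data modelled on the groups listed in the task.
# Descriptions are shortened; the bastiononly description is assumed.
GROUPS = {
    "gerrit-admin": {"description": "assist in managing gerrit server",
                     "members": ["qchris", "otheradmin"]},
    "deployment": {"description": "replaces 'mortals' for software deployment",
                   "members": ["qchris", "deployer"]},
    "restricted": {"description": "access to terbium, fluorine (private data) and "
                                  "bastion hosts; use sudo to access apache / www-data",
                   "members": ["qchris"]},
    "bastiononly": {"description": "bastion host access only (assumed description)",
                    "members": []},
    "researchers": {"description": "users with access to research db",
                    "members": ["qchris"]},
    "statistics-web-users": {"description": "access for stats.wikimedia.org",
                             "members": ["qchris"]},
    "statistics-privatedata-users": {"description": "analysis on webrequest logs "
                                                    "and other private data",
                                     "members": ["qchris"]},
    "statistics-admins": {"description": "access files created by stats user cron jobs",
                          "members": ["qchris"]},
    "analytics-privatedata-users": {"description": "Hadoop cluster plus private data within",
                                    "members": ["qchris"]},
    "analytics-admins": {"description": "shell on all Analytics Cluster nodes, "
                                        "sudo to certain system users",
                         "members": ["qchris"]},
    "analytics-roots": {"description": "Full root access to Analytics Cluster nodes.",
                        "members": ["qchris"]},
}

# Heuristic: a group is "privileged" if its name or description mentions
# root, sudo, admin rights or private data. Tune for your own naming scheme.
PRIVILEGED = re.compile(r"\broot|\bsudo\b|admin|private data", re.IGNORECASE)


def groups_of(user, groups=GROUPS):
    """All groups the user is a member of, sorted for stable output."""
    return sorted(name for name, g in groups.items() if user in g["members"])


def privileged_groups(user, groups=GROUPS):
    """Subset of the user's groups that match the privileged heuristic."""
    return [name for name in groups_of(user, groups)
            if PRIVILEGED.search(name) or PRIVILEGED.search(groups[name]["description"])]


def plan_changes(user, keep, groups=GROUPS):
    """Return (remove, add): groups to drop and groups to join so the user
    ends up in exactly `keep`. Unknown group names are rejected up front so
    a typo cannot silently strip someone of all access."""
    unknown = sorted(set(keep) - set(groups))
    if unknown:
        raise ValueError(f"unknown groups in keep list: {unknown}")
    current = set(groups_of(user, groups))
    wanted = set(keep)
    return sorted(current - wanted), sorted(wanted - current)


def apply_changes(user, keep, groups=GROUPS):
    """Return a new groups mapping with the planned changes applied
    (the input is left untouched so it can be diffed for the patch)."""
    remove, add = plan_changes(user, keep, groups)
    new = copy.deepcopy(groups)
    for name in remove:
        new[name]["members"].remove(user)
    for name in add:
        new[name]["members"].append(user)
    return new


if __name__ == "__main__":
    user = "qchris"
    print("flagged:", privileged_groups(user))
    remove, add = plan_changes(user, ["gerrit-admin", "bastiononly"])
    print("remove:", remove)
    print("add:", add)
```

Running it with the constructed data flags every group that carries root, sudo or private data, and plans removal from nine groups plus addition to bastiononly, which is exactly the shape of the change the task ends with. The same review pass can be run for every account on a staff-offboarding list before any patch is written, so that the decision of what to keep is made against a concrete list rather than from memory.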

Change 221786 had a related patch set uploaded (by Matanya):
access: remove qchris from all groups except gerrit-admin and bastiononly

https://gerrit.wikimedia.org/r/221786

Change 221786 merged by RobH:
access: remove qchris from all groups except gerrit-admin and bastiononly

https://gerrit.wikimedia.org/r/221786

I've gone ahead and merged Matanya's patchset live, after @QChris's update to the task. Thanks guys! (Resolving task.)

Thanks Krenair - qchris has my complete trust and support for any access he feels is appropriate.

[continued] so I would support keeping the status quo for now.