Page MenuHomePhabricator
Create Task
Maniphest T108111

Replace jdouglas's production ssh key - it matched labs key
Closed, ResolvedPublic
Actions

Description

It seems that @Jdouglas has the same ssh key in labs and in production. As this is in violation of the L3 document (and overall server responsibilities outlined on https://phabricator.wikimedia.org/T88464 ), & user has deployment access, we'll need to remove his production SSH key immediately.

@Jdouglas will need to update this task (via web) with a new production SSH public key (not used in any other labs or third party systems).

Details

SubjectRepoBranchLines +/-
Mark jdouglas as absent, remove from all groups.operations/puppetproduction+8 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

RobH created this task.Aug 5 2015, 9:24 PM
RobH claimed this task.
RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH added a project: acl*sre-team.
RobH added subscribers: gerritbot, Krenair, Jdouglas and 4 others.
RobH mentioned this in rOPUP5948bbc7d4d2: revoke jdouglas ssh key.Aug 5 2015, 9:28 PM
RobH reassigned this task from RobH to Jdouglas.Aug 5 2015, 9:31 PM

Assigning this to @Jdouglas so he can update with his ssh key. Additionally, I'm adding this to ops-access-requests, just so it gets triaged and his new key is pushed in immediately by anyone in ops who is around.

The old key's revocation is now live on the cluster. You'll find yourself unable to login. Once you update this task with your new key, please place this task up for grabs (assigned to no one). This ensures someone will pick it up (clinic duty or other opsen), rather than wait for a single ops person to fix it.

Note to other ops: He doesn't need to wait for the 3 day period, as this is simply replacing his key. Anyone in ops can create/merge the update immediately.

RobH added a project: SRE-Access-Requests.Aug 5 2015, 9:31 PM
Dzahn subscribed.Aug 6 2015, 4:28 PM

09:21 < mutante> is "jdouglas" around, maybe using a different nick?
09:21 < guillom> mutante: I think he left the WMF a couple of weeks ago.

09:24 < guillom> mutante: https://wikimediafoundation.org/w/index.php?diff=102858

Dzahn removed Jdouglas as the assignee of this task.Aug 6 2015, 4:29 PM

so we don't have to re-enable any access it looks. re-assigning "for grabs" for him then.

Andrew claimed this task.Aug 6 2015, 4:44 PM
Andrew set Security to None.
Dzahn added a comment.Aug 6 2015, 4:46 PM

09:43 < Krenair> guillom, mutante: They still have wiki accounts open and are in the wmf ldap group
09:44 < Krenair> if they have been offboarded it was not done properly

for the offboarding issue in general, also see T108131

gerritbot added a comment.Aug 6 2015, 5:19 PM

Change 229755 had a related patch set uploaded (by Andrew Bogott):
Mark jdouglas as absent, remove from all groups.

https://gerrit.wikimedia.org/r/229755

gerritbot added a project: Patch-For-Review.Aug 6 2015, 5:19 PM
gerritbot added a comment.Aug 6 2015, 6:43 PM

Change 229755 merged by Andrew Bogott:
Mark jdouglas as absent, remove from all groups.

https://gerrit.wikimedia.org/r/229755

Andrew mentioned this in rOPUPb5616d2b4683: Mark jdouglas as absent, remove from all groups..Aug 6 2015, 6:43 PM
Andrew closed subtask T108203: Ops offboarding for jdouglas as Resolved.Aug 6 2015, 7:21 PM
Andrew closed this task as Resolved.Aug 7 2015, 5:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL