Page MenuHomePhabricator

determine nik everett's shell/production access levels
Closed, ResolvedPublic


I'm trying to audit our access lists, and document any non-employee access. Part of that turned up Nik Everett (manybubbles)'s account.

My understanding is he is to retain all production login rights, which include the following:


I'd also like to get some kind of management note on this task that Nik's access should indeed stay intact and with the above groups. I'll assign this to the director of discovery for his approval (@Tfinc).

Tomasz: please comment about NIk's access. If he is to retain it all, please confirm. If he is a volunteer, please let me know (assign back to me) and I'll get him in the proper groups to view/sign the NDA. Once he is in that group, I'll assign this task to him for signature on the NDA.

Event Timeline

RobH assigned this task to tomasz.
RobH raised the priority of this task from to Medium.
RobH updated the task description. (Show Details)
RobH added a project: acl*sre-team.
RobH added subscribers: Aklapper, RobH, Matanya and 4 others.

I talked with nik about this before he departed, it makes sense for him to retain shell access for now. He has by far the most knowledge of our existing search infrastructure if things are burning down. Hopefully wont ever be necessary, but for now seems prudent to keep.

@EBernhardson: I'm not sure that covers all the use-cases those groups give him. If you guys are fine with him retaining the full sudo level rights (logstash roots, full mediawiki deployment, etc...) then that is fine.

@EBernhardson: Can hou confirm he'll be 100% volunteer? In which case, we'll need to have him sign the volunteer NDA.

Thanks for all the quick feedback!

100% volunteer confirmed.

I'm fine with him retaining full sudo level rights.

I'll outline what each group does:

wikidata-query-roots: Full root on the Wikidata Query Service nodes
statistics-privatedata-users: Have access to so that they can do analysis on webrequest logs and other private data.
logstash-roots: users with root access on logstash nodes
udp2log-users: general user tasks for udp2log
elasticsearch-roots: manage elasticsearch nodes
deployment: mediawiki deployment access

Any of the above not needed for his volunteer support of search should be removed.

I'll go ahead now and follow up with Nik on getting the NDA signed.

wikidata-query-roots: Kill
statistics-privatedata-users: Kill
logstash-roots: Necessary
udp2log-users: kill?
elasticsearch-roots: Necessary
deployment: Necessary?

Tbh, i'm not sure about deployment or udp2log-users. I could see deployment being necessary when fixing some issue, not sure about udp2log.

@EBernhardson: Thanks for the feedback, it was quite useful!

I've gone ahead and removed him from all the groups listed (wikidatea-query-roots, statistics-privatedata-users, and udp2log-users)

If it turns out the last one (udp2log-users) is needed, just reopen this task (or create a new one) and reference this task for the change. That way it can be shown its removal was overzealous and can be added back. (If it turns out it wasn't needed, so much the better.)

@RobH: So... what's left to do here?
(Task is still open but last comment says "just reopen this task".)

@Aklapper nothing. seems he just forgot to resolve the task.