Page MenuHomePhabricator
Create Task
Maniphest T109390

determine nik everett's shell/production access levels
Closed, ResolvedPublic
Actions

Description

I'm trying to audit our access lists, and document any non-employee access. Part of that turned up Nik Everett (manybubbles)'s account.

My understanding is he is to retain all production login rights, which include the following:

wikidata-query-roots:
statistics-privatedata-users:
logstash-roots:
udp2log-users:
elasticsearch-roots:
deployment:

I'd also like to get some kind of management note on this task that Nik's access should indeed stay intact and with the above groups. I'll assign this to the director of discovery for his approval (@Tfinc).

Tomasz: please comment about NIk's access. If he is to retain it all, please confirm. If he is a volunteer, please let me know (assign back to me) and I'll get him in the proper groups to view/sign the NDA. Once he is in that group, I'll assign this task to him for signature on the NDA.

Related Objects
Search...

Event Timeline

RobH created this task.Aug 17 2015, 10:51 PM
RobH assigned this task to tomasz.
RobH raised the priority of this task from to Medium.
RobH updated the task description. (Show Details)
RobH added a project: acl*sre-team.
RobH added subscribers: Aklapper, RobH, Matanya and 4 others.
JohnLewis reassigned this task from tomasz to Tfinc.Aug 17 2015, 10:59 PM
JohnLewis added subscribers: tomasz, JohnLewis.
Tfinc added a subscriber: EBernhardson.Aug 17 2015, 11:00 PM

@EBernhardson Can you comment on this?

EBernhardson added a comment.Aug 17 2015, 11:05 PM

I talked with nik about this before he departed, it makes sense for him to retain shell access for now. He has by far the most knowledge of our existing search infrastructure if things are burning down. Hopefully wont ever be necessary, but for now seems prudent to keep.

RobH added a comment.Aug 17 2015, 11:09 PM

@EBernhardson: I'm not sure that covers all the use-cases those groups give him. If you guys are fine with him retaining the full sudo level rights (logstash roots, full mediawiki deployment, etc...) then that is fine.

@EBernhardson: Can hou confirm he'll be 100% volunteer? In which case, we'll need to have him sign the volunteer NDA.

Thanks for all the quick feedback!

EBernhardson added a comment.Aug 17 2015, 11:13 PM

100% volunteer confirmed.

I'm fine with him retaining full sudo level rights.

RobH added a comment.Aug 17 2015, 11:13 PM

I'll outline what each group does:

wikidata-query-roots: Full root on the Wikidata Query Service nodes
statistics-privatedata-users: Have access to so that they can do analysis on webrequest logs and other private data.
logstash-roots: users with root access on logstash nodes
udp2log-users: general user tasks for udp2log
elasticsearch-roots: manage elasticsearch nodes
deployment: mediawiki deployment access

Any of the above not needed for his volunteer support of search should be removed.

RobH claimed this task.Aug 17 2015, 11:15 PM

I'll go ahead now and follow up with Nik on getting the NDA signed.

RobH mentioned this in T109391: add manybubbles to #wmf-nda-requests.Aug 17 2015, 11:17 PM
EBernhardson added a comment.Aug 24 2015, 10:01 PM

wikidata-query-roots: Kill
statistics-privatedata-users: Kill
logstash-roots: Necessary
udp2log-users: kill?
elasticsearch-roots: Necessary
deployment: Necessary?

Tbh, i'm not sure about deployment or udp2log-users. I could see deployment being necessary when fixing some issue, not sure about udp2log.

RobH mentioned this in rOPUP57d16c17e9ec: updating nik everett's access.Aug 31 2015, 9:07 PM
RobH added a comment.Aug 31 2015, 9:07 PM

@EBernhardson: Thanks for the feedback, it was quite useful!

I've gone ahead and removed him from all the groups listed (wikidatea-query-roots, statistics-privatedata-users, and udp2log-users)

If it turns out the last one (udp2log-users) is needed, just reopen this task (or create a new one) and reference this task for the change. That way it can be shown its removal was overzealous and can be added back. (If it turns out it wasn't needed, so much the better.)

Aklapper added a comment.Sep 13 2015, 9:03 PM

@RobH: So... what's left to do here?
(Task is still open but last comment says "just reopen this task".)

JohnLewis closed this task as Resolved.Sep 13 2015, 9:08 PM

@Aklapper nothing. seems he just forgot to resolve the task.

Krenair mentioned this in T97869: Review access to security tasks.Jan 26 2016, 7:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL