
Grant Joseph and Dan deploy permissions on aqs100[1-3]
Closed, ResolvedPublic

Description

@Milimetric and @JAllemandou have permission to restart RESTBase and Cassandra and do basic administration on aqs100[1-3]. But they also need the right to deploy the service, otherwise they have to rely on @Ottomata for every deployment. Since RESTBase has a lot of deployment steps that are mostly done by @Milimetric and/or @JAllemandou, it can be confusing and dangerous to coordinate instead of just having one person do the whole deploy.

@kevinator, could you please approve?

Event Timeline

Milimetric raised the priority of this task from to Needs Triage.
Milimetric updated the task description. (Show Details)
Restricted Application added a subscriber: Aklapper.
Dzahn triaged this task as Medium priority. Oct 21 2015, 4:26 PM

This sounds like we need a new admin group that does not exist yet.

@Milimetric or @Ottomata could you list the commands needed for deployment?

@Dzahn, I'm not sure if you're familiar with the deployment tool that RESTBase is using, the command would be this:

ansible-playbook -i production -e target=aqs roles/restbase/deploy.yml

I believe it just runs stuff with sudo over ssh, but I'm not sure of the exact details. The deploy role that's being used is here:

https://github.com/wikimedia/ansible-deploy/blob/master/roles/restbase/deploy.yml

And if I read it correctly, the only tasks that are being executed are deploy and restart:

https://github.com/wikimedia/ansible-deploy/blob/master/roles/restbase/tasks/deploy.yml
https://github.com/wikimedia/ansible-deploy/blob/master/roles/restbase/tasks/restart.yml

Change 248378 had a related patch set uploaded (by Dzahn):
admin: create group aqs-restbase-deployers

https://gerrit.wikimedia.org/r/248378

@Milimetric No, I'm not familiar with Ansible deployment. The command line is very helpful. See my Gerrit change above; that would be a suggestion to add a new admin group with sudo permissions to run the ansible-playbook command.

Another step would then be to add that group to the aqs nodes via the role in Hiera (hieradata/role/common/aqs.yaml ..), and finally to add you guys as group members.

I'll add a bit of context here: Ansible can't be "locked down" or restricted in its actions with sudo because it executes a custom Python program. IOW, we'd need to allow arbitrary commands as sudo root for deployers, which isn't something reasonable to do.

Dzahn removed Dzahn as the assignee of this task. Oct 25 2015, 8:00 PM
Dzahn added a subscriber: Dzahn.
chasemp added subscribers: akosiaris, chasemp.

Status as of now: not directly accepted; some extra information, since the idea was that AQS requires scap3 and not Ansible.

@akosiaris I think you were going to inquire about scap3 and aqs?

Indeed.

@mobrovac, IIRC, the initial deployment of restbase on AQS was done using scap3, since Ansible would not work due to the lack of sudo privileges for the services team on those boxes. Am I remembering correctly?

Change 248378 abandoned by Dzahn:
admin: create group aqs-restbase-deployers

https://gerrit.wikimedia.org/r/248378

akosiaris changed the task status from Open to Stalled. Oct 27 2015, 9:50 AM

After some IRC talk with @mobrovac, this is currently deployed with Ansible still. There is a blocking task T114999 to migrate this to scap3. As already pointed out by @fgiunchedi, Ansible is not really sudo friendly, so this isn't really doable. I propose we stay with the current status quo for now, while restbase deployment moves on to scap3, and revisit this as soon as that happens.

Setting to stalled; feel free to change.

Dzahn changed the task status from Stalled to Open. Mar 15 2016, 7:24 PM

Setting stalled -> open because the blocking task has been resolved.

Hi all, so do you still want this access request processed now that AQS is deployed with scap?

This comment was removed by Dzahn.

I don't think we need this access any more, @Dzahn. Thanks for following up. If I understand the scap process correctly, we can deploy without this. I'll let @JAllemandou comment if he wants rights to administer the boxes otherwise.

I don't know scap3 well enough (or at all, to be precise), but if no special right is needed to deploy with it, then I don't need any :) Thanks @Dzahn

I would say you're good now if you are able to restart AQS and Cassandra and use cqlsh.

Thank you all for clarification. I'm closing the ticket as resolved then.

> I would say you're good now if you are able to restart AQS and Cassandra and use cqlsh.

joal is in the group aqs-admins:

root@aqs1001:/etc/sudoers.d# id joal
uid=11654(joal) gid=500(wikidev) groups=500(wikidev),764(aqs-admins)

the aqs-admins can do this:

root@aqs1001:/etc/sudoers.d# cat aqs-admins
# This file is managed by Puppet!

%aqs-admins ALL = NOPASSWD: /usr/sbin/service cassandra *
%aqs-admins ALL = (cassandra) NOPASSWD: ALL
%aqs-admins ALL = NOPASSWD: /usr/sbin/service restbase *
%aqs-admins ALL = (restbase) NOPASSWD: ALL
%aqs-admins ALL = NOPASSWD: /bin/journalctl *
root@aqs1001:/etc/sudoers.d#

Is that missing the cqlsh part you mention?

So it definitely lets you restart the services, which this ticket was originally about.

Maybe it's best if you try a deploy, and if you find you need more permissions, please reopen this or make a new ticket like "give aqs-admins missing deploy rights".
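As an added illustration (not part of the ticket or of Wikimedia's Puppet code), a small Python checker for the sudoers rules pasted above: it parses that file and answers whether a member of aqs-admins may run a given command as a given target user, which is the cqlsh question raised here. It supports only the sudoers syntax subset that file uses (no aliases, no host lists), and the command paths used in the checks, such as /usr/bin/cqlsh, are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
# /etc/sudoers.d/aqs-admins exactly as pasted in the ticket above.
AQS_ADMINS_SUDOERS = """
# This file is managed by Puppet!

%aqs-admins ALL = NOPASSWD: /usr/sbin/service cassandra *
%aqs-admins ALL = (cassandra) NOPASSWD: ALL
%aqs-admins ALL = NOPASSWD: /usr/sbin/service restbase *
%aqs-admins ALL = (restbase) NOPASSWD: ALL
%aqs-admins ALL = NOPASSWD: /bin/journalctl *
"""

# Only the sudoers subset used in that file: "%group host = (runas) TAG: cmd".
RULE_RE = re.compile(r"^%(?P<group>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

@dataclass
class Rule:
    group: str
    runas: str      # target user; sudoers defaults to root when (user) is absent
    nopasswd: bool
    command: str    # "ALL", or a program path with an optional argument pattern

def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        rules.append(Rule(m.group("group"), m.group("runas") or "root",
                          "NOPASSWD" in m.group("tags"), m.group("cmd").strip()))
    return rules

def allowed(rules, groups, runas, cmdline):
    """True if a member of any of `groups` may run `cmdline` as `runas`.
    '*' in a rule follows sudoers(5) wildcard matching (any characters)."""
    for r in rules:
        if r.group not in groups or r.runas not in (runas, "ALL"):
            continue
        if r.command == "ALL" or fnmatch.fnmatchcase(cmdline, r.command):
            return True
    return False

def aqs_admins_can(runas, cmdline):
    """The ticket's question for a user in wikidev + aqs-admins (like joal)."""
    return allowed(parse_sudoers(AQS_ADMINS_SUDOERS), {"wikidev", "aqs-admins"}, runas, cmdline)
```

Under these rules cqlsh is only reachable via `sudo -u cassandra` (the `(cassandra) NOPASSWD: ALL` line permits any command as the cassandra user), not as root, and nothing permits ansible-playbook as root.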