Page MenuHomePhabricator
Create Task
Maniphest T126283

Requesting restbase-roots access to RESTBase cluster for Petr Pchelko
Closed, ResolvedPublic
Actions

Description

Petr should be able to deploy and otherwise take care of operational tasks on the RESTBase cluster. I am thus requesting to grant him membership of the restbase-roots group.

Username: ppchelko
Full name: Petr Pchelko

Details

SubjectRepoBranchLines +/-
admin: add bast-only group for ppchelkooperations/puppetproduction+1 -1
admin: add ppchelko to restbase-rootsoperations/puppetproduction+1 -1
admin: add user ppchelkooperations/puppetproduction+9 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved CmjohnsonT126283 Requesting restbase-roots access to RESTBase cluster for Petr Pchelko
Restricted Task

Event Timeline

Maniphest added a project: SRE-Access-Requests.Feb 8 2016, 10:57 PM
Restricted Application added a project: SRE. · View Herald TranscriptFeb 8 2016, 10:57 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript
GWicke created this task.Feb 8 2016, 10:57 PM
GWicke updated the task description. (Show Details)
GWicke edited projects, added Services; removed SRE.
GWicke changed Security from None to Access Request.
GWicke edited subscribers, added: GWicke, Pchelolo; removed: Aklapper, StudiesWorld.
Restricted Application added a project: SRE. · View Herald TranscriptFeb 8 2016, 10:57 PM
GWicke added a comment.Feb 8 2016, 10:59 PM

@Pchelolo, could you add a public SSH key to use for this? Per 1, it should not be the same as the one used for labs.

Pchelolo added a comment.Feb 8 2016, 11:02 PM

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSxkE+b4Jc+3FoCgYqZvQJZ8a0Hk2UhC2Qb1zi1CiThsE8oBPf6n1Mki58o/mHBrtfgAPutCFFylkLwuPDE5tDojENvNx3roMxEmpQhDTs3iKTfXF98IVdsrI8gmrpCQoy+fny3K/O89rmAza2WTK2ogB2rDBLRAC0hYz6pzuA38+4ybmYbqVn/SQSDyMsX0366xBsn3r6pEwyttZsLhO/5HDG1O5cUkrxwXr5XACIGGHZyG2ev2uLtZj/6py5skxvp2xLs1/m7qP1Sykvz8QungW7KfyzNCVKb07RxKlsUQEnAqnQY2fnB3VjKSe4FNUafQHkmFJ1MLr0zH31uMOF pchelko@Petrs-MBP.corp.wikimedia.org

mobrovac subscribed.EditedFeb 8 2016, 11:06 PM

@Pchelolo you also need to read and sign {L3}

Pchelolo added a comment.Feb 8 2016, 11:28 PM

@mobrovac read and signed.

Dzahn assigned this task to Cmjohnson.Feb 9 2016, 5:37 AM
Dzahn triaged this task as Medium priority.
Dzahn subscribed.
gerritbot subscribed.Feb 9 2016, 5:46 AM

Change 269368 had a related patch set uploaded (by Dzahn):
admin: add user ppchelko

https://gerrit.wikimedia.org/r/269368

gerritbot added a project: Patch-For-Review.Feb 9 2016, 5:46 AM
gerritbot added a comment.Feb 9 2016, 5:50 AM

Change 269369 had a related patch set uploaded (by Dzahn):
admin: add ppchelko to restbase-admins

https://gerrit.wikimedia.org/r/269369

mobrovac added a comment.Feb 9 2016, 4:29 PM

Hm, actually, with restbase-admins you are not able to deploy, you can:

  • log in,
  • read logs
  • start/stop/restart restbase and cassandra

For deployment, one needs to be in the restbase-roots group, so I'd say to go ahead and retitle this as @Pchelolo needing restbase-roots access.

Dzahn added a comment.Feb 9 2016, 6:23 PM

or maybe an alternative is to amend the permissions the restbase-admins have with the deploy commands, so that all admins can deploy. would it be easy to list the needed command to be added to sudo privileges?

GWicke renamed this task from Requesting restbase-admins access to RESTBase cluster for Petr Pchelko to Requesting restbase-roots access to RESTBase cluster for Petr Pchelko.Feb 9 2016, 6:24 PM
GWicke updated the task description. (Show Details)

Re-titled to ask for restbase-roots access, per @mobrovac.

mobrovac added a comment.Feb 9 2016, 6:32 PM
In T126283#2012043, @Dzahn wrote:

or maybe an alternative is to amend the permissions the restbase-admins have with the deploy commands, so that all admins can deploy. would it be easy to list the needed command to be added to sudo privileges?

That's a bit tricky and error-prone because the target repo is owned by root on the nodes, and we use ansible to deploy, which spawns its own local commands when performing the fetch and check-out phases.

Dzahn added a comment.Feb 9 2016, 7:01 PM

Amended the Gerrit change to become "add to roots" as well.

gerritbot added a comment.Feb 10 2016, 6:10 PM

Change 269368 merged by Cmjohnson:
admin: add user ppchelko

https://gerrit.wikimedia.org/r/269368

Cmjohnson added a comment.Feb 12 2016, 4:15 AM

User added but adding to restbase-roots group will require an approval in ops meeting.

gerritbot added a comment.Feb 22 2016, 6:22 PM

Change 269369 merged by Dzahn:
admin: add ppchelko to restbase-roots

https://gerrit.wikimedia.org/r/269369

gerritbot added a comment.Feb 22 2016, 6:28 PM

Change 272513 had a related patch set uploaded (by Dzahn):
admin: add bast-only group for ppchelko

https://gerrit.wikimedia.org/r/272513

gerritbot added a comment.Feb 22 2016, 6:36 PM

Change 272513 merged by Dzahn:
admin: add bast-only group for ppchelko

https://gerrit.wikimedia.org/r/272513

Dzahn added a comment.Feb 22 2016, 6:38 PM

approved in meeting (https://office.wikimedia.org/wiki/Operations/Operations_Meeting_Notes/TechOps-2016-02-22#Access_Requests)

merged, followed-up with access to bastion hosts

[restbase1001:~] $ id ppchelko
uid=12460(ppchelko) gid=500(wikidev) groups=500(wikidev),744(restbase-roots)
[bast1001:~] $ id ppchelko
uid=12460(ppchelko) gid=500(wikidev) groups=500(wikidev),707(bastiononly)

etc.. the same on all restbase hosts as soon as puppet ran

Dzahn closed this task as Resolved.Feb 22 2016, 6:40 PM
MoritzMuehlenhoff closed subtask Restricted Task as Resolved.Mar 1 2016, 8:36 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL