Requesting access to restricted and analytics-privatedata-users for Joe Sutherland (foks)
Closed, Resolved · Public

Description

original request

Joe just joined us on the Support & Safety team and given his technical knowledge is learning to do a lot of the work that I've been the only one on the team able to do for quite a while. As part of that I want to mirror the access I have on the servers right now so that he can learn/help on tasks which require database, maintenance script or analytics access. He'll be working closely with me to ensure he knows what to touch/not to touch and has been around enough technical work that I trust he won't touch what he doesn't know enough about yet. Some of this will be longer term (such as learning to operate SecurePoll during the next election) but he can be useful with access very quickly for ongoing tasks such as emergency/legal data needs (such as looking up email addresses, permanently deleting illegal images or reviewing what hadoop information we have for a wiki page).

Maggie is his direct supervisor and will reply here for manager approval. As always let us know if you have any questions.

Full name: Joe Sutherland
Preferred shell username: foks
Labs username/wikitech username: https://wikitech.wikimedia.org/wiki/User:Foks
SSH public key: https://office.wikimedia.org/wiki/User:JSutherland_(WMF)/production (let one of us know if he should post here/on a public wiki)

Joe has already signed the Acknowledgement of Wikimedia Server Access Responsibilities.

ops clinic followup

  • patchset prepared https://gerrit.wikimedia.org/r/#/c/290599/
  • patch includes restricted, which is a sudo group to apache/www-data
    • All sudo requests must be approved in ops team meeting. Next meeting is 2016-05-30 and this will be listed on the meeting agenda.

Details

Related Gerrit Patches:
operations/puppet : production · admin: access request for Joe Sutherland

Event Timeline

Restricted Application added a project: Operations. May 24 2016, 9:53 PM
Restricted Application added subscribers: Zppix, Aklapper.
RobH claimed this task. May 24 2016, 10:15 PM
RobH added a comment. May 24 2016, 10:37 PM

restricted allows a user to sudo as www-data and apache users, so it technically requires a review in the operations meeting.

The addition to analytics-privatedata-users doesn't require ops meeting review, and can go into place after a 3 day wait without objections. So that could merge on Friday. Since the meeting is Monday, unless having half of this a week day sooner is worth it, I'm planning to list this access request (for both groups) for ops meeting review on Monday. If no objections are raised then (or on this task), this will merge next Monday.

Change 290599 had a related patch set uploaded (by RobH):
access request for joe sutherland

https://gerrit.wikimedia.org/r/290599

RobH changed the task status from Open to Stalled. May 24 2016, 10:42 PM

Thanks, that makes sense given its ability to do maintenance scripts (which needs apache/www-data I believe). Waiting until after the meeting for both is totally fine. I'm hoping to have it done by next Wednesday (June 1) since we already have a training meeting then to go over ssh config and some of the more basic requests but we can easily push that back if it's not ready by then.

RobH updated the task description. May 25 2016, 9:18 PM
RobH triaged this task as Medium priority. May 25 2016, 9:56 PM
jcrespo reassigned this task from RobH to elukey. May 30 2016, 5:23 PM
jcrespo added subscribers: elukey, RobH, jcrespo.

@elukey will have a detailed look at this this week. Please reassign it to me when done.

jcrespo changed the task status from Stalled to Open. May 30 2016, 5:24 PM

@Jalexander, really sorry for the delay in the answer, I completely missed the phab assigned to me and only asked @Ottomata to review the patch for the analytics part of the access request (that is super fine).

The only remaining concern is about the restricted group, because it seems to span multiple hosts like mw1152 and fluorine (plus bastions) and I am not super familiar with access policies on those. I don't see any big red flag after reading puppet but I'd prefer to get a review also from @faidon, who is doing ops clinic duties this week. We should have discussed this request again today during the ops meeting but at the time I hadn't realized yet that I should have progressed the task, my bad.

Thanks and sorry again for the delay!

Thanks guys, do we have a sense of the timeline for now? I've delayed more on-boarding a couple times now and so while I'd prefer to try and get it done this week mostly just need to know when I can reasonably expect it so that we can schedule around that.

Change 290599 merged by Faidon Liambotis:
admin: access request for Joe Sutherland

https://gerrit.wikimedia.org/r/290599

faidon closed this task as Resolved. Jun 7 2016, 3:39 PM

This is now done, pending a puppet run across the fleet (~30 minutes from now).