Page MenuHomePhabricator
Create Task
Maniphest T149187

WMF or NDA LDAP access request for WMF employee
Closed, ResolvedPublic
Actions

Description

This is similar to T148832

Pivot (pivot.wikimedia.org) is a new Analytics UI that shows sensitive data and it is currently gated by an Apache Proxy, that allows access only to users in the wmf (ou=groups,dc=wikimedia,dc=org cn=wmf) or nda (ou=groups,dc=wikimedia,dc=org cn=nda) LDAP groups.

The following people are WMF employee that afaics are not in these groups:

uid: bearloga - mpopov@wikimedia.org
uid: hjiang - hjiang@wikimedia.org
uid: chelsyx - cxie@wikimedia.org
uid: leila - lzia@wikimedia.org (but does not have a wikimedia email address in LDAP)
uid: ellery - ellery@wikimedia.org

These are researchers and data analysts who will benefit a lot from having access to Pivot (and also the other tools listed in https://wikitech.wikimedia.org/wiki/LDAP_Groups for at least wmf).

I am aware of T129786, but in the meantime would it be possible to add these people at least to wmf to unblock them?

I might have missed something trivial so please be patient :)

Thanks in advance!

Luca

Related Objects

Event Timeline

elukey created this task.Oct 26 2016, 1:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 26 2016, 1:01 PM
elukey updated the task description. (Show Details)Oct 26 2016, 1:06 PM
elukey updated the task description. (Show Details)
MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Oct 26 2016, 1:15 PM

Since all of these researches are WMF staff, they can be added to the cn=wmf group. Usually this should be done as part of onboarding (or when they got cluster acccess), but since most of the services otherwise guarded by cn=wmf (e.g. Kibana, Grafana, Graphite) are probably unused by them, it wasn't noticed so far.

(Non-staff can have access via the cn=nda group in case they've signed the NDA.)

elukey added a comment.EditedOct 26 2016, 2:48 PM

added bearloga and hjiang following https://wikitech.wikimedia.org/wiki/LDAP#Common_LDAP_administrative_actions

sudo -i ldapvi -b ou=groups cn=wmf (on terbium)

Krenair added a subscriber: Krenair.Oct 26 2016, 4:44 PM

Have they all explicitly requested access and justified it?

elukey added a comment.Oct 26 2016, 5:05 PM
In T149187#2745392, @Krenair wrote:

Have they all explicitly requested access and justified it?

Yes they are data analyst and researchers interested in using Pivot sooner or later, plus they are wmf employees and I don't think a reason why they shouldn't be in the wmf group. Any concern from your side?

elukey merged a task: T149144: Pivot access for Discovery's Analysis team.Oct 26 2016, 5:09 PM
elukey added subscribers: mpopov, Milimetric, Nuria, chelsyx.
Krenair added a comment.Oct 26 2016, 5:18 PM
In T149187#2745475, @elukey wrote:
In T149187#2745392, @Krenair wrote:

Have they all explicitly requested access and justified it?

Yes they are data analyst and researchers interested in using Pivot sooner or later, plus they are wmf employees and I don't think a reason why they shouldn't be in the wmf group. Any concern from your side?

The wmf group in particular gives out a LOT of rights unrelated to pivot (e.g., some code review permissions) and generally shouldn't be granted without specific requests.

elukey added a comment.Oct 26 2016, 5:58 PM
In T149187#2745541, @Krenair wrote:
In T149187#2745475, @elukey wrote:
In T149187#2745392, @Krenair wrote:

Have they all explicitly requested access and justified it?

Yes they are data analyst and researchers interested in using Pivot sooner or later, plus they are wmf employees and I don't think a reason why they shouldn't be in the wmf group. Any concern from your side?

The wmf group in particular gives out a LOT of rights unrelated to pivot (e.g., some code review permissions) and generally shouldn't be granted without specific requests.

I think that it makes sense for WMF employee to be in there, but I got your point about gerrit. Maybe the wmf group has been a bit abused?

Anyhow, for this use case I am inclined to proceed to add the users in the description to wmf unless somebody strongly opposes.

elukey updated the task description. (Show Details)Oct 27 2016, 7:57 AM
elukey added subscribers: ellery, leila.Oct 27 2016, 8:08 AM

Added chelsyx, ellery and leila to wmf. Removed the ones already there, after a review I added more people to the list of requests than necessary.

Cc: @leila, @ellery, @chelsyx - you can now use Pivot :)

elukey closed this task as Resolved.Oct 27 2016, 8:08 AM
elukey claimed this task.
leila added a comment.Oct 28 2016, 7:52 PM

oh! it works. Thanks, @elukey and team.

chelsyx added a comment.Oct 29 2016, 2:09 AM

Thank you @elukey !

elukey mentioned this in T150790: Give me permissions in LDAP [Please don't use this anymore].Nov 17 2016, 8:54 AM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL