WMF or NDA LDAP access request for WMF employee
Closed, Resolved (Public)

Description

This is similar to T148832

Pivot (pivot.wikimedia.org) is a new Analytics UI that shows sensitive data and it is currently gated by an Apache Proxy that allows access only to users in the wmf (ou=groups,dc=wikimedia,dc=org cn=wmf) or nda (ou=groups,dc=wikimedia,dc=org cn=nda) LDAP groups.

The following people are WMF employees that afaics are not in these groups:

uid: bearloga - mpopov@wikimedia.org
uid: hjiang - hjiang@wikimedia.org
uid: chelsyx - cxie@wikimedia.org
uid: leila - lzia@wikimedia.org (but does not have a wikimedia email address in LDAP)
uid: ellery - ellery@wikimedia.org

These are researchers and data analysts who will benefit a lot from having access to Pivot (and also the other tools listed in https://wikitech.wikimedia.org/wiki/LDAP_Groups for at least wmf).

I am aware of T129786, but in the meantime would it be possible to add these people at least to wmf to unblock them?

I might have missed something trivial so please be patient :)

Thanks in advance!

Luca

Event Timeline

elukey created this task. Oct 26 2016, 1:01 PM
Restricted Application added a subscriber: Aklapper. Oct 26 2016, 1:01 PM
elukey updated the task description. Oct 26 2016, 1:06 PM

Since all of these researchers are WMF staff, they can be added to the cn=wmf group. Usually this should be done as part of onboarding (or when they got cluster access), but since most of the services otherwise guarded by cn=wmf (e.g. Kibana, Grafana, Graphite) are probably unused by them, it wasn't noticed so far.

(Non-staff can have access via the cn=nda group in case they've signed the NDA.)

elukey added a comment. Edited Oct 26 2016, 2:48 PM

added bearloga and hjiang following https://wikitech.wikimedia.org/wiki/LDAP#Common_LDAP_administrative_actions

sudo -i ldapvi -b ou=groups cn=wmf (on terbium)

Have they all explicitly requested access and justified it?

Yes, they are data analysts and researchers interested in using Pivot sooner or later, plus they are wmf employees and I don't think there is a reason why they shouldn't be in the wmf group. Any concern from your side?

The wmf group in particular gives out a LOT of rights unrelated to pivot (e.g., some code review permissions) and generally shouldn't be granted without specific requests.

I think that it makes sense for WMF employees to be in there, but I got your point about gerrit. Maybe the wmf group has been a bit abused?

Anyhow, for this use case I am inclined to proceed to add the users in the description to wmf unless somebody strongly opposes.

elukey updated the task description. Oct 27 2016, 7:57 AM

Added chelsyx, ellery and leila to wmf. Removed the ones already there, after a review I added more people to the list of requests than necessary.

Cc: @leila, @ellery, @chelsyx - you can now use Pivot :)
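The membership check behind "afaics are not in these groups", as an added example that is not part of the original task or of Wikimedia's tooling: it parses an LDIF export of the two groups named in the description and splits a request list into users already covered and users still missing. The `member: uid=...` entry layout, the sample export and the uids alice, bob, carol and dave are constructed assumptions.

```python
import base64

# Constructed sample, not real directory data. Assumes groups list members as
# "member: uid=<uid>,ou=people,..." (groupOfNames style); adjust for your schema.
WMF = "cn=wmf,ou=groups,dc=wikimedia,dc=org"
NDA = "cn=nda,ou=groups,dc=wikimedia,dc=org"
PEOPLE = "ou=people,dc=wikimedia,dc=org"
SAMPLE_LDIF = (
    f"# constructed export\ndn: {WMF}\ncn: wmf\n"
    f"member: uid=alice,{PEOPLE}\n"
    "member: uid=bob,ou=people,dc=wikimedia,\n dc=org\n\n"  # folded line
    f"dn: {NDA}\ncn: nda\n"
    "member:: " + base64.b64encode(f"uid=carol,{PEOPLE}".encode()).decode() + "\n"
)

def parse_ldif(text):
    """Return {dn_lowercased: {attr_lowercased: [values]}} from LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None                    # blank line ends an entry
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def group_uids(entries, group_dn):
    """Extract the uid from the first RDN of every member DN of one group."""
    uids = set()
    for member in entries.get(group_dn.lower(), {}).get("member", []):
        key, _, val = member.split(",", 1)[0].partition("=")
        if key.strip().lower() == "uid":
            uids.add(val.strip().lower())
    return uids

def triage(requested, entries, group_dns):
    """Split requested uids into ({uid: [groups already granting access]}, [missing])."""
    already, missing = {}, []
    for uid in requested:
        hits = [dn for dn in group_dns if uid.lower() in group_uids(entries, dn)]
        if hits:
            already[uid] = hits
        else:
            missing.append(uid)
    return already, missing
```

Running `triage` on the request list before editing the group shows which requested users already pass the gate through either group, so only the missing ones need to be added.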

elukey closed this task as Resolved. Oct 27 2016, 8:08 AM
elukey claimed this task.
leila added a comment. Oct 28 2016, 7:52 PM

oh! it works. Thanks, @elukey and team.