'prometheus' service user vs. actual human account 'prometheus'
Closed, Resolved | Public

Description

The Prometheus monitoring packages use a service user name 'Prometheus'. But, on labs we already have a user by that name.

That produced some conflicts during package installation, which is probably not a huge deal. On the other hand, the fact that someone can log in as a service/monitoring user is probably not great.

It's not their fault, of course, since their account predates our use of Prometheus software.

Event Timeline

I've emailed prometheus (the user) to see if I can just delete their account. If the answer is 'no' then I'm not sure how to proceed.

I think renaming the shell account name should be enough; deleting should not be necessary.

Quite ironic for an unforeseen conflict to concern a name meaning "forethought", isn't it?

bd808 claimed this task.
bd808 added a subscriber: bd808.

I rediscovered this problem while working on T170178: Update wikitech Titleblacklist. My first change was T170178#3436416 where I just changed the uid for the account. That turned out to be problematic because the missing prometheus LDAP account broke Puppet runs where it is used. Looking deeper I found that we actually have files owned by the numeric uid as well. Here's what I came up with as the fix:

  • rename prometheus to jberkley
  • change home dir and numeric uid for jberkley
  • add a new prometheus user with the old numeric uid

dn: uid=prometheus,ou=people,dc=wikimedia,dc=org
changetype: add
objectClass: inetorgperson
objectClass: posixAccount
uidNumber: 14736
gidNumber: 500
homeDirectory: /var/lib/prometheus
loginShell: /bin/false
uid: prometheus
cn: Prometheus daemon
sn: Prometheus daemon
description: Hack to clean up T170178
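
An added example, not part of the original task or of anyone's comment on it: a check that a reserved service name such as prometheus exists, keeps the numeric uid its files are owned by, and has a non-login shell. The sample passwd lines are constructed; only uid 14736, gid 500, /var/lib/prometheus and /bin/false come from the LDIF above, and the function names are hypothetical.

```python
# Added example (not from the task): audit passwd(5)-format account data.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed samples in `getent passwd` format. Only the uid 14736, gid 500,
# home and shell of the final prometheus entry come from the LDIF above; the
# jberkley uid, the home directories under /home and /bin/bash are assumptions.
BEFORE = "prometheus:x:14736:500:Human user:/home/prometheus:/bin/bash\n"
RENAMED_ONLY = "jberkley:x:20001:500:Human user:/home/jberkley:/bin/bash\n"
AFTER = RENAMED_ONLY + (
    "prometheus:x:14736:500:Prometheus daemon:/var/lib/prometheus:/bin/false\n")

def parse_passwd(text):
    """Return {name: {"uid", "home", "shell"}} for well-formed passwd lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and malformed entries
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "home": home, "shell": shell}
    return accounts

def audit_service_accounts(accounts, expected_uids):
    """Check each reserved service name; return (name, problem) pairs."""
    findings = []
    for name, uid in sorted(expected_uids.items()):
        acct = accounts.get(name)
        if acct is None:
            # Configuration management that references the user will fail.
            findings.append((name, "missing"))
            continue
        if acct["uid"] != uid:
            # Files owned by the old numeric uid no longer map to this name.
            findings.append((name, "uid-mismatch"))
        if acct["shell"] not in NOLOGIN_SHELLS:
            # Someone can log in under the service identity.
            findings.append((name, "login-shell"))
    return findings

if __name__ == "__main__":
    expected = {"prometheus": 14736}
    for label, data in (("before", BEFORE), ("renamed only", RENAMED_ONLY),
                        ("after", AFTER)):
        print(label, audit_service_accounts(parse_passwd(data), expected))
```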