Page MenuHomePhabricator

Requesting access to deploy hosts for musikanimal
Closed, ResolvedPublic

Description

Username: musikanimal
Full name: Leon Ziemba

Public key (not the same used to access Labs):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5jAvhIngD3svnIyBaHkhZTPEJc80jM363NfWUaFNcdi7n/VudTa3t8vL9jb1OZBUWnL/gfIW4VeLU4rKsfQkcpw6BpL9Qmr50Ewex9eU2pN3/tu1JN9OGNoJry8q81ZaxpH2wJD0JmCC4nlL84Ie7YjZQdcDpeDp4NL/eqEN30DilejVc34cMFpxcH2UYtJnoHGgSPBNsRvftrSniENKlWBrNF+Gjeg+awidUnlpTfGA0q8AGa5Fo69GkHxAzUymgNgeCY6w2H/HqgFcKT53YWgkViBZC0vi3Y0X0EDxnTgYbbKmSij7JU7Z4qJzzd+Tscd/xcO20hPsAYXcW/nF5 musikanimal@wikimedia.org

I do use this same keypair to access stat1002, which I am told is OK.

I am staff and mostly just want to be able to help my team debug and maintain production software. I thought stat1002 with analytics-store would suffice for my purposes, but I'm already running into situations where legit prod db access would really help – specifically T156318 where I was assumed to have access. SWAT deploys and other fun things may be in my future as well.

Details

Related Gerrit Patches:
operations/puppet : productionadmins: add musikanimal to deployers

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptMar 23 2017, 12:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

As Leon's manager, I approve and endorse this request.

Dzahn added a subscriber: Dzahn.Mar 23 2017, 12:37 AM

for other ops: this is about access to maintenance hosts (terbium and wasat) to run MySQL queries against prod dbs from there.

that means: role::mediawiki::maintenance (yea, there is role::mariadb::maintenance on the same hosts and it may sound like it, but that's not where the admin groups are linked.

so, hieradata/role/common/mediawiki/maintenance.yaml. and that has 3 groups:

  • restricted
  • deployment
  • ldap-admins

So this could be "restricted" and that would be enough for right now. ( description: access to terbium, mwlog hosts (private data) and bastion hosts. restricted folks use sudo to access apache / www-data resources). It would not cover the SWAT deploys which are listed as "may be in the future". So we could use that and later upgrade to 'deployment' once that's needed, or do "deployment" right away.

So this could be "restricted" and that would be enough for right now. ( description: access to terbium, mwlog hosts (private data) and bastion hosts. restricted folks use sudo to access apache / www-data resources). It would not cover the SWAT deploys which are listed as "may be in the future". So we could use that and later upgrade to 'deployment' once that's needed, or do "deployment" right away.

Fine and dandy by me :) I was encouraged to go ahead and request the whole lot, but at this moment my needs don't extend much beyond prod database access.

Community Tech is losing a deployer (me) in a week. Adding Foundation staff with interest to the deployers group seems like the sort of thing we should encourage rather than discourage. Getting access to the mwdebug* hosts is a very powerful tool for debugging and troubleshooting.

Dzahn added a comment.Mar 23 2017, 1:27 AM

Adding Foundation staff with interest to the deployers group seems like the sort of thing we should encourage rather than discourage

I'm not discouraging that nor is any of this ever a personal comment about trust or an individual. It's just that as an ops person handling access requests i feel it's our job to follow the principle of least privilege for a specific request. This is a common conflict between requestors and ops who have different incentives.

I take this as a request for "deployers". Then let's do that.

RobH added a subscriber: RobH.Mar 23 2017, 9:09 PM

Any request for deployers is a sudo request, and thus have to be reviewed in our weekly operations team meeting. Since I'm on clinic duty, I'll make sure this is listed for meeting review next Monday.

Change 344734 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admins: add musikanimal to deployers

https://gerrit.wikimedia.org/r/344734

Dzahn claimed this task.Mar 27 2017, 5:13 PM

access request has been approved in today's ops meeting

Change 344734 merged by Dzahn:
[operations/puppet@production] admins: add musikanimal to deployers

https://gerrit.wikimedia.org/r/344734

Mentioned in SAL (#wikimedia-operations) [2017-03-27T17:19:14Z] <mutante> tin/mira: welcome new mediawiki deployer 'musikanimal' (T161181)

Dzahn added a comment.Mar 27 2017, 5:21 PM

@MusikAnimal Done. Welcome to the deployers group!

eqiad:

[tin:~] $ id musikanimal
uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment)

codfw:

[mira:~] $ id musikanimal
uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment)
Dzahn closed this task as Resolved.Mar 27 2017, 5:21 PM
Dzahn removed a project: Patch-For-Review.

You should be able to ssh to tin.eqiad.wmnet and mira.codfw.wmnet, via the bastions as you already did for other hosts, now. Let us know if any questions or problems connecting. Cheers.