
Requesting access to deploy hosts for musikanimal
Closed, ResolvedPublic

Description

Username: musikanimal
Full name: Leon Ziemba

Public key (not the same used to access Labs):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5jAvhIngD3svnIyBaHkhZTPEJc80jM363NfWUaFNcdi7n/VudTa3t8vL9jb1OZBUWnL/gfIW4VeLU4rKsfQkcpw6BpL9Qmr50Ewex9eU2pN3/tu1JN9OGNoJry8q81ZaxpH2wJD0JmCC4nlL84Ie7YjZQdcDpeDp4NL/eqEN30DilejVc34cMFpxcH2UYtJnoHGgSPBNsRvftrSniENKlWBrNF+Gjeg+awidUnlpTfGA0q8AGa5Fo69GkHxAzUymgNgeCY6w2H/HqgFcKT53YWgkViBZC0vi3Y0X0EDxnTgYbbKmSij7JU7Z4qJzzd+Tscd/xcO20hPsAYXcW/nF5 musikanimal@wikimedia.org

I do use this same keypair to access stat1002, which I am told is OK.

I am staff and mostly just want to be able to help my team debug and maintain production software. I thought stat1002 with analytics-store would suffice for my purposes, but I'm already running into situations where legit prod db access would really help – specifically T156318 where I was assumed to have access. SWAT deploys and other fun things may be in my future as well.

Event Timeline

Restricted Application added a subscriber: Aklapper.

As Leon's manager, I approve and endorse this request.

for other ops: this is about access to maintenance hosts (terbium and wasat) to run MySQL queries against prod dbs from there.

that means: role::mediawiki::maintenance (yea, there is role::mariadb::maintenance on the same hosts and it may sound like it, but that's not where the admin groups are linked).

so, hieradata/role/common/mediawiki/maintenance.yaml. and that has 3 groups:

  • restricted
  • deployment
  • ldap-admins

So this could be "restricted" and that would be enough for right now. ( description: access to terbium, mwlog hosts (private data) and bastion hosts. restricted folks use sudo to access apache / www-data resources). It would not cover the SWAT deploys which are listed as "may be in the future". So we could use that and later upgrade to 'deployment' once that's needed, or do "deployment" right away.

Fine and dandy by me :) I was encouraged to go ahead and request the whole lot, but at this moment my needs don't extend much beyond prod database access.

Community Tech is losing a deployer (me) in a week. Adding Foundation staff with interest to the deployers group seems like the sort of thing we should encourage rather than discourage. Getting access to the mwdebug* hosts is a very powerful tool for debugging and troubleshooting.

Adding Foundation staff with interest to the deployers group seems like the sort of thing we should encourage rather than discourage

I'm not discouraging that, nor is any of this ever a personal comment about trust or an individual. It's just that as an ops person handling access requests I feel it's our job to follow the principle of least privilege for a specific request. This is a common conflict between requestors and ops, who have different incentives.

I take this as a request for "deployers". Then let's do that.

Any request for deployers is a sudo request, and thus has to be reviewed in our weekly operations team meeting. Since I'm on clinic duty, I'll make sure this is listed for meeting review next Monday.

Change 344734 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admins: add musikanimal to deployers

https://gerrit.wikimedia.org/r/344734

access request has been approved in today's ops meeting

Change 344734 merged by Dzahn:
[operations/puppet@production] admins: add musikanimal to deployers

https://gerrit.wikimedia.org/r/344734

Mentioned in SAL (#wikimedia-operations) [2017-03-27T17:19:14Z] <mutante> tin/mira: welcome new mediawiki deployer 'musikanimal' (T161181)

@MusikAnimal Done. Welcome to the deployers group!

eqiad:

[tin:~] $ id musikanimal
uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment)

codfw:

[mira:~] $ id musikanimal
uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment)

Dzahn removed a project: Patch-For-Review.

You should be able to ssh to tin.eqiad.wmnet and mira.codfw.wmnet, via the bastions as you already did for other hosts, now. Let us know if you have any questions or problems connecting. Cheers.
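As an added example (not from this ticket or the operations/puppet repository), a small POSIX shell check that parses `id` output like the lines quoted above and compares the account's groups against the set the request was approved for, reporting anything extra or missing; this is the least-privilege check discussed earlier in the thread, applied to the final state. The first sample line is the output quoted in this ticket; the second is constructed with a made-up extra group.

```shell
#!/bin/sh
# Sample `id` output as quoted in the ticket (tin and mira showed the same line).
ID_OUTPUT_TIN='uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment)'
# Constructed sample: same account with an extra group that was never approved.
ID_OUTPUT_EXTRA='uid=11106(musikanimal) gid=500(wikidev) groups=500(wikidev),705(deployment),4(adm)'

# groups_of: print the group names from one `id` output line, one per line.
# Strips everything up to "groups=", splits on commas, then drops the numeric gid.
groups_of() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# check_groups ID_LINE "expected groups": prints "ok" when the account is in exactly
# the expected groups, otherwise "extra: ..." and/or "missing: ..." and returns 1.
check_groups() {
    actual=$(groups_of "$1" | tr '\n' ' ')
    extra=""; missing=""
    for g in $actual; do
        case " $2 " in *" $g "*) ;; *) extra="$extra $g" ;; esac
    done
    for g in $2; do
        case " $actual " in *" $g "*) ;; *) missing="$missing $g" ;; esac
    done
    if [ -z "$extra$missing" ]; then
        echo ok
        return 0
    fi
    [ -n "$extra" ] && echo "extra:$extra"
    [ -n "$missing" ] && echo "missing:$missing"
    return 1
}

# Usage: the approved set for this request was wikidev (primary) plus deployment.
check_groups "$ID_OUTPUT_TIN" "wikidev deployment"
check_groups "$ID_OUTPUT_EXTRA" "wikidev deployment" || echo "review: unapproved group on account"
```

On a live host the same check would be run as `check_groups "$(id musikanimal)" "wikidev deployment"`.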