
Requesting access to maps servers for pnorman
Closed, ResolvedPublic

Description

Username: pnorman
Full name: Paul Norman

ssh key

ssh-rsa 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 pnorman@pippin

I am requesting access to the maps production servers (maps100*.*) for debugging maps problems when they occur. A couple of recent problems have required looking at the contents of the OSM databases on production, and fixing the problems was delayed because I had to wait for someone with access to log on and check.

@Gehel, can you think of anything I'm missing?

access request checklist

This checklist assumes that Paul Norman is not staff. (I checked and didn't see you on staff list files, but let me know if that is a mistake.) Being staff would change the checklist to require a manager approval for access, and drop the NDA (since all staff sign an NDA when hired.)

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access

maps-admin, kartotherian-admin, tilerator-admin

  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff) (confirmed by @RStallman-legalteam.)
  • - a WMF employee sponsoring access (@Gehel)
  • - request includes admin/sudo, so request requires operations meeting review (next meeting on 2017-03-27)
  • - need email address to tie to @Pnorman's shell account.

Event Timeline

Restricted Application added a subscriber: Aklapper.

We need a few things for this to be granted:

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access
  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff)
  • - 3 day business wait for approval (cannot really start until we determine what groups you need access to)
  • - need email address to tie to @Pnorman's shell account.
RobH triaged this task as Medium priority. Mar 24 2017, 3:43 PM
RobH updated the task description.
  • group for access: maps-admin, kartotherian-admin, tilerator-admin
  • NDA confirmation: Paul should have signed an NDA as part of his contractor onboarding, not sure how we need to get legal to confirm this
  • email address: I'll let Paul confirm this

@Gehel,

I've emailed @RStallman-legalteam to comment on this task, they (legal, but more specifically Rachel so far) handle the NDA confirmations.

I am very much sponsoring Paul for his SSH access to the maps cluster.

Confirming that Paul Norman has a current contract with WMF which includes NDA language. This will cover the NDA requirement until the contract expires.

RobH updated the task description.

@RStallman-legalteam Thank you! I see we also have "expiry_date" and "expiry_contact" (email address) in our code for access for contractors and you are a contact for at least one of them. Should we add you for Paul as well and is there an expiry date?

  • need email address to tie to @Pnorman's shell account.

There is an existing wikitech user "pnorman" with a @mac.com email address. UID 16082. That's the right one? @Pnorman

Yes, my email is penorman@mac.com

This access request has been approved in today's ops meeting.

@Dzahn - I have a record of May 31, 2017 as the current contract expiration. However, legal did not finalize this contract. Depending on the arrangement with the contractor, either legal or HR processes contracts. Paul's was ultimately done through HR, so I wouldn't be in the loop regarding renewal. I believe Katie Horn or Lani Goto would be the best to check in with regarding extension, etc. Thanks!

Change 345066 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admin: create shell account for Paul Norman

https://gerrit.wikimedia.org/r/345066

Thank you @RStallman-legalteam (and also for the other approval earlier). I have added hr@wikimedia.org as contact for now.

We need a few things for this to be granted:

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access
  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff)
  • - 3 day business wait for approval (cannot really start until we determine what groups you need access to)
  • - need email address to tie to @Pnorman's shell account.

^ @Pnorman all looks good, it's just that last check box now. ^. thanks for your patience.

Change 345066 merged by Dzahn:
[operations/puppet@production] admin: create shell account for Paul Norman

https://gerrit.wikimedia.org/r/345066

Change 345196 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admin: add pnorman to maps/kartotherian/tilerator-admins

https://gerrit.wikimedia.org/r/345196

Change 345196 merged by Dzahn:
[operations/puppet@production] admin: add pnorman to maps/kartotherian/tilerator-admins

https://gerrit.wikimedia.org/r/345196

Hi @Pnorman,

so after this merge your shell user has been created on the bastion hosts. From there on you should have been able to SSH to them. See ssh config examples on wikitech.

Then since this merge your user is now being created on the maps servers (for example maps1001.eqiad.wmnet and the others). I have already confirmed it on maps1001 and the others will follow within the next 30 min max. automatically.

In the ssh config above you can see how to use ProxyCommand to jump via the bastion hosts to the internal servers.

If you look here in the repository operations/puppet for your own user name, you can see which commands exactly you can run with sudo.

And in site.pp if you look for nodes using the role maps::server you can see the host names/regexes of everything you have access to.

Let us know if any trouble connecting.

Daniel