Page MenuHomePhabricator

Requesting access to maps servers for pnorman
Closed, ResolvedPublic

Description

Username: pnorman
Full name: Paul Norman

ssh key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCy7wnX7ck41mKRzXvt5n/2UVEDkK1T9L5iyDFAWgDAbjgWqjBgnfHVq88lX1d/WOUNjNzF1WnRWn1vk6gKk3eoNlIbEcIvfLGYB+e6yGsE9KZWyvcpWcIBhhe9YH4d7nY34ScUIH42bZkXh2iGu5VpQVm8G5Wf9iqSwKFHSAy+Bl3jclaHSPfUmGxTbjC2e20Xns8BvybEW4dBjb79/eHNR1K/9f5JHeLM9ZE3wKVYC07kSnsYCGVWWr2zqyjpmBl2hQe/0C0pvx2AoTzEYK58BZZUkui3aIihSDiDMxDujNypUtePyoCq14t8dLSkIfOh0kRKAVmC/6oVwzSFbvZ7yjyU5ApsUK1DqCmFw/yz9M/nRuAs3qkXwFC1XUyjNBiVBEbWKDGxBx08TjZPKSvbtQD3DaU7RvXJUh3hsDcrgfky6ZlfV9y1bRp7heHVAShVWrsTwoQt/PF6uZ2ud71Ri51bV9qlHdT/BmF+UJ86LSPzTHSKt57GEXguVVPCGgfjFm+WugW4SOC+Bx/IEQC7+hfgXZjr6CQt+zCOExBS6IpknDBIzuvdbrNKG1auBn6nJKCAURRR3q71tCGlihjV39u5ZEmGqacsIYDA1SSTGqUGq5MuaVoVuS0rBPwFjO1enhqDT6wl9qBVuHUDlis9XQ2wOyLT3yqG0sGYxpNF0w== pnorman@pippin

I am requesting access to the maps production servers (maps100*.*) for debugging maps problems when they occur. A couple of recent problems have required looking at the contents of the OSM databases on production, and fixing the problems was delayed because I had to wait for someone with access to log on and check.

@Gehel, can you think of anything I'm missing?

access request checklist

This checklist assumes that Paul Norman is not staff. (I checked and didn't see you on staff list files, but let me know if that is a mistake.) Being staff would change the checklist to require a manager approval for access, and drop the NDA (since all staff sign an NDA when hired.)

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access

maps-admin, kartotherian-admin, tilerator-admin

  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff) (confirmed by @RStallman-legalteam.)
  • - a WMF employee sponsering access (@Gehel)
  • - request includes admin/sudo, so request requires operations meeting review (next meeting on 2017-03-27)
  • - need email address to tie to @Pnorman's shell account.

Event Timeline

Pnorman created this task.Mar 23 2017, 11:25 PM
Restricted Application added a project: Operations. · View Herald TranscriptMar 23 2017, 11:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
RobH added a subscriber: RobH.Mar 24 2017, 3:42 PM

We need a few things for this to be granted:

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access
  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff)
  • - 3 day business wait for approval (cannot really start until we determine what groups you need access to)
  • - need email address to tie to @Pnorman's shell account.
RobH triaged this task as Normal priority.Mar 24 2017, 3:43 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)
Gehel added a comment.Mar 24 2017, 3:53 PM
  • group for access: maps-admin, kartotherian-admin, tilerator-admin
  • NDA confirmation: Paul should have signed an NDA as part of his contractor onboarding, not sure how we need to get legal to confirm this
  • email address: I'll let Paul confirm this
Gehel updated the task description. (Show Details)Mar 24 2017, 3:53 PM
RobH added a subscriber: RStallman-legalteam.EditedMar 24 2017, 3:54 PM

@Gehel,

I've emailed @RStallman-legalteam to comment on this task, they (legal, but more specifically Rachel so far) handle the NDA confirmations.

Gehel added a comment.Mar 24 2017, 3:54 PM

I am very much sponsoring Paul for his SSH access to the maps cluster.

RobH updated the task description. (Show Details)Mar 24 2017, 3:59 PM
Gehel updated the task description. (Show Details)Mar 24 2017, 4:17 PM

Confirming that Paul Norman has a current contract with WMF which includes NDA language. This will cover the NDA requirement until the contract expires.

RobH updated the task description. (Show Details)Mar 24 2017, 5:30 PM
RobH updated the task description. (Show Details)

@RStallman-legalteam Thank you! I see we also have "expiry_date" and "expiry_contact" (email address) in our code for access for contractors and you are a contact for at least one of them. Should we add you for Paul as well and is there an expiry date?

  • need email address to tie to @Pnorman's shell account.

There is an existing wikitech user "pnorman" with a @mac.com email address. UID 16082. That's the right one? @Pnorman

Yes, my email is penorman@mac.com

This access request has been approved in today's ops meeting.

@ Dzhan - I have a record of May 31, 2017 as the current contract expiration. However, legal did not finalize this contract. Depending on the arrangement with the contractor, either legal or HR processes contracts. Paul's was ultimately done through HR, so I wouldn't be in the loop regarding renewal. I believe Katie Horn or Lani Goto would be the best to check in with regarding extension, etc. Thanks!

Change 345066 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admin: create shell account for Paul Norman

https://gerrit.wikimedia.org/r/345066

Dzahn updated the task description. (Show Details)Mar 27 2017, 10:52 PM

Thank you @RStallman-legalteam (and also for the other approval earlier). I have added hr@wikimedia.org as contact for now.

We need a few things for this to be granted:

  • - please determine (perhaps with @Gehel) exactly what groups you should be added to for access
  • - review and sign the L3 document. (done on Thu, Mar 23, 22:53)
  • - NDA confirmation from WMF legal (required for all non-staff)
  • - 3 day business wait for approval (cannot really start until we determine what groups you need access to)
  • - need email address to tie to @Pnorman's shell account.

^ @Pnorman all looks good, it's just that last check box now. ^. thanks for your patience.

Change 345066 merged by Dzahn:
[operations/puppet@production] admin: create shell account for Paul Norman

https://gerrit.wikimedia.org/r/345066

Change 345196 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admin: add pnorman to maps/kartotherian/tilerator-admins

https://gerrit.wikimedia.org/r/345196

Change 345196 merged by Dzahn:
[operations/puppet@production] admin: add pnorman to maps/kartotherian/tilerator-admins

https://gerrit.wikimedia.org/r/345196

Dzahn added a comment.EditedMar 28 2017, 6:29 PM

Hi @Pnorman,

so after this merge your shell user has been created on the bastion hosts. From there on you should have been able to SSH to them. See ssh config examples on wikitech.

Then since this merge your user is now being created on the maps servers (for example maps1001.eqiad.wmnet and the others). I have already confirmed it on maps1001 and the others will follow within the next 30 min max. automatically.

In the ssh config above you can see how to use ProxyCommand to jump via the bastion hosts to the internal servers.

If you look here in the repository operations/puppet for your own user name, you can see which commands exactly you can run with sudo.

And in site.pp if you look for nodes using the role maps::server you can see the host names/regexes of everything you have access to.

Let us know if any trouble connecting.

Daniel

Dzahn added a subscriber: akosiaris.
Dzahn closed this task as Resolved.Mar 28 2017, 7:34 PM