
Granting wmde group access to grafana-admin.wikimedia.org
Closed, Declined · Public

Description

Proposed by Adam Shorland in https://gerrit.wikimedia.org/r/#/c/333024/ and making a ticket for today's Ops meeting:
Allow the members of cn=wmde access to grafana-admin.wikimedia.org. grafana-admin doesn't hold any PII data, it only grants the possibility to define custom workboards, it's simply an anti-vandalism measure. There's a separate group in LDAP (cn=grafana-admin) to grant access to grafana-admin to people who are not members of the wmf or nda groups, but it's simpler to grant access to the entire wmde group instead of replicating that all.

Event Timeline

Restricted Application added a project: Operations. · Mar 27 2017, 7:16 AM
Restricted Application added a subscriber: Aklapper.

Change 333024 had a related patch set uploaded (by Peachey88; owner: Addshore):
[operations/puppet@production] Add wmde ldap group to grafana

https://gerrit.wikimedia.org/r/333024

MoritzMuehlenhoff renamed this task from "Granting wmde group access to" to "Granting wmde group access to grafana-admin.wikimedia.org". · Mar 27 2017, 9:47 AM
Dzahn added a subscriber: Dzahn. · Mar 29 2017, 12:49 AM

It has been said in ops meeting that NDA is needed for grafana-admin. It looks like we'll have to start that process with all the group members that don't have it yet. The group currently has 23 members. Not sure yet how this would work best. @MoritzMuehlenhoff thoughts?

MoritzMuehlenhoff closed this task as Declined. · Mar 30 2017, 10:30 AM

@Addshore: I'm sorry, but we have to decline that request: We've discussed this in the TechOps meeting and since the feature to edit custom dashboards in Grafana-Admin allows full access to the underlying metrics and since we cannot rule out for sure that any of these metrics contain PII data, we need to treat the access to grafana-admin as potentially sensitive. I contacted the WMF Legal department and members of that group need to sign an NDA. (The process is fairly lightweight, the signature is done online).

There are three members of WMDE which currently have access to Grafana-Admin, which don't have an NDA. I'll reach out to those separately via mail.

If additional WMDE members need access to grafana-admin, please open a separate Ops-Access-Request ticket. Sorry for the extra overhead, but we're erring on the side of caution here.

Change 333024 abandoned by Addshore:
Add wmde ldap group to grafana

https://gerrit.wikimedia.org/r/333024