Page MenuHomePhabricator

Requesting access to recommendation-api for nschaaf
Closed, ResolvedPublicRequest

Description

Username: nschaaf
Full name: Nathaniel Schaaf
IRC: schana
Description: nschaaf needs access to these nodes for operating recommendation-api. We need to be able to read the logs at /srv/log/recommendation-api and be able to start/stop/restart it. The tasks asking for the service's deployment are T165760 and T167664.

I'm creating this task according to https://wikitech.wikimedia.org/wiki/Services/FirstDeployment#Access_Rights, but am otherwise unfamiliar with running/deploying/monitoring services living in WMF infrastructure.

@DarTar can you approve this request?

Details

Related Gerrit Patches:
operations/puppet : productionadding nschaaf to two sudo groups

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptJul 13 2017, 3:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Approved, thanks.

RobH added a subscriber: RobH.EditedJul 17 2017, 3:04 PM

Having the ability to restart the api service is a sudo right, and thus we have to review this request in an operations meeting. Additionally, the following will be required from the user, all documented on https://wikitech.wikimedia.org/wiki/Requesting_shell_access. Many of these items have already been done, since this is simply expanding @schana's access.

  • - preferred shell username
  • - wikitech user name
  • - email address to be tied to the shell account
  • - Read, acknowledge, and sign the L3 document.
  • - attach a dedicated public key (not the same key as labs or used elsewhere) for shell access.

Since @DarTar approved the access expansion, all this lacks is ops meeting approval. I'll list on our agenda today.

The group being requested is:

recommendation-admin:
    description: Group of recommendation-api admins
    gid: 794
    members: [gwicke, ppchelko, eevans, mobrovac]
    privileges: ['ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
                 'ALL = (recommendation_api) NOPASSWD: ALL']
RobH added a comment.Jul 17 2017, 4:47 PM

I put in the wrong group, @mobrovac confirmed in ops meeting this is actually requesting service deployer rights. No one in the meeting objected.

Right. @schana is the service owner and maintainer, so he needs to be able to both deploy the service and directly restart it on the SCB hosts. Hence, he needs to be part of both deploy-service and recommendation-admin groups.

RobH claimed this task.Jul 17 2017, 4:52 PM

Thanks! As noted, this was approved in the operations weekly meeting. I'll claim and merge a patchset later today.

RobH triaged this task as Normal priority.Jul 17 2017, 4:52 PM

Change 365658 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding nschaaf to deploy-service and recommendation-admin groups

https://gerrit.wikimedia.org/r/365658

Change 365658 merged by RobH:
[operations/puppet@production] adding nschaaf to two sudo groups

https://gerrit.wikimedia.org/r/365658

RobH closed this task as Resolved.Jul 17 2017, 5:33 PM
RobH removed RobH as the assignee of this task.

This has been merged live, and all affected hosts will get the update within 30 minutes or so when they call in for updates.

If there are any issues, please re-open this task.