Page MenuHomePhabricator
Create Task
Maniphest T170592

Requesting access to recommendation-api for nschaaf
Closed, ResolvedPublicRequest
Actions

Description

Username: nschaaf
Full name: Nathaniel Schaaf
IRC: schana
Description: nschaaf needs access to these nodes for operating recommendation-api. We need to be able to read the logs at /srv/log/recommendation-api and be able to start/stop/restart it. The tasks asking for the service's deployment are T165760 and T167664.

I'm creating this task according to https://wikitech.wikimedia.org/wiki/Services/FirstDeployment#Access_Rights, but am otherwise unfamiliar with running/deploying/monitoring services living in WMF infrastructure.

@DarTar can you approve this request?

Details

SubjectRepoBranchLines +/-
adding nschaaf to two sudo groupsoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

schana created this task.Jul 13 2017, 3:47 PM
Restricted Application added a project: SRE. · View Herald TranscriptJul 13 2017, 3:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
schana mentioned this in T167115: Request access rights for service.Jul 13 2017, 3:48 PM
schana added a parent task: T167115: Request access rights for service.
DarTar added a comment.Jul 13 2017, 4:25 PM

Approved, thanks.

RobH subscribed.EditedJul 17 2017, 3:04 PM

Having the ability to restart the api service is a sudo right, and thus we have to review this request in an operations meeting. Additionally, the following will be required from the user, all documented on https://wikitech.wikimedia.org/wiki/Requesting_shell_access. Many of these items have already been done, since this is simply expanding @schana's access.

  • - preferred shell username
  • - wikitech user name
  • - email address to be tied to the shell account
  • - Read, acknowledge, and sign the L3 document.
  • - attach a dedicated public key (not the same key as labs or used elsewhere) for shell access.

Since @DarTar approved the access expansion, all this lacks is ops meeting approval. I'll list on our agenda today.

The group being requested is:

recommendation-admin:
    description: Group of recommendation-api admins
    gid: 794
    members: [gwicke, ppchelko, eevans, mobrovac]
    privileges: ['ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
                 'ALL = (recommendation_api) NOPASSWD: ALL']
RobH added a comment.Jul 17 2017, 4:47 PM

I put in the wrong group, @mobrovac confirmed in ops meeting this is actually requesting service deployer rights. No one in the meeting objected.

mobrovac added a comment.Jul 17 2017, 4:50 PM

Right. @schana is the service owner and maintainer, so he needs to be able to both deploy the service and directly restart it on the SCB hosts. Hence, he needs to be part of both deploy-service and recommendation-admin groups.

RobH claimed this task.Jul 17 2017, 4:52 PM

Thanks! As noted, this was approved in the operations weekly meeting. I'll claim and merge a patchset later today.

RobH triaged this task as Medium priority.Jul 17 2017, 4:52 PM
gerritbot subscribed.Jul 17 2017, 5:21 PM

Change 365658 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding nschaaf to deploy-service and recommendation-admin groups

https://gerrit.wikimedia.org/r/365658

gerritbot added a project: Patch-For-Review.Jul 17 2017, 5:21 PM
gerritbot added a comment.Jul 17 2017, 5:32 PM

Change 365658 merged by RobH:
[operations/puppet@production] adding nschaaf to two sudo groups

https://gerrit.wikimedia.org/r/365658

RobH closed this task as Resolved.Jul 17 2017, 5:33 PM
RobH removed RobH as the assignee of this task.

This has been merged live, and all affected hosts will get the update within 30 minutes or so when they call in for updates.

If there are any issues, please re-open this task.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits