(Could you explain why this is tagged with WMF-NDA-Requests?)

In T177599#3664427, @Aklapper wrote:

(Could you explain why this is tagged with WMF-NDA-Requests?)

This requires an NDA to be signed, both L2 and L4 I believe now, hence the tag.

Hi, re: "to be able to contribute to AdvancedSearch" does this mean you want the +2 permissions to be able to merge changes in Gerrit in a wikidata-related repo?

And that repo has access controls based on the group "wikidata" (https://gerrit.wikimedia.org/r/#/admin/groups/32,members) or "tcb-team" (https://gerrit.wikimedia.org/r/#/admin/groups/1200,members).

Is that what the request is about?

Asking this way because that is all i see that the "wmde" LDAP group does on https://wikitech.wikimedia.org/wiki/LDAP_Groups

I am not sure if that has any relation to the "nda" group though.

@Pablo-WMDE: You should be able to access L2 now

@Dzahn Yes, I am asking for +2 permissions to be able to perform code review for my team mates.
Phrased the ticket the way it was recommended to me; I am not aware which memberships entitle to which privileges.

Signed L2.

In T177599#3666657, @Dzahn wrote:

Hi, re: "to be able to contribute to AdvancedSearch" does this mean you want the +2 permissions to be able to merge changes in Gerrit in a wikidata-related repo?

And that repo has access controls based on the group "wikidata" (https://gerrit.wikimedia.org/r/#/admin/groups/32,members) or "tcb-team" (https://gerrit.wikimedia.org/r/#/admin/groups/1200,members).

Is that what the request is about?

Asking this way because that is all i see that the "wmde" LDAP group does on https://wikitech.wikimedia.org/wiki/LDAP_Groups

I am not sure if that has any relation to the "nda" group though.

Indeed ldap/wmde is included in the team-tcb and wikidata gerrit groups.

AFAIK you need to sign an NDA to be included in any LDAP group.

@Dzahn exactly. The ldap/wmde group is used to control access of WMDE employees to repositories that WMDE has ownership for. That includes the Wikidata repositories as well as extensions and tools WMDE develops for the Technical Wishes Project. AFAIK signing the L2 NDA is needed for getting added to any ldap group.

Confirming that @Pablo-WMDE is a WMDE employee since April already, so please add him to the group after the NDA has been signed.

@Tobi_WMDE_SW Ok, got it. Thanks for explaining and confirming that.

I could also confirm now that Pablo has signed L2.

I have contacted WMF legal to reach out to Pablo so he can sign the right NDA. I asked and L2 is only for Phabricator access to non-public tickets, but if LDAP groups are involved a different kind of NDA must be signed directly with legal.

In T177599#3673991, @Dzahn wrote:

I have contacted WMF legal to reach out to Pablo so he can sign the right NDA. I asked and L2 is only for Phabricator access to non-public tickets, but if LDAP groups are involved a different kind of NDA must be signed directly with legal.

Is L2 enough to get into the ldap/nda group?
If so we might look at killing the ldap/wmde group as it no longer really gives us any extra accesses anywhere (that I am aware of).

In T177599#3673997, @Addshore wrote:

Is L2 enough to get into the ldap/nda group?

Afaict, no, it's not. I was told L2 is only for membership in the Phabricator "WMF-NDA" group for access to restricted tickets but any LDAP group membership means now being listed in the "admins" module in puppet and signing a different NDA with Legal.

any LDAP group membership means now being listed in the "admins" module in puppet and signing a different NDA with Legal.

I don't see the wmde LDAP group in the admins puppet module.

As we have to get this different NDA signed with legal even for the nda LDAP group access then we can probably keep the wmde group.

For the past year or so, we have had WMDE staff requiring LDAP access sign an NDA with legal.

@Pablo-WMDE: I can route the NDA to your wikimedia.de email address for electronic signature.

Pablo has signed the NDA for LDAP access and it's on file in our contracts software. Thanks!

Mentioned in SAL (#wikimedia-operations) [2017-10-12T18:28:32Z] <mutante> added Pablo (pgrass) to LDAP group 'wmde' (T177599)

@Dzahn has @Pablo-WMDE automatically been added to the nda ldap group as part of this ticket or not?

@Addshore : I just checked, he's currently not a member of that group.

No, sorry, the nda group was never requested and is used for different things, not for controlling access to repos.

In T177599#3674032, @Addshore wrote:

I don't see the wmde LDAP group in the admins puppet module.

You are right! I was going to fix this and started working on a change to add them all, but figured before i do that and upload them all i should ask @MoritzMuehlenhoff

Would it make sense if i add the wmde group members? "ldap_wmde_users" on the same hierarchy level as "ldap_only_users"? should we just do one section per LDAP group?

In T177599#3684322, @Dzahn wrote:

Would it make sense if i add the wmde group members? "ldap_wmde_users" on the same hierarchy level as "ldap_only_users"? should we just do one section per LDAP group?

You don't need to explicitly add LDAP group memberships to data.yaml, if they are in at least one sensitive LDAP group but don't have shell access, they need to be added to "ldap_only_users" (but it doesn't matter which group(s) in particular as long as they are listed as having signed the NDA at https://docs.google.com/spreadsheets/d/1xQNx5s2yErvayCMzvk9VkIA2ZihFXSBEhT5Z5ziCsi4/edit#gid=1925010937). The purpose of that table is to have a fixed reference in git along with contact details in addition to what we store in LDAP (it's used by the cross-check tools and by offboarding tools).

Alright, thanks. So all members of 'wmde' should be added to ldap_only_users. I will add a patch to do that.

Pablo is listed as "has LDAP NDA access" in that doc. I think that makes it a bit more confusing since he is _not_ in the group called "nda" but in another group, "wmde".

In T177599#3687404, @Dzahn wrote:

Pablo is listed as "has LDAP NDA access" in that doc.

That means "had access to an LDAP group requiring LDAP access", not necessarily cn=nda only.