
Add quiddity as toolsadmin in Striker
Closed, ResolvedPublic


I would like to add/improve the .json info for various toolforge tools in Striker.
Please add me as a temporary toolsadmin, so that I can edit this info.
For anything I change, I will let the maintainers know what I've done, and remind them to edit/improve it further themselves.

For the future (better solution) we have T179510: Create a new basic ContentAdmin role in Striker.

Event Timeline

Quiddity created this task.Nov 1 2017, 4:49 PM
Restricted Application added a subscriber: Aklapper.Nov 1 2017, 4:49 PM

This right in Striker is tied to maintainership of the admin tool. In addition to advanced rights in Striker, this membership also grants sudo on Toolforge servers. I personally trust @Quiddity's judgement and expect that he would not abuse this user right. I will bring this up for discussion with the cloud-services-team for approval or denial.

Legoktm added a subscriber: Legoktm.Nov 5 2017, 3:02 AM

Do the two rights need to be tied together? Could we have a pseudo-tool called "striker-admins" or something?

> Do the two rights need to be tied together? Could we have a pseudo-tool called "striker-admins" or something?

Yes, this is definitely an option that we could look into. The current Striker codebase awkwardly hard codes `return user.ldap_dn in Tool.objects.get(cn='tools.admin').members`, so we would need a code change rather than just a configuration change to make this happen. Implementing T179510: Create a new basic ContentAdmin role in Striker would also be reasonable.

The non-obvious elevated privileges that come from tools.admin maintainership are something that @chasemp has brought up before as an anti-pattern. It might be better to create a group hierarchy in our LDAP directory that is explicitly tied to Striker rather than making more "magic" tools just to get easier group membership management.
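A small model of the two approaches discussed in this thread, added here as an example and not Striker's own code: the implicit rule quoted above (Striker admin equals maintainer of the tools.admin tool) beside explicit Striker role groups, plus an audit helper that lists accounts holding admin only through the implicit route. The directory contents, the user DNs and the striker.* group names are constructed.

```python
from typing import Dict, Set

# Constructed DNs for the example; not real directory entries.
QUIDDITY = "uid=quiddity,ou=people,dc=example"
BD808 = "uid=bd808,ou=people,dc=example"


class Directory:
    """Minimal stand-in for the LDAP directory: group cn -> set of member DNs."""

    def __init__(self, groups: Dict[str, Set[str]]) -> None:
        self.groups = groups

    def members(self, cn: str) -> Set[str]:
        return self.groups.get(cn, set())


# 1. Implicit rule, paraphrasing the hard-coded check quoted in the thread:
#    a Striker admin is whoever is a maintainer of the 'tools.admin' tool.
def is_admin_implicit(directory: Directory, user_dn: str) -> bool:
    return user_dn in directory.members("tools.admin")


# 2. Explicit alternative: dedicated Striker groups (constructed cns), so that
#    tool maintainership carries no hidden Striker rights.
STRIKER_ROLE_GROUPS = {
    "admin": "striker.admins",
    "contentadmin": "striker.contentadmins",
}


def has_role_explicit(directory: Directory, user_dn: str, role: str) -> bool:
    return user_dn in directory.members(STRIKER_ROLE_GROUPS[role])


def implicit_only_admins(directory: Directory) -> Set[str]:
    """Audit helper: accounts that are Striker admins under the implicit rule
    but hold no explicit admin role. These are the 'non-obvious' grants."""
    return directory.members("tools.admin") - directory.members(STRIKER_ROLE_GROUPS["admin"])


def sample_directory() -> Directory:
    """Constructed data mirroring this task: quiddity added as a tools.admin
    maintainer to edit tool info, but intended only as a content admin."""
    return Directory({
        "tools.admin": {BD808, QUIDDITY},
        "striker.admins": {BD808},
        "striker.contentadmins": {QUIDDITY},
    })


if __name__ == "__main__":
    for dn in sorted(implicit_only_admins(sample_directory())):
        print("admin only via tools.admin maintainership:", dn)
```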

bd808 added a comment.Nov 8 2017, 4:37 PM

I poked around a bit more and I think that I was wrong about maintainership in the 'admin' tool actually granting sudo rights. This seems to properly be a separate sudo policy managed in Horizon just like it would be for any other Cloud VPS project.

bd808 claimed this task.Nov 28 2017, 4:29 PM
bd808 moved this task from Needs discussion to Clinic Duty on the cloud-services-team (Kanban) board.

Mentioned in SAL (#wikimedia-cloud) [2017-11-28T22:05:12Z] <bd808> Added Quiddity as a maintainer (T179511)

bd808 closed this task as Resolved.Nov 28 2017, 10:05 PM