Page MenuHomePhabricator

Access to logstash (LDAP group 'nda') for Paladox
Closed, DeclinedPublic

Description

I would like to be able to access logstash to view gerrit's logs please.

This requires membership in NDA LDAP group.

It shows here https://github.com/wikimedia/puppet/blob/production/hieradata/role/common/logstash/collector.yaml#L51
that it requires the nda/ops/wmf group to be able to access logstash.

The reason why is we recently added support for logstash in gerrit T141324

With this support we can now view gerrit's log through logstash allowing users who doint have access to
gerrit's servers to be able to help identify problems and possibly report them upstream for them to be fixed.

I have over the last couple of months spent alot of time contributing upstream in gerrit to add some features
that were reported in our bug tracker here https://phabricator.wikimedia.org/project/board/330/

Username: paladox

Note i did email legal sometime last week, but did not really know where i should have asked for this, since i found this today https://wikitech.wikimedia.org/wiki/Volunteer_NDA#Volunteer_NDA_for_privileged_LDAP_access_or_shell_access i filled a task as per the instructions there.

Event Timeline

Paladox created this task.Nov 27 2017, 10:29 PM
Restricted Application added a project: Operations. · View Herald TranscriptNov 27 2017, 10:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Paladox updated the task description. (Show Details)Nov 27 2017, 10:30 PM

Hi @Paladox I know it since we already talked on IRC, but you should add that you already mailed legal and your question if the volunteer NDA is right and all that.

I can just confirm meanwhile that the LDAP group "nda" is for this use case, volunteers with (some kind of) NDA who should have login to logstash (and some other web UIs).

Paladox updated the task description. (Show Details)Nov 27 2017, 10:36 PM
Dzahn renamed this task from Requesting access to the ldap nda group to Access to logstash (LDAP group 'nda') for Paladox.Nov 27 2017, 10:38 PM
faidon added a subscriber: faidon.Nov 27 2017, 10:54 PM

LDAP NDA access effectively means getting access to private and sensitive information, on multiple servers and services, across the board. As such, it's more than just signing a piece of paper or making a good faith promise; it's about one proving they are trustworthy to handle sensitive information (either ours, or of our users'), to be careful with what they access, to listen to instructions about what to do (and not do) with the information they access, and to think carefully before they act.

I do not think the requestor has demonstrated this kind of behavior in our past interactions, and as such I'm afraid I'll have to object to this request. My objection is final -at least as far as LDAP access goes- but not permanent; if @Paladox demonstrates thoughtfulness and cautiousness in the future, this can be revisited in due time.

hashar added a subscriber: hashar.Nov 27 2017, 10:55 PM
MaxSem added a subscriber: MaxSem.Nov 27 2017, 11:28 PM

I think there's probably other ways we can help Paladox contribute in this area that don't require the nda access - is this just about wanting to view the Gerrit exceptions that are now in logstash?

demon added a comment.Nov 28 2017, 3:47 AM

I think there's probably other ways we can help Paladox contribute in this area that don't require the nda access - is this just about wanting to view the Gerrit exceptions that are now in logstash?

That was the impetus yes. Tbh, the vast majority of data in logstash is ridiculously boring and doesn't need to be NDA'd, but let me not sidetrack this discussion.

I was the one who encouraged Paladox to apply for access here as his ability to view log data from Gerrit will greatly benefit everyone -- he's basically my first officer when it comes to the Gerrit :)

Dzahn added a comment.Nov 28 2017, 4:10 AM

Confirmed. This was about Gerrit logs. If there was a way to request "logstash but just Gerrit" then that would have been the request. Paladox is the one who did the majority of the work to move logs into logstash in the first place (to enable volunteers to read them without shell access) and works with Gerrit upstream so i also encouraged him. That said, it doesn't change that the "nda" group does a lot more than that and the permission system is not fine-tuned enough to allow it "per service".

greg closed this task as Declined.Nov 28 2017, 6:36 AM
greg added a subscriber: greg.

Thank you, @Paladox, for all of your help with this effort (and more) with Gerrit. Unfortunately, per @faidon I'm declining this task. I wish there was some way to provide the needed fine-tuned access.

Do we have alerts for Gerrit exceptions? If we could set up IRC alerts (or something else), paladox could follow those and have someone with logstash access look up the traceback for him. It kind of sucks but would at least allow him to continue his work in this area.

demon added a comment.Nov 28 2017, 6:03 PM

Do we have alerts for Gerrit exceptions? If we could set up IRC alerts (or something else), paladox could follow those and have someone with logstash access look up the traceback for him. It kind of sucks but would at least allow him to continue his work in this area.

Not right now, but should be much more possible now that we're on logstash.