Remove cloud-admin rights from YuviPanda
Closed, Resolved · Public

Description

I'm doing an audit of access I have to various sensitive projects and removing myself to potentially reduce the amount of security precautions I have to take.

I think for now, I'd like to get all my wikimedia access revoked except for admin on ToolForge. I've opened https://gerrit.wikimedia.org/r/#/c/407577/ to remove my prod access, and this task to remove various LDAP bits / access I might have on cloud.

Restricted Application added a subscriber: Aklapper. Feb 2 2018, 1:17 AM
bd808 triaged this task as Normal priority. Feb 9 2018, 12:35 AM
bd808 claimed this task.
bd808 added a comment. Feb 9 2018, 12:39 AM
2018-02-09T00:38:45 BryanDavis (talk | contribs | block) changed group membership for Yuvipanda from cloud administrator, OAuth administrator, shell user and administrator to shell user (Removing rights per user request phab:T186289; glad to give any/all back at user request as well)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:50:05Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:54:20Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:56:22Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:57:09Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:57:22Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:58:14Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:59:17Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:00:02Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:00:40Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:01:16Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:01:57Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:02:34Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:03:14Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:03:56Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:04:37Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:06:01Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:06:57Z] <bd808> Removed TestingAccount2 at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:08:03Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:09:27Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:11:13Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:11:53Z] <bd808> Removed Yuvipanda at user request (T186289)

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:12:28Z] <bd808> Removed Yuvipanda at user request (T186289)

Change 407577 had a related patch set uploaded (by BryanDavis; owner: Yuvipanda):
[operations/puppet@production] Remove access for myself

https://gerrit.wikimedia.org/r/407577

@MoritzMuehlenhoff could you take care of removing @yuvipanda from the ops LDAP group? This ldif should do it, but I wasn't sure if that happening before the pending Puppet patch would cause problems anywhere:

T186289-remove-yuvi-from-admin.ldif
dn: cn=ops,ou=groups,dc=wikimedia,dc=org
changetype: modify
delete: member
member: uid=yuvipanda,ou=people,dc=wikimedia,dc=org

If you have time it would be awesome if you could handle the merge of https://gerrit.wikimedia.org/r/407577 as well.

Note: @yuvipanda is also in the cn=nda group. Yuvi is keeping his Toolforge admin rights, so having the NDA on file is important. I'm not sure if the LDAP nda group is actually used to track anything officially however or if it just used to grant access to various LDAP auth protected services. If it's only for the latter, then that membership can probably be revoked as well.

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T02:01:15Z] <bd808> Removed Yuvipanda at user request (T186289)

bd808 added a comment. Feb 9 2018, 2:05 AM

@yuvipanda, you are the only admin of the matrix and jupyter projects. It looks like maybe matrix can just be deleted. I'm not sure what to do about the jupyter one, please advise.

Also, do you want to be removed from the magic wmflabsdotorg project too?

Tgr added a subscriber: Tgr. Feb 9 2018, 2:33 AM

The matrix project might be useful for T186061: Evaluate Matrix / Riot.im (although I'm not sure if taking over / upgrading an existing installation would be less effort than setting up a new one, or that we even want to experiment with the hosted version of Matrix).

> @MoritzMuehlenhoff could you take care of removing @yuvipanda from the ops LDAP group?

I just did that.

> This ldif should do it, but I wasn't sure if that happening before the pending Puppet patch would cause problems anywhere:

BTW, you can also simply run "offboard-user -l yuvipanda" on terbium, it'll search for all privileged LDAP groups and create an LDIF for you. It even prints out the ldapmodify command to run.

> If you have time it would be awesome if you could handle the merge of https://gerrit.wikimedia.org/r/407577 as well.

Will do in a bit.

> Note: @yuvipanda is also in the cn=nda group. Yuvi is keeping his Toolforge admin rights, so having the NDA on file is important. I'm not sure if the LDAP nda group is actually used to track anything officially however or if it just used to grant access to various LDAP auth protected services. If it's only for the latter, then that membership can probably be revoked as well.

cn=nda controls the access to the PII-relevant web services listed at https://wikitech.wikimedia.org/wiki/LDAP_Groups; it's independent of whether someone has signed an NDA/MOU (some people, e.g., only have shell access to stat hosts and don't use LDAP services at all).

@yuvipanda, can you please confirm that you don't need access to any of those services below, then I'll also drop you from cn=ldap:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik
  • Hadoop Yarn
  • Druid's Pivot UI
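The offboarding step discussed in this thread (find every privileged LDAP group that still lists a uid as a member and emit one `delete: member` modify record per group, in the same LDIF shape as the attached T186289-remove-yuvi-from-admin.ldif) as an added example. It is not the `offboard-user` script from operations/puppet; the group data, the `cn=wmf` group, the other uids and the `ldapmodify` bind options are constructed assumptions.

```python
"""Generate an offboarding LDIF for one uid across privileged LDAP groups.

Added example, not the offboard-user tool. The group data below is a
constructed stand-in for what an ldapsearch over ou=groups would return.
"""
import sys

# Constructed sample: {group dn: [member dns]}. cn=ops and cn=nda come from
# the task; cn=wmf and uid=someoneelse are assumptions for illustration.
SAMPLE_GROUPS = {
    "cn=ops,ou=groups,dc=wikimedia,dc=org": [
        "uid=yuvipanda,ou=people,dc=wikimedia,dc=org",
        "uid=someoneelse,ou=people,dc=wikimedia,dc=org",
    ],
    "cn=nda,ou=groups,dc=wikimedia,dc=org": [
        "uid=yuvipanda,ou=people,dc=wikimedia,dc=org",
    ],
    "cn=wmf,ou=groups,dc=wikimedia,dc=org": [
        "uid=someoneelse,ou=people,dc=wikimedia,dc=org",
    ],
}
PRIVILEGED = {"ops", "nda", "wmf"}  # assumed list of groups worth auditing


def user_dn(uid):
    return f"uid={uid},ou=people,dc=wikimedia,dc=org"


def find_memberships(groups, uid):
    """DNs of privileged groups containing uid (DN comparison is case-insensitive)."""
    target = user_dn(uid).lower()
    hits = []
    for dn, members in groups.items():
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        if cn in PRIVILEGED and any(m.lower() == target for m in members):
            hits.append(dn)
    return sorted(hits)


def build_ldif(groups, uid):
    """One 'changetype: modify / delete: member' record per group, blank-line separated."""
    records = []
    for dn in find_memberships(groups, uid):
        records.append("\n".join([f"dn: {dn}", "changetype: modify",
                                  "delete: member", f"member: {user_dn(uid)}"]))
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    uid = sys.argv[1] if len(sys.argv) > 1 else "yuvipanda"
    print(build_ldif(SAMPLE_GROUPS, uid) or f"# {uid} is in no privileged group\n")
    # Bind DN is an assumption; -x/-D/-W/-f are standard OpenLDAP ldapmodify options.
    print(f"# ldapmodify -x -D <admin dn> -W -f T186289-remove-{uid}.ldif")
```

Running it with no argument prints the two records for yuvipanda (cn=nda, then cn=ops) followed by the ldapmodify command; an unknown uid yields only the "no privileged group" comment, which is the audit result you want to see after offboarding is complete.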

Change 407577 merged by Muehlenhoff:
[operations/puppet@production] Remove access for myself

https://gerrit.wikimedia.org/r/407577

Yuvi's shell access was removed via https://gerrit.wikimedia.org/r/407577 and I've also just removed him from the wmflabs.org root mail alias and from the cn=nda LDAP group.

@bd808, I think the task can be resolved?

bd808 closed this task as Resolved. Feb 14 2018, 12:14 AM

Let's call this done until @yuvipanda stumbles on something that we missed.