Page MenuHomePhabricator
Create Task
Maniphest T186289

Remove cloud-admin rights from YuviPanda
Closed, ResolvedPublic
Actions

Description

I'm doing an audit of access I have to various sensitive projects and removing myself to potentially reduce the amount of security precautions I have to take.

I think for now, I'd like to get all my wikimedia access revoked except for admin on ToolForge. I've opened https://gerrit.wikimedia.org/r/#/c/407577/ to remove my prod access, and this task to remove various LDAP bits / access I might have on cloud.

Details

SubjectRepoBranchLines +/-
Remove access for myselfoperations/puppetproduction+12 -12
Customize query in gerrit

Related Objects

Event Timeline

yuvipanda created this task.Feb 2 2018, 1:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 2 2018, 1:17 AM
MarcoAurelio edited projects, added wikitech.wikimedia.org; removed Cloud-Services.Feb 2 2018, 11:38 AM
MarcoAurelio subscribed.Feb 2 2018, 11:40 AM

As for wikitech, any user from https://wikitech.wikimedia.org/wiki/Special:ListUsers?group=cloudadmin can do that.

bd808 claimed this task.Feb 9 2018, 12:35 AM
bd808 triaged this task as Medium priority.
bd808 added a project: cloud-services-team (Kanban).
bd808 added a comment.Feb 9 2018, 12:39 AM
2018-02-09T00:38:45 BryanDavis (talk | contribs | block) changed group membership for Yuvipanda from cloud administrator, OAuth administrator, shell user and administrator to shell user (Removing rights per user request phab:T186289; glad to give any/all back at user request as well)
Stashbot subscribed.Feb 9 2018, 12:50 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:50:05Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:54 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:54:20Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:56 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:56:22Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:57 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:57:09Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:57 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:57:22Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:58 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:58:14Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 12:59 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T00:59:17Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:00 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:00:02Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:00 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:00:40Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:01 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:01:16Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:01 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:01:57Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:02 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:02:34Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:03 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:03:14Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:03 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:03:56Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:04 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:04:37Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:06 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:06:01Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:06 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:06:57Z] <bd808> Removed TestingAccount2 at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:08 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:08:03Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:09 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:09:27Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:11 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:11:13Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:11 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:11:53Z] <bd808> Removed Yuvipanda at user request (T186289)

Stashbot added a comment.Feb 9 2018, 1:12 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T01:12:28Z] <bd808> Removed Yuvipanda at user request (T186289)

gerritbot subscribed.Feb 9 2018, 1:27 AM

Change 407577 had a related patch set uploaded (by BryanDavis; owner: Yuvipanda):
[operations/puppet@production] Remove access for myself

https://gerrit.wikimedia.org/r/407577

gerritbot added a project: Patch-For-Review.Feb 9 2018, 1:27 AM
bd808 added a subscriber: MoritzMuehlenhoff.Feb 9 2018, 1:33 AM

@MoritzMuehlenhoff could you take care of removing @yuvipanda from the ops LDAP group? This ldif should do it, but I wasn't sure if that happening before the pending Puppet patch would cause problems anywhere:

T186289-remove-yuvi-from-admin.ldif
dn: cn=ops,ou=groups,dc=wikimedia,dc=org
changetype: modify
delete: member
member: uid=yuvipanda,ou=people,dc=wikimedia,dc=org

If you have time it would be awesome if you could handle the merge of https://gerrit.wikimedia.org/r/407577 as well.

Note: @yuvipanda is also in the cn=nda group. Yuvi is keeping his Toolforge admin rights, so having the NDA on file is important. I'm not sure if the LDAP nda group is actually used to track anything officially however or if it just used to grant access to various LDAP auth protected services. If it's only for the latter, then that membership can probably be revoked as well.

Stashbot added a comment.Feb 9 2018, 2:01 AM

Mentioned in SAL (#wikimedia-cloud) [2018-02-09T02:01:15Z] <bd808> Removed Yuvipanda at user request (T186289)

bd808 added a comment.Feb 9 2018, 2:05 AM

@yuvipanda, you are the only admin of the matrix and jupyter projects. It looks like maybe matrix can just be deleted. I'm not sure what to do about the jupyter one, please advise.

Also, do you want to be removed from the magic wmflabsdotorg project too?

bd808 mentioned this in T186845: Display project name in SAL messages posted to Phabricator.Feb 9 2018, 2:09 AM
Tgr subscribed.Feb 9 2018, 2:33 AM

The matrix project might be useful for T186061: Evaluate Matrix / Element as the recommended chat system for Wikimedia (although I'm not sure if taking over / upgrading an existing installation would be less effort than setting up a new one, or that we even want to experiment with the hosted version of Matrix).

MoritzMuehlenhoff added a comment.Feb 9 2018, 8:04 AM
In T186289#3957262, @bd808 wrote:

@MoritzMuehlenhoff could you take care of removing @yuvipanda from the ops LDAP group?

I just did that.

This ldif should do it, but I wasn't sure if that happening before the pending Puppet patch would cause problems anywhere:

BTW, you can also simply run "offboard-user -l yuvipanda" on terbium, it'll search for all privileged LDAP groups and create an LDIF for you. I even prints out the ldapmodify command to run.

If you have time it would be awesome if you could handle the merge of https://gerrit.wikimedia.org/r/407577 as well.

Will do in a bit.

Note: @yuvipanda is also in the cn=nda group. Yuvi is keeping his Toolforge admin rights, so having the NDA on file is important. I'm not sure if the LDAP nda group is actually used to track anything officially however or if it just used to grant access to various LDAP auth protected services. If it's only for the latter, then that membership can probably be revoked as well.

cn=nda controls the access to the PII-relevant web services listed at https://wikitech.wikimedia.org/wiki/LDAP_Groups, it's independant of whether someone has signed an NDA/MOU (some people only have shell access to stat hosts e.g. and don't use LDAP services at all).

@yuvipanda, can you please confirm that you don't need access to any of those services below, then I'll also drop you from cn=ldap:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik
  • Hadoop Yarn
  • Druid's Pivot UI
MarcoAurelio unsubscribed.Feb 9 2018, 9:33 AM
gerritbot added a comment.Feb 12 2018, 9:56 AM

Change 407577 merged by Muehlenhoff:
[operations/puppet@production] Remove access for myself

https://gerrit.wikimedia.org/r/407577

MoritzMuehlenhoff added a comment.Feb 13 2018, 9:48 AM

Yuvi's shell access was removed via https://gerrit.wikimedia.org/r/407577 and I've also just removed him from the wmflabs.org root mail alias and from the cn=nda LDAP group.

@bd808, I think the task can be resolved?

bd808 closed this task as Resolved.Feb 14 2018, 12:14 AM

Let's call this done until @yuvipanda stumbles on something that we missed.

bd808 moved this task from Inbox to Done on the cloud-services-team (Kanban) board.Mar 19 2018, 9:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits