
grant thcipriani RelEng root on contint1001
Closed, Resolved (Public)

Description

Release Engineering has routinely needed root access on contint1001 during Pacific hours when @hashar is unavailable, and this need has only grown recently with continuing pipeline work.

I, @dduvall, nominate that @thcipriani be granted root on contint1001 as he is obscenely security minded and has the most careful and dutiful "enter" finger I have ever encountered. Thank you for your consideration.

Ops Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. - signed Feb 12 2015, 22:44
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform). - existing account, don't need this a second time.
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access; no shared keys). - paranoid check of the cloud key and production key shows they are indeed different
  • Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Sudo requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations.
  • Patchset for access request

Event Timeline

RobH renamed this task from "Request for one additional RelEng root on contint1001" to "grant thcipriani RelEng root on contint1001". Apr 4 2018, 6:25 PM
RobH updated the task description.
RobH updated the task description.

I authorize this as @greg's delegate while he's on vacation.

RobH subscribed.

I've updated the task description a bit, and included the checklist we require.

I'll also note that @thcipriani already has been trusted with sudo-level access on other parts of our infrastructure, so this isn't a wholly new level of responsibility. They also are included in: gerrit-admin, deployment, releasers-mediawiki, contint-admins, deploy-service, deploy-phabricator, labnet-users, & contint-docker.

It seems the request is to add to:

contint-roots:
  gid: 720
  description: users who have full root on jenkins servers
  members: [hashar]
  privileges: ['ALL = (ALL) NOPASSWD: ALL']

herron triaged this task as Medium priority. Apr 6 2018, 4:56 PM

@RobH indeed we are looking at adding Tyler to the contint-roots group. That grants root access on contint1001 and contint2001.

Historically I had it granted a while ago for debugging purposes (access to Apache access logs, strace on processes, live hacking Zuul/Jenkins for emergency fix-ups, moving files/fixing permissions). Well, all the low-level firefighting tasks. That has also been very helpful for doing package upgrades and thus slightly offloading SRE on that front.

Overall it is a good thing to have more than one person able to do routine tasks. That reduces the bus factor I am. Moreover, Dan and Tyler are sprinting on Blubber/Deployment Pipeline and I am only barely involved in that sprint.

I do trust Tyler in not messing up the servers and matching any manual change with a puppet counterpart.

This was approved at the Monday SRE meeting, so I'll work on creating a patch now.

Change 425094 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add thcipriani to contint-roots group

https://gerrit.wikimedia.org/r/425094

Change 425094 merged by Herron:
[operations/puppet@production] admin: add thcipriani to contint-roots group

https://gerrit.wikimedia.org/r/425094

herron claimed this task.

@thcipriani is now a member of contint-roots on contint1001.

contint1001:~$ getent group contint-roots
contint-roots:x:720:hashar,thcipriani