
Requesting access to shell (snapshot, dumpsdata) for springle
Closed, Resolved · Public · Request

Description

Username: springle
Full name: Sean Pringle
Key: https://phabricator.wikimedia.org/auth/sshkey/view/524/

Aim is to help out @ArielGlenn with dumps-related tasks. I understand this means only snapshot* and dumpsdata* shell access is required.

Have made separate contact with legal@ to ascertain the status of my old employee NDA, and update to a current volunteer NDA.

Ops Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. @Springle is currently working on this with legal.
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access; no shared keys).
  • Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff).
  • Non-sudo requests: 3 business day wait must pass with no objections being noted on the task.
  • Sudo requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations.
  • Patchset for access request

Event Timeline

Springle created this task. Apr 4 2018, 11:21 PM
Restricted Application added a project: Operations. Apr 4 2018, 11:21 PM
Restricted Application added a subscriber: Aklapper.
RobH updated the task description. Apr 4 2018, 11:32 PM
RobH triaged this task as Normal priority.

Updated to a non-wmf email in phabricator profile settings.

ArielGlenn updated the task description. Apr 5 2018, 11:47 AM

I suppose I'm the sponsor? If so, yes, I approve, for snapshot100x and dumpsdata100x access.

herron added a subscriber: herron. Apr 5 2018, 1:37 PM

Hey @ArielGlenn, in terms of the specific group access being requested, would this be membership to...

  • snapshot-admins for snapshot shell access and sudo privs to run as dumpsgen user and...
  • a new group (dumpsdata-admins?) for dumpsdata shell access? If so, would this group have sudo privs to run as dumpsgen as well?

I was thinking of not even having sudo access to the dumpsgen user initially, but setting up a scratch dir writeable by the user for testing purposes. All conf files and scripts are readable by the world so that would be no problem.

Sean's NDA is signed and filed with legal. Thanks!

ayounsi added a subscriber: ayounsi. Apr 9 2018, 9:46 PM
ArielGlenn updated the task description. Apr 10 2018, 9:10 AM
ArielGlenn updated the task description. Apr 10 2018, 12:25 PM

Key verified over google hangout.

Change 425263 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] Create group of normal users with snapshot/dumps host access, add springle

https://gerrit.wikimedia.org/r/425263

Not sure if the patchset gives access to the bastions, otherwise I think we're ok.

ArielGlenn updated the task description. Apr 10 2018, 1:25 PM
Dzahn added a subscriber: Dzahn. Apr 11 2018, 10:10 PM

> Not sure if the patchset gives access to the bastions, otherwise I think we're ok.

Checked that. It will add him on bastions as well, there is this:

hieradata/role/common/bastionhost/general.yaml

admin::groups:
  - all-users

--->

modules/admin/data/data.yaml

all-users:
  description: Global group that includes all users
  gid: 600
  members: [] # members get populated automagically

----->
modules/admin/manifests/init.pp

$base_data = loadyaml("${module_path}/data/data.yaml")
# Fill the all-users group with all active users
$data = add_all_users($base_data)

Dzahn added subscribers: mark, faidon.
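
The resolution chain traced in the comment above (role hiera `admin::groups` → `all-users` in data.yaml → `add_all_users` in init.pp), modelled as an added example that is not code from operations/puppet. The data, the non-bastion role names and the reading of "active" as `ensure: present` are assumptions made for the illustration.

```python
import copy

# Constructed sample data (not the real data.yaml). Only all-users (gid 600)
# and snapshot-users (gid 801, member springle) come from the task; the other
# group, users and gid are hypothetical.
DATA = {
    "groups": {
        "all-users": {"gid": 600, "members": []},  # filled in by add_all_users
        "snapshot-users": {"gid": 801, "members": ["springle"]},
        "example-admins": {"gid": 9001, "members": ["alice", "bob"]},
    },
    "users": {
        "springle": {"ensure": "present"},
        "alice": {"ensure": "present"},
        "bob": {"ensure": "absent"},  # deactivated account
    },
}

# Constructed per-role admin::groups lists; only the bastion entry is on the page.
ROLE_GROUPS = {
    "bastionhost/general": ["all-users"],
    "snapshot": ["snapshot-users"],
    "example": ["example-admins"],
}

def is_active(data, user):
    # Assumption: "active" means ensure: present.
    return data["users"].get(user, {}).get("ensure") == "present"

def add_all_users(data):
    """Return a copy of data with all-users holding every active user."""
    out = copy.deepcopy(data)
    out["groups"]["all-users"]["members"] = sorted(
        u for u in out["users"] if is_active(out, u))
    return out

def users_on_role(data, group_names):
    """Active users that get an account on a role applying these groups."""
    resolved = add_all_users(data)
    members = {m for g in group_names for m in resolved["groups"][g]["members"]}
    return sorted(m for m in members if is_active(resolved, m))

def roles_for_user(data, role_groups, user):
    """Roles on which the user ends up with an account."""
    return sorted(r for r, groups in role_groups.items()
                  if user in users_on_role(data, groups))

if __name__ == "__main__":
    for name in sorted(DATA["users"]):
        print(name, roles_for_user(DATA, ROLE_GROUPS, name))
```

Run against a real export of the group data, the same lookup answers the reviewer's question for any access patch: which roles a new account lands on beyond the group named in the request.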

@faidon @mark Since Monday is a US holiday, I guess there is no ops meeting, but I will be on duty next week. If you want to approve this for Sean, I can go ahead and resolve it.

Dzahn changed the task status from Open to Stalled. Apr 17 2018, 5:33 PM
faidon changed the task status from Stalled to Open. Apr 18 2018, 4:57 PM

Seems fine :) Welcome back Sean!

ArielGlenn updated the task description. Apr 18 2018, 5:10 PM
ayounsi removed a subscriber: ayounsi. Apr 18 2018, 5:12 PM

Change 425263 merged by Dzahn:
[operations/puppet@production] admin: Create group with snapshot/dumps host access, add springle

https://gerrit.wikimedia.org/r/425263

Dzahn added a comment. Apr 18 2018, 6:53 PM

compiled: http://puppet-compiler.wmflabs.org/10970/

on bast1002: Notice: /Stage[main]/Admin/Admin::Hashuser[springle]/Admin::User[springle]/User[springle]/ensure: created

on bast5001: Notice: /Stage[main]/Admin/Admin::Hashuser[springle]/Admin::User[springle]/User[springle]/ensure: created

on snapshot1005: Notice: /Stage[main]/Admin/Admin::Hashuser[springle]/Admin::User[springle]/User[springle]/ensure: created

on snapshot1001: Notice: /Stage[main]/Admin/Admin::Hashgroup[snapshot-users]/Admin::Group[snapshot-users]/Group[snapshot-users]/ensure: created

uid=3391(springle) gid=500(wikidev) groups=500(wikidev),801(snapshot-users)

etc...

@Springle ^ Welcome back :)

Check out the bastion page: https://wikitech.wikimedia.org/wiki/Bastion
Meanwhile we have some more, including the new bast5001.wikimedia.org in Singapore, which should be the best one for you in Australia now. But they should all work as soon as puppet has run. You can also find all the fingerprints on that page so you can actually verify on first connect.

This should resolve the ticket; let us know if there are any issues.

Dzahn closed this task as Resolved. Apr 18 2018, 6:54 PM
Dzahn claimed this task.