Page MenuHomePhabricator

Requesting access to production for SWAT deploy for Urbanecm
Closed, ResolvedPublicRequest

Tokens
"Like" token, awarded by Lucas_Werkmeister_WMDE."Like" token, awarded by Rxy."Like" token, awarded by hashar."Like" token, awarded by MarcoAurelio."Like" token, awarded by Dzahn."Like" token, awarded by Legoktm."Meh!" token, awarded by zeljkofilipin.
Assigned To
Authored By
Urbanecm, Apr 23 2018

Description

Username: Urbanecm@Wikitech, Martin Urbanec@SUL
Full name: Martin Urbanec
Preffered shell username: urbanecm
Project being worked on: I work on Wikimedia-Site-requests work. I'd like to have deploy access because it'll allow me to help site requests work even more. Namely, throttling rules and similar urgent things can be done without any deploy window if needed, but often it's problem to find a deployer. I'd be able to act on server-side upload requests as well and of course, help with SWAT as well. This will mean access to the deployment host (deploy1001 and naos for deploying, terbium for scripts/server-side uploads)

Experience for this shell access
As explained above, I write patches for site requests on regular basis and because of that I use SWAT windows quite often. I think I became quite familiar with deploy process, such as roughly what to do if I want to deploy a patch, how to purge a static file, how to run a script and why I should want this particular script to be run.

Outside site-requests work, I'm a sysadmin at Wikimedia Czech Republic and I take care about two MediaWiki instances and one self-developed expense-tracking Django app.

Of course, I'm going to learn new things and I'm aware of the importance to be careful and ask a second opinion.

Approvals

  • Approval for direct supervisor: I don't have currently one, I talked about requesting this rights with @zeljkofilipin.
  • Approval for project lead: this is to be asked to @greg

SSH key

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIArd1VWJLSPUzG+J758/6TtLeGNTWm2M4aNoaIZZdor urbanecm+wmnet@notebook

NDA
I had signed some NDA with WMF, not sure if a correct one.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - sudo/deployment requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations.
  • - Patchset for access request

Event Timeline

Urbanecm created this task.Apr 23 2018, 6:34 PM
Restricted Application added projects: Operations, User-Urbanecm. · View Herald TranscriptApr 23 2018, 6:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Urbanecm updated the task description. (Show Details)Apr 23 2018, 6:38 PM
Urbanecm moved this task from Backlog to Later on the User-Urbanecm board.Apr 23 2018, 6:51 PM
Urbanecm moved this task from Later to Watching on the User-Urbanecm board.
hashar added a subscriber: hashar.Apr 24 2018, 1:36 PM
herron triaged this task as Normal priority.

@ Urbanecm - for the NDA, I'll need an email address and a physical address. You can email me the details: rstallman@wikimedia.org
Thanks!

@ Urbanecm - for the NDA, I'll need an email address and a physical address. You can email me the details: rstallman@wikimedia.org
Thanks!

Emailed.

RobH updated the task description. (Show Details)Apr 30 2018, 4:58 PM
RobH added a subscriber: RobH.Apr 30 2018, 6:06 PM

@Urbanecm: Please note we'll also need you to review and agree/sign the L3 document on phabricator for production shell access. I've added a checklist, but it should only be checked off by SRE team folks. (You'll need to meet all the checklist requirements though.)

We'll likely get an update on this task from @RStallman-legalteam when legal has reviewed the NDA, then we'll just need your sponsorship approval by @zeljkofilipin, and approval for swat deployment access by both @greg (release engineering) and then in an SRE team meeting (every Monday).

RobH updated the task description. (Show Details)Apr 30 2018, 6:07 PM

I signed L3. There are some upcoming issues with the NDA, I hope they'll be resolved soon.

RobH closed this task as Declined.May 2 2018, 3:53 PM

discussion with user off task.

Vvjjkkii renamed this task from Requesting access to production for SWAT deploy for Urbanecm to xeeaaaaaaa.Jul 1 2018, 1:14 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii raised the priority of this task from Normal to High.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, Aklapper.
AfroThundr3007730 renamed this task from xeeaaaaaaa to Requesting access to production for SWAT deploy for Urbanecm.Jul 1 2018, 5:37 AM
AfroThundr3007730 closed this task as Declined.
AfroThundr3007730 lowered the priority of this task from High to Normal.
AfroThundr3007730 updated the task description. (Show Details)
Urbanecm reopened this task as Open.May 18 2019, 2:25 PM
Urbanecm added a project: User-Urbanecm.

Reopening after in-person discussion with @greg.

Urbanecm updated the task description. (Show Details)May 18 2019, 7:12 PM
Dzahn assigned this task to greg.Mon, May 20, 10:21 PM
Dzahn added a subscriber: Dzahn.

@greg So this is approved by you?

Urbanecm moved this task from Watching to Radar on the User-Urbanecm board.Tue, May 21, 5:07 PM
Urbanecm updated the task description. (Show Details)Tue, May 21, 5:12 PM
Urbanecm signed these changes with MFA.EditedTue, May 21, 5:17 PM

I hereby confirm authenticity of my SSH key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIArd1VWJLSPUzG+J758/6TtLeGNTWm2M4aNoaIZZdor urbanecm+wmnet@notebook).

Updated NDA for Urbanecm is fully signed and on file.

Urbanecm updated the task description. (Show Details)Tue, May 21, 8:52 PM
Dzahn updated the task description. (Show Details)Tue, May 21, 10:26 PM
Volans added a subscriber: Volans.Wed, May 22, 2:23 PM

Pending approval from sponsor (@zeljkofilipin ) and deployment group owner (@greg )

Rxy awarded a token.Thu, May 23, 1:06 PM
greg added a comment.Thu, May 23, 11:08 PM

Yup, +1. Thanks @Urbanecm. Now for some training with @zeljkofilipin :)

greg removed greg as the assignee of this task.

@Urbanecm is it ok to use the email you used to sign the NDA for the related patch in Puppet?
Keep in mind that that file is public.

@Urbanecm is it ok to use the email you used to sign the NDA for the related patch in Puppet?
Keep in mind that that file is public.

Yes, martin.urbanec@wikimedia.cz can definitely be used.

Change 512349 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] admin: enable shell access for urbanecm

https://gerrit.wikimedia.org/r/512349

Change 512349 merged by Volans:
[operations/puppet@production] admin: enable shell access for urbanecm

https://gerrit.wikimedia.org/r/512349

Addition to nda LDAP group will probably be needed, in order to be able to access logstash.

Change 512401 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] admin: add urbanecm to the deployment group

https://gerrit.wikimedia.org/r/512401

Change 512401 merged by Volans:
[operations/puppet@production] admin: add urbanecm to the deployment group

https://gerrit.wikimedia.org/r/512401

As per docs added Urbanecm to the wmf-deployment group in Gerrit.

I've added urbanecm to the LDAP group nda as per request above given that it's needed to check logstash during deployments.

It should be all done now. Leaving it open to allow @Urbanecm to check that everything works as expected with @zeljkofilipin in the next few days.
Feel free to resolve once all is verified.

Thanks! I'll resolve it after the first successful deployment.

Urbanecm assigned this task to Volans.Tue, May 28, 11:48 AM

I was able to deploy two patches without any problems, so I guess everything's working fine! Thanks!

Volans closed this task as Resolved.Tue, May 28, 11:50 AM
Volans removed a project: Patch-For-Review.

Glad to hear, resolving then.