
+2 for Addshore on operations/puppet
Closed, Declined · Public

Description

I'd like to nominate @Addshore for +2 on operations/puppet

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jul 11 2018, 12:48 PM

+2 rights on deployment-related repos are tightly entangled with the related production rights (for example, a person with +2 rights on the mediawiki-config repo must be a deployer, otherwise the +2 right is useless and does more harm than good). This is the case with operations/puppet as well. The person holding the +2 right must be a member of the ops LDAP group, otherwise there is basically nothing (s)he can do or react in case of mistakes, which can cause downtime for half an hour (the time it takes to re-run puppet config automatically). And since this right involves sudo rights on everything and access to the only private repo we have in prod (passwords of node, SSL certificates, etc.), very, very few people have it, basically WMF SREs. I would love WMDE to have SRE, but that's something else.

+2 on operations/puppet does not make much sense if one cannot deploy by oneself (in fact, it would be a bad thing, as it would block other deployments). Not opposed to it, but the request for +2 should come with global root rights, as puppet == root access, so on its own this would not make much sense. Feel free to disagree.

+2 on ops/puppet is associated with being a global root in Wikimedia (https://tools.wmflabs.org/ldap/group/ops). Without a pressing/convincing need, I doubt it will be granted.

Restricted Application added a project: Operations. · Jul 11 2018, 3:13 PM

@Jonas +2 permissions on ops/puppet would be equivalent to root access across the complete production cluster (as it would e.g. allow merging arbitrary SSH keys etc.). I doubt that's intended here? More generally speaking, this access request lacks a clear rationale for the permission change; see https://wikitech.wikimedia.org/wiki/Production_shell_access#Additional_permissions_for_existing_users for some outline of the process.

To elaborate on that ("access request lacks a clear rationale"): access requests (or many other tickets) are meant to solve a problem, not just provide a solution. Maybe we can help with the original problem you are trying to solve?

Jonas closed this task as Declined. · Jul 12 2018, 3:42 PM