Requesting access to restricted production access and analytics-privatedata-users for Samuel Guebo
Closed, Resolved · Public · Request

Description

Username: sguebo (also ldap account and Samuel (WMF) on wikitech)
Full name: Samuel Guebo
SSH Key: ssh-rsa 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

I'd like to request access for @sguebo_WMF to what I believe will be the restricted group and analytics-privatedata-users (the same that I have). Trust and Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). Many of our workflows (including these ones) have been increasing and the only two people on our team with access are myself and Joe Sutherland. This has caused some major bottleneck issues at times and we want to expand the available people within our team to include other members of the T&S Operations team which includes Samuel. He also has experience as a developer which will be helpful with some of our rarer situations such as running election

Specifically some of the workflows he needs to be able to do (and I believe needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • To remove 2FA for users who have lost their backup codes (after identity verification)
    • To add or reset user email addresses when locked out of their account (again after identity verification)
    • To permanently remove illegal images from the servers
  • Look up private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Samuel has already signed L3. @JanWMF is our people manager and I'll have him comment here in support. As always please let me know if any issues or questions.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • non-sudo requests: 3 business day wait must pass with no objections being noted on the task. 3 business day wait ends on Friday, 2018-08-24.
  • Patchset for access request. 2 patches, one to add user, another to add to groups: https://gerrit.wikimedia.org/r/#/c/454578/ & https://gerrit.wikimedia.org/r/#/c/454581/

Event Timeline

Restricted Application added a project: Operations. · Aug 21 2018, 8:33 AM
Restricted Application added a subscriber: Aklapper.
Jalexander updated the task description. · Aug 21 2018, 8:41 AM
RobH assigned this task to sguebo_WMF. · Aug 21 2018, 7:40 PM
RobH moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.
RobH added a subscriber: RobH.

So, here is my problem with this task. It appears that @Jalexander provided the public SSH key for @sguebo_WMF into the task description when he made it. I don't see any update to the task description until I pasted in the checklist, which is why I assume that @Jalexander pasted in the key.

This is not an acceptable means of verifying that the ssh key provided actually belongs to @sguebo_WMF . So, this cannot be finished processing until the SSH key is provided. Once @sguebo_WMF (NOT ANYONE ELSE) logs in and comments on this task, pasting their public ssh key, we can process it.

Apologies, but having party A provide the ssh key that supposedly belongs to party B just isn't good security practice. It is not personal, it is simply our policy. (This is not a personal attack on @Jalexander, whom I trust and have worked with for years!)

I'll prepare the patchsets and simply not include the ssh key for now.

RobH triaged this task as Normal priority. · Aug 21 2018, 10:22 PM

Hi @RobH, I hereby confirm that I am the one who generated the key below:
ssh-rsa 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

Change 454578 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding user Samuel Guebo to admin module

https://gerrit.wikimedia.org/r/454578

RobH removed sguebo_WMF as the assignee of this task. · Aug 22 2018, 4:01 PM
RobH updated the task description.
RobH moved this task from Awaiting User Input to 3 Business Day Wait on the SRE-Access-Requests board.

Change 454581 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding user Samuel Guebo to admin module

https://gerrit.wikimedia.org/r/454581

RobH updated the task description. · Aug 22 2018, 4:05 PM
RobH updated the task description.
RobH updated the task description. · Aug 23 2018, 3:56 PM

I neglected to note restricted is a sudo group, and thus this will require approval in our weekly SRE meeting (next Monday.)

RobH added a comment. · Aug 27 2018, 5:58 PM

This was approved in today's SRE team meeting.

Change 454578 merged by RobH:
[operations/puppet@production] adding user Samuel Guebo to admin module

https://gerrit.wikimedia.org/r/454578

Change 454581 abandoned by RobH:
adding user Samuel Guebo to groups in the admin module

https://gerrit.wikimedia.org/r/454581

Change 455613 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding sguebo to restricted and analytics-privatedata-users

https://gerrit.wikimedia.org/r/455613

Change 455613 merged by ArielGlenn:
[operations/puppet@production] adding sguebo to restricted and analytics-privatedata-users

https://gerrit.wikimedia.org/r/455613

ArielGlenn updated the task description. · Aug 28 2018, 8:51 AM

As soon as the user verifies that access works as expected, we can close this ticket.

Hi @ArielGlenn, the access works just fine. Thanks!

Dzahn closed this task as Resolved. · Aug 31 2018, 5:37 PM
Dzahn claimed this task.
Dzahn added a subscriber: Dzahn.

Thanks for confirming.

Dzahn reassigned this task from Dzahn to ArielGlenn. · Aug 31 2018, 5:37 PM