Page MenuHomePhabricator

Give thiemowmde permission to upload wikidiff2 releases (releasers-wikidiff2)
Closed, ResolvedPublic

Description

@thiemowmde (realname: Thiemo Kreuz) will be partly taking over release manager duties for wikidiff2 from me, and will need access to upload tarballs to releases.wikimedia.org. Note that the "releasers-wikidiff2" group doesn't exist yet, it's being created as part of T202473.

As far as I can tell, Thiemo doesn't have a shell account yet, so they'll need to follow the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff) - in this case @Legoktm approval for hand off of some responsibilties
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

Details

Related Gerrit Patches:
operations/puppet : productionadd thiemowmde to releasers-wikidiff2
operations/puppet : productionadd thiemowmde to shell users

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptAug 22 2018, 12:26 AM
Addshore awarded a token.
RobH updated the task description. (Show Details)Aug 22 2018, 10:48 PM
RobH assigned this task to thiemowmde.Aug 22 2018, 10:56 PM
RobH triaged this task as Normal priority.
RobH added subscribers: RStallman-legalteam, RobH.

Please note that @thiemowmde will need to provide/work on some further steps for us to process this request:

We have your username as thiemowmde (from your wikitech account) and know what group you need (releasers-wikidiff2 per T202473). However, we need a few more things from you:

  • Please coordinate with WMDE and WMF Legal (typically @RStallman-legalteam) to have a signed NDA on file with us. (This is required for ALL shell access requests.)
  • Please review and sign the L3 document.
    • Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Once we have that info/NDA on file for you, we should be able to move forward with this request.

RobH updated the task description. (Show Details)Aug 22 2018, 10:56 PM
thiemowmde updated the task description. (Show Details)Aug 23 2018, 7:33 AM

I struggle a bit with the SSH key request, as I would like to reduce the complexity to manage all this as much as I can. Can I reuse the SSH key I already use for all Wikitech stuff (Gerrit and so on)? I mean, I would store both in the same place anyway. What is the benefit of creating a new one?

@thiemowmde No, it is explicitly said above: "This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)". Wikitech IS WMCS access.

  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.
  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

I would highly appreciate a language more people are able to understand, if that's possible. Avoiding abbreviations is always a good start. Thank you.

And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

Gehel added a subscriber: Gehel.Aug 23 2018, 9:10 AM
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.

WMCS is mostly what was formerly known as "Labs". Labs was confusing for multiple reasons, hence the rename. And yes, WMCS is probably confusing as well, hopefully a little less. Naming is hard. Some of the rational is documented.

  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?

Cloud is a confusing name in itself. In this context, it is mostly about on-demand self-service VMs. Production is mostly on real hardware, with no self-service capabilities, so production is NOT cloud for most definition of cloud. This might change and WMCS might become more confusing in the future.

  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.

Wikimedia Cloud Services, all the services operated by https://www.mediawiki.org/wiki/Wikimedia_Cloud_Services_team

  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?

Toolforge and all the VPS instances provided by the WMCS team (e.g. deployment-prep or generally anything that has a .wmflabs domain)

And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

WMCS allows SSH agent forwarding and a malicious privileged user in WMCS can connect to our forwarded agent socket and connect to production on your behalf.

You should also run separate SSH agents, the setup is explained in https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents

dcausse added a subscriber: dcausse.EditedAug 23 2018, 9:15 AM

[redundant comment]

Addshore added a comment.EditedAug 23 2018, 9:18 AM
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

Sounds like the wording in L3 could be improved slightly there, or services like Gerrit also mentioned explicitly.

dcausse removed a subscriber: dcausse.Aug 23 2018, 9:22 AM
Joe added a subscriber: Joe.EditedAug 23 2018, 9:22 AM
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.
  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

I would highly appreciate a language more people are able to understand, if that's possible. Avoiding abbreviations is always a good start. Thank you.
And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

Hi Thiemo!

I'd first start with explaining the SSH part:
most of us use separate ssh agents to connect to production and "cloud services", you can find instructions to set it up here https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents, so there is indeed an added security layer, especially given how lax access rules are on our VMs.

About the L3 document: it needs to be amended, I'll ping @RobH later about it - it should name Cloud Services, not labs.

Then regarding the rest of your comment: I do agree that excessive usage of acronyms is to be discouraged; however, I'm pretty sure that reading https://wikitech.wikimedia.org/wiki/Production_shell_access would have removed your doubts easily. But more importantly: criticism is anyways better received when not expressed angrily, and in proper places - a ticket where access is requested is definitely not the place to discuss our access policies, IMHO.

About the L3 document: it needs to be amended, I'll ping @RobH later about it - it should name Cloud Services, not labs.

I filed T202617 about that.

jijiki added a subscriber: jijiki.Aug 23 2018, 12:08 PM
RobH added a comment.Aug 23 2018, 4:18 PM

Ok, I've gone ahead and updated the L3 per the instructions on T202617. So that should eliminate the earlier confusion.

@thiemowmde:

I struggle a bit with the SSH key request, as I would like to reduce the complexity to manage all this as much as I can. Can I reuse the SSH key I already use for all Wikitech stuff (Gerrit and so on)? I mean, I would store both in the same place anyway. What is the benefit of creating a new one?

As others have already pointed out, this needs to be a dedicated key for just Wikimedia Production shell access. We revoke access if we see the key in use anywhere else.

We'll need you to go ahead and handle the following:

  • - provide a public ssh key for use in wikimedia production shell access
  • - sign an NDA with Wikimedia Legal (all shell requests require an NDA on file.)

Just seeing this now, as I was on vacation last week. @thiemowmde: I'll set up the NDA for you to sign through our contracts software and email you directly. Thanks!

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCopJe4A8f90fa+Y0GYwvw1k/UaWNvWRNJ9m+ym7GXoMDpVYELQAdeYm52ApG/UsQh3q05vIOGJf/peD5I7gxO4k7y9pY7wa7U9E8RWoFZDwAbyp7zXQEIWOoPP1ZqL+sJrML35duzr7tGc1ap4QPt5Arehvi22sNBVVmdU+JZhPeBZ2gT9qcf1ss0m3/TsSJyIC9PpFYAGxQE5QDLXwAolm2Eq9LSqYu4kC50SuNSihy8xsTTtBHo6l3Vmdl2XXPHdxc5qVAC+ojw/uqNLVYhc0V+avozTP9L1EapvF+/g6agwmjpfx5MEO70upz9f00uKHm12qx2BKRQlS0Mq1czOc+RqmzGoYfPGkfhqRUh2EVbum3lGV8KXs8hPuhqBQbfWLfSEZ+6p/ys9a4EsARsEChuqMKA1MTi/AAp4W4AXbw5ut/Jc9XYrG1z8RkuY8KFf71y2uvW0JY3bs118h9RwryQQp7xHB+xWRwFS2PTlPABSSg+nDKdPF786Y0cMlUpetwEdmqQZfz9s7JUUIGYJLN08Y7RdTw3pir3Fr02MvbDPUeuPbHPW6w7EEIiyaejB/SYjJgn9XbMtMYx03oKDygtKznpwinxlGH0MmS6F8IE7oILSOWGNMgmLYbLcKkpx6M977rfud0g/a5PionT+Z1O8npyPL2aEPqPEwauV1Q== thiemo.kreuz@wikimedia.de

The NDA is now signed and on file with legal.

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:48 PM
ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:50 PM
ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:55 PM

Change 455882 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] add thiemowmde to shell users

https://gerrit.wikimedia.org/r/455882

Change 455882 merged by ArielGlenn:
[operations/puppet@production] add thiemowmde to shell users

https://gerrit.wikimedia.org/r/455882

Change 455885 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] add thiemowmde to releasers-wikidiff2

https://gerrit.wikimedia.org/r/455885

Change 455885 merged by ArielGlenn:
[operations/puppet@production] add thiemowmde to releasers-wikidiff2

https://gerrit.wikimedia.org/r/455885

In about 30 minutes this change should be live. After that, we will just be waiting for the user to verify that access works as expected, and then this can be closed.

Hey @thiemowmde please let us know that uploads work for you, and we'll close this task.

@thiemowmde Does the access work for you?

RobH closed this task as Resolved.Sep 18 2018, 4:33 PM

This has sat pending @thiemowmde's acknowledgement of access. However, since it likely is fine, I'm resolving this.

@thiemowmde: if your access isnt working feel free to reopen this task.