Page MenuHomePhabricator
Create Task
Maniphest T202476

Give thiemowmde permission to upload wikidiff2 releases (releasers-wikidiff2)
Closed, ResolvedPublic
Actions

Description

@thiemowmde (realname: Thiemo Kreuz) will be partly taking over release manager duties for wikidiff2 from me, and will need access to upload tarballs to releases.wikimedia.org. Note that the "releasers-wikidiff2" group doesn't exist yet, it's being created as part of T202473.

As far as I can tell, Thiemo doesn't have a shell account yet, so they'll need to follow the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff) - in this case @Legoktm approval for hand off of some responsibilties
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

Details

SubjectRepoBranchLines +/-
add thiemowmde to releasers-wikidiff2operations/puppetproduction+1 -1
add thiemowmde to shell usersoperations/puppetproduction+9 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Aug 22 2018, 12:25 AM
Legoktm added a subtask: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.
Legoktm added a project: SRE-Access-Requests.
Restricted Application added a project: SRE. · View Herald TranscriptAug 22 2018, 12:26 AM
Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.Aug 22 2018, 10:14 AM
Addshore awarded a token.
Dzahn closed subtask T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki as Resolved.Aug 22 2018, 9:58 PM
Dzahn removed a subtask: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.Aug 22 2018, 10:01 PM
Dzahn added a parent task: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.
RobH updated the task description. (Show Details)Aug 22 2018, 10:48 PM
RobH assigned this task to thiemowmde.Aug 22 2018, 10:56 PM
RobH triaged this task as Medium priority.
RobH moved this task from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.
RobH added subscribers: RStallman-legalteam, RobH.

Please note that @thiemowmde will need to provide/work on some further steps for us to process this request:

We have your username as thiemowmde (from your wikitech account) and know what group you need (releasers-wikidiff2 per T202473). However, we need a few more things from you:

  • Please coordinate with WMDE and WMF Legal (typically @RStallman-legalteam) to have a signed NDA on file with us. (This is required for ALL shell access requests.)
  • Please review and sign the L3 document.
    • Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Once we have that info/NDA on file for you, we should be able to move forward with this request.

RobH updated the task description. (Show Details)Aug 22 2018, 10:56 PM
thiemowmde updated the task description. (Show Details)Aug 23 2018, 7:33 AM
thiemowmde added a comment.Aug 23 2018, 7:37 AM

I struggle a bit with the SSH key request, as I would like to reduce the complexity to manage all this as much as I can. Can I reuse the SSH key I already use for all Wikitech stuff (Gerrit and so on)? I mean, I would store both in the same place anyway. What is the benefit of creating a new one?

jcrespo subscribed.Aug 23 2018, 7:40 AM

@thiemowmde No, it is explicitly said above: "This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)". Wikitech IS WMCS access.

thiemowmde added a comment.Aug 23 2018, 8:57 AM
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.
  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

I would highly appreciate a language more people are able to understand, if that's possible. Avoiding abbreviations is always a good start. Thank you.

And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

Gehel subscribed.Aug 23 2018, 9:10 AM
In T202476#4525961, @thiemowmde wrote:
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.

WMCS is mostly what was formerly known as "Labs". Labs was confusing for multiple reasons, hence the rename. And yes, WMCS is probably confusing as well, hopefully a little less. Naming is hard. Some of the rational is documented.

  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?

Cloud is a confusing name in itself. In this context, it is mostly about on-demand self-service VMs. Production is mostly on real hardware, with no self-service capabilities, so production is NOT cloud for most definition of cloud. This might change and WMCS might become more confusing in the future.

MoritzMuehlenhoff subscribed.Aug 23 2018, 9:15 AM
In T202476#4525961, @thiemowmde wrote:
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.

Wikimedia Cloud Services, all the services operated by https://www.mediawiki.org/wiki/Wikimedia_Cloud_Services_team

  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?

Toolforge and all the VPS instances provided by the WMCS team (e.g. deployment-prep or generally anything that has a .wmflabs domain)

And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

WMCS allows SSH agent forwarding and a malicious privileged user in WMCS can connect to our forwarded agent socket and connect to production on your behalf.

You should also run separate SSH agents, the setup is explained in https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents

dcausse subscribed.EditedAug 23 2018, 9:15 AM

[redundant comment]

Addshore added a comment.EditedAug 23 2018, 9:18 AM
In T202476#4525961, @thiemowmde wrote:
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

Sounds like the wording in L3 could be improved slightly there, or services like Gerrit also mentioned explicitly.

dcausse unsubscribed.Aug 23 2018, 9:22 AM
Joe subscribed.EditedAug 23 2018, 9:22 AM
In T202476#4525961, @thiemowmde wrote:
  • I don't know what "WMCS" stands for, despite working with Wikimedia infrastructure for about a decade.
  • I find it hard to tell what the "cloud" in "WMF cloud services" includes. Aren't the production servers also in some kind of "cloud"? Isn't everything in the "cloud" nowadays? What's the meaning of this word?
  • L3 states to use different keys for "production" and "labs", but does not explain what "labs" includes. Gerrit, for example, is not on wmflabs.org but on wikimedia.org. Does this still count as being part of "labs"?

I would highly appreciate a language more people are able to understand, if that's possible. Avoiding abbreviations is always a good start. Thank you.

And again, what's the benefit if the two are stored in the same key pass anyway? (Something I assume most people do.)

Hi Thiemo!

I'd first start with explaining the SSH part:
most of us use separate ssh agents to connect to production and "cloud services", you can find instructions to set it up here https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents, so there is indeed an added security layer, especially given how lax access rules are on our VMs.

About the L3 document: it needs to be amended, I'll ping @RobH later about it - it should name Cloud Services, not labs.

Then regarding the rest of your comment: I do agree that excessive usage of acronyms is to be discouraged; however, I'm pretty sure that reading https://wikitech.wikimedia.org/wiki/Production_shell_access would have removed your doubts easily. But more importantly: criticism is anyways better received when not expressed angrily, and in proper places - a ticket where access is requested is definitely not the place to discuss our access policies, IMHO.

Aklapper mentioned this in T202617: Update terms "Labs" and "Operations" in L3.Aug 23 2018, 10:54 AM
In T202476#4526037, @Joe wrote:

About the L3 document: it needs to be amended, I'll ping @RobH later about it - it should name Cloud Services, not labs.

I filed T202617 about that.

jijiki subscribed.Aug 23 2018, 12:08 PM
RobH added a comment.Aug 23 2018, 4:18 PM

Ok, I've gone ahead and updated the L3 per the instructions on T202617. So that should eliminate the earlier confusion.

@thiemowmde:

In T202476#4525808, @thiemowmde wrote:

I struggle a bit with the SSH key request, as I would like to reduce the complexity to manage all this as much as I can. Can I reuse the SSH key I already use for all Wikitech stuff (Gerrit and so on)? I mean, I would store both in the same place anyway. What is the benefit of creating a new one?

As others have already pointed out, this needs to be a dedicated key for just Wikimedia Production shell access. We revoke access if we see the key in use anywhere else.

We'll need you to go ahead and handle the following:

  • - provide a public ssh key for use in wikimedia production shell access
  • - sign an NDA with Wikimedia Legal (all shell requests require an NDA on file.)
RStallman-legalteam added a comment.Aug 27 2018, 10:14 PM

Just seeing this now, as I was on vacation last week. @thiemowmde: I'll set up the NDA for you to sign through our contracts software and email you directly. Thanks!

thiemowmde added a comment.Aug 28 2018, 1:00 PM

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCopJe4A8f90fa+Y0GYwvw1k/UaWNvWRNJ9m+ym7GXoMDpVYELQAdeYm52ApG/UsQh3q05vIOGJf/peD5I7gxO4k7y9pY7wa7U9E8RWoFZDwAbyp7zXQEIWOoPP1ZqL+sJrML35duzr7tGc1ap4QPt5Arehvi22sNBVVmdU+JZhPeBZ2gT9qcf1ss0m3/TsSJyIC9PpFYAGxQE5QDLXwAolm2Eq9LSqYu4kC50SuNSihy8xsTTtBHo6l3Vmdl2XXPHdxc5qVAC+ojw/uqNLVYhc0V+avozTP9L1EapvF+/g6agwmjpfx5MEO70upz9f00uKHm12qx2BKRQlS0Mq1czOc+RqmzGoYfPGkfhqRUh2EVbum3lGV8KXs8hPuhqBQbfWLfSEZ+6p/ys9a4EsARsEChuqMKA1MTi/AAp4W4AXbw5ut/Jc9XYrG1z8RkuY8KFf71y2uvW0JY3bs118h9RwryQQp7xHB+xWRwFS2PTlPABSSg+nDKdPF786Y0cMlUpetwEdmqQZfz9s7JUUIGYJLN08Y7RdTw3pir3Fr02MvbDPUeuPbHPW6w7EEIiyaejB/SYjJgn9XbMtMYx03oKDygtKznpwinxlGH0MmS6F8IE7oILSOWGNMgmLYbLcKkpx6M977rfud0g/a5PionT+Z1O8npyPL2aEPqPEwauV1Q== thiemo.kreuz@wikimedia.de

RStallman-legalteam added a comment.Aug 28 2018, 5:46 PM

The NDA is now signed and on file with legal.

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:48 PM
ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:50 PM
ArielGlenn updated the task description. (Show Details)Aug 28 2018, 5:55 PM
gerritbot subscribed.Aug 28 2018, 6:05 PM

Change 455882 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] add thiemowmde to shell users

https://gerrit.wikimedia.org/r/455882

gerritbot added a project: Patch-For-Review.Aug 28 2018, 6:05 PM
gerritbot added a comment.Aug 28 2018, 6:15 PM

Change 455882 merged by ArielGlenn:
[operations/puppet@production] add thiemowmde to shell users

https://gerrit.wikimedia.org/r/455882

gerritbot added a comment.Aug 28 2018, 6:18 PM

Change 455885 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] add thiemowmde to releasers-wikidiff2

https://gerrit.wikimedia.org/r/455885

gerritbot added a comment.Aug 28 2018, 6:20 PM

Change 455885 merged by ArielGlenn:
[operations/puppet@production] add thiemowmde to releasers-wikidiff2

https://gerrit.wikimedia.org/r/455885

ArielGlenn subscribed.Aug 28 2018, 6:21 PM

In about 30 minutes this change should be live. After that, we will just be waiting for the user to verify that access works as expected, and then this can be closed.

ArielGlenn moved this task from Manager/NDA Approval/Confirmation to user confirm on the SRE-Access-Requests board.Aug 28 2018, 6:22 PM
ArielGlenn added a comment.Sep 3 2018, 7:52 AM

Hey @thiemowmde please let us know that uploads work for you, and we'll close this task.

MoritzMuehlenhoff added a comment.Sep 10 2018, 2:50 PM

@thiemowmde Does the access work for you?

RobH closed this task as Resolved.Sep 18 2018, 4:33 PM

This has sat pending @thiemowmde's acknowledgement of access. However, since it likely is fine, I'm resolving this.

@thiemowmde: if your access isnt working feel free to reopen this task.

Addshore moved this task from Watching 👀 to Closing ✔️ on the User-Addshore board.Sep 20 2018, 1:09 PM
WMDE-leszek mentioned this in T358578: Add WMDE staff who have signed the NDA with the WMF to the WMF-NDA phabricator policy group.Feb 27 2024, 12:55 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 27 2024, 1:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits