Page MenuHomePhabricator

Please add aaron to perf-team
Closed, ResolvedPublic

Description

Aaron Schulz is on the Performance Team, but isn't part of our system groups. I'd like to request that his user (aaron) be added to both perf-team and perf-roots.

Thanks!

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform. - existing shell user 'aaron'
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - sudo requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations. - this request include sudo groups and will be included for review on the weekly (Monday) SRE team meeting.
  • - Patchset for access request - https://gerrit.wikimedia.org/r/#/c/454887/

Details

Related Gerrit Patches:
operations/puppet : productionadd aaron to perf-team and perf-roots groups

Event Timeline

Imarlier created this task.Aug 23 2018, 5:32 PM
Restricted Application added a project: Operations. · View Herald TranscriptAug 23 2018, 5:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
RobH triaged this task as Normal priority.Aug 23 2018, 6:45 PM
RobH updated the task description. (Show Details)

Change 454887 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add aaron to perf-team and perf-roots groups

https://gerrit.wikimedia.org/r/454887

RobH updated the task description. (Show Details)Aug 23 2018, 6:54 PM

Approved in SRE meeting.

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 10:23 AM

Change 454887 merged by ArielGlenn:
[operations/puppet@production] add aaron to perf-team and perf-roots groups

https://gerrit.wikimedia.org/r/454887

As soon as the user verifies that access works as expected, we can close this ticket.

Imarlier added a subscriber: aaron.Aug 28 2018, 2:16 PM

@aaron Can you verify that you have access to perf-team hosts (eg, webperf1001)?

Imarlier assigned this task to aaron.Aug 28 2018, 2:17 PM
aaron closed this task as Resolved.Aug 28 2018, 6:33 PM

Confirmed.

MoritzMuehlenhoff reopened this task as Open.Aug 29 2018, 6:59 AM

I don't understand this task. Aaron already had global root already, why is that needed at all?

As Moritz points out, we have a cron job that explicitly checks for duplicate permissions (modules/openldap/files/cross-validate-accounts.py) and it flagged this. So we need to remove one or the other set of these permissions.

@aaron and @Imarlier which set of permissions should we clean up?

Dzahn closed this task as Resolved.Aug 31 2018, 5:53 PM
Dzahn added a subscriber: Dzahn.

This has been answered on T202910#4544447 ff

This patch will remove him from global root:

https://gerrit.wikimedia.org/r/456663

We can close this ticket because membership in perf-team is done and confirmed and the remaining question is answered in the other ticket already. Would otherwise be duplicate discussion.