Page MenuHomePhabricator
Create Task
Maniphest T203561

Remove user "albe" from the wmde LDAP group
Closed, ResolvedPublic
Actions

Description

The person using the account is no longer doing engineering tasks on WMF infrastructure, neither is supposed to have write access to WMDE's repositories on Gerrit, hence please remove this user from wmde group.
I have removed the user from all ldap groups related to wikitech/horizon projects. "wmde" seems to be generally the only group remaining (not sure about the "nda" group actually, please advise if you know something about it), according to: https://tools.wmflabs.org/ldap/user/albe

I am Aleksey's line manager at WMDE (which can be verified at https://www.wikimedia.de/wiki/Mitarbeitende).

Hopefully that is enough information need to handle the action requested.

Details

SubjectRepoBranchLines +/-
admins: remove albe from ldap_admins, add to absent groupoperations/puppetproduction+2 -2
Customize query in gerrit

Event Timeline

WMDE-leszek created this task.Sep 5 2018, 12:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 5 2018, 12:58 PM
Krenair subscribed.EditedSep 5 2018, 2:56 PM

nda is a highly privileged group according to https://wikitech.wikimedia.org/wiki/LDAP/Groups - not as much as most of the other ones on there, but still.

gerritbot subscribed.Sep 5 2018, 4:14 PM

Change 458207 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: remove albe from ldap_admins, add to absent group

https://gerrit.wikimedia.org/r/458207

gerritbot added a project: Patch-For-Review.Sep 5 2018, 4:14 PM
Dzahn added subscribers: RStallman-legalteam, Dzahn.Sep 5 2018, 4:17 PM

can be verified at https://www.wikimedia.de/wiki/Mitarbeitende

Thank you. I did that. Verified.

Note to other people handling access requests: This requires both a Gerrit change (user must be moved to special absent group in admins module) and manual action on an LDAP client. (modify-ldap-group).

Regarding the "nda" group, this does allow login on several web UIs, such as Icinga and is only done after legal confirms there is a NDA on file. So we may also have to tell @RStallman-legalteam about revoking it when removing somebody.

gerritbot added a comment.Sep 5 2018, 4:29 PM

Change 458207 merged by Dzahn:
[operations/puppet@production] admins: remove albe from ldap_admins, add to absent group

https://gerrit.wikimedia.org/r/458207

Stashbot subscribed.Sep 5 2018, 4:31 PM

Mentioned in SAL (#wikimedia-operations) [2018-09-05T16:31:24Z] <mutante> LDAP: removed user 'albe' from groups 'wmde' and 'nda' (T203561)

Dzahn removed a project: Patch-For-Review.Sep 5 2018, 4:32 PM

Done. Keeping the ticket open to check whether the NDA group removal needs a process with legal or not.

WMDE-leszek added a comment.Sep 5 2018, 5:27 PM

Thanks for removing from 'nda' LDAP group. Thanks in advanced to @RStallman-legalteam for taking any further actions that are required (if there any).

Ottomata closed this task as Resolved.Sep 7 2018, 5:30 PM
Ottomata assigned this task to Dzahn.
Ottomata triaged this task as Medium priority.
Ottomata subscribed.

Looks like we can resolve, thanks.

Dzahn reopened this task as Open.Sep 7 2018, 5:39 PM

Not yet please, per "Keeping the ticket open to check whether the NDA group removal needs a process with legal or not." and meanwhile i know it does.. Rachel needs to follow-up on NDA removal.

RStallman-legalteam added a comment.Sep 7 2018, 5:49 PM

Thanks and sorry for my delay. I have noted this on the shared spreadsheet and updated the NDA contract record with this info.

Dzahn closed this task as Resolved.Sep 7 2018, 5:55 PM

cool, thanks Rachel. re-closing it then :)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL