Page MenuHomePhabricator

WMF Audiences engineers and analysts missing from `wmf` LDAP group
Closed, ResolvedPublic

Description

After a question, I've done a quick manual check of the 60 people in Audiences with the word "Engineer" or "Analyst" in their job title (thanks to SREers that helped), and found six people who don't seem to be in the group:

PersonPhab accountTeamuid
Alex Ezell@aezellCommunity Techaezell
Joe Walsh@JoeWalshiOSjoewalsh
Marielle Volz@MvolzEditingmvolz
Natalia Harateh@NHarateh_WMFiOSnharateh
Petar Petković@Petar.petkovicLanguagepetarpetkovic
Runa Bhattacharjee@ArrbeeLanguagearrbee

This should probably be fixed. Pinged people, please confirm. :-) Also: I probably missed some people who weren't in my original list; I didn't check for Technology people; I didn't audit the current list.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2018, 1:20 AM
RobH claimed this task.Nov 20 2018, 1:23 AM
Mvolz added a comment.Nov 20 2018, 5:23 AM

I assume this is why I can't log into grafana - ran into it a few months
ago but couldn't figure out why I didn't have access and never followed up.
If I could be added that'd be great.

jcrespo claimed this task.Nov 26 2018, 1:48 PM
jcrespo added subscribers: RobH, jcrespo.

I will definitely add anyone that justifies its need to it, starting with @Mvolz ASAP.

I think it is fair to ask for personal confirmation by posting a comment here. The policy says they need to request it as "not everybody needs it".

For the rest, @JoeWalsh @Mvolz @NHarateh_WMF @Petar.petkovic @Arrbee please, comment here yourselves requesting it with a simple one line justification and I will add you with no issue. To understand what it provides, please read https://wikitech.wikimedia.org/wiki/LDAP/Groups#Specific_groups We can close this after a month from now (e.g. 2 January) and for those that didn't request it you can always do it at a later time on a separate ticket .

jcrespo triaged this task as Normal priority.Nov 26 2018, 1:51 PM

Change 475995 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] admin: Add Mvolz to ldap-only users

https://gerrit.wikimedia.org/r/475995

Change 475995 merged by Jcrespo:
[operations/puppet@production] admin: Add Mvolz to ldap-only users

https://gerrit.wikimedia.org/r/475995

@Mvolz you have been added to the wmf group, please verify you can now log in into Grafana: https://grafana.wikimedia.org/login?redirect=%2F

Mvolz added a comment.Nov 27 2018, 6:18 PM

@Mvolz you have been added to the wmf group, please verify you can now log in into Grafana: https://grafana.wikimedia.org/login?redirect=%2F

Thanks, I confirmed that I can log in now.

jcrespo removed jcrespo as the assignee of this task.Nov 27 2018, 6:49 PM

Please the rest, as mentioned at T209901#4773777 feel free to request access if needed. I will leave this task open until 2 January to attend those, you can create a new ticket after that anyway.

jijiki added a subscriber: jijiki.Dec 3 2018, 12:21 PM

@Jdforrester-WMF since this task is visible on the ops clinic board, is it ok if we mark this as "Resolved" and let whoever needs access to create a new task as @jcrespo suggested?

@Jdforrester-WMF since this task is visible on the ops clinic board, is it ok if we mark this as "Resolved" and let whoever needs access to create a new task as @jcrespo suggested?

Not really. Access to these services is part of the day job of the individuals I mentioned. Making people jump through hoops is decidedly not helpful.

@Jdforrester-WMF since this task is visible on the ops clinic board, is it ok if we mark this as "Resolved" and let whoever needs access to create a new task as @jcrespo suggested?

Not really. Access to these services is part of the day job of the individuals I mentioned. Making people jump through hoops is decidedly not helpful.

We're not doing this to make people jump through hoops, we're just following our standard workflow, as listed https://wikitech.wikimedia.org/wiki/LDAP/Groups and https://phabricator.wikimedia.org/project/profile/1564/:

  • one access request task per person (to make them quickly actionable and not tie multiple processes together) as those are reviewed on an ongoing basis by the "SRE clinic duty"
  • to get confirmation that it works for the users and to comfirm the correct UID/username (in particular for users who also have shell access)

Going forward a similar task should be opened for new hires as well.

Dzahn added a subscriber: Dzahn.Dec 11 2018, 12:32 AM

I don't think it's unreasonable to ask for a quick "i need this for ..". Access requests should be based on a real need. It's not just an oversight in an onboarding process. They require real code changes too. We are more than happy to add people based on individual need, also with high priority. But in this form as a blanket addition based on job role i'm afraid we have to decline it.

herron closed this task as Resolved.Jan 4 2019, 3:18 PM
herron claimed this task.
herron added a subscriber: herron.

Closing this since it has been idle for a month. If any of the remaining users do wish to proceed with access requests please follow-up with individual subtasks as outlined in T209901#4805591.

we're just following our standard workflow, as listed https://wikitech.wikimedia.org/wiki/LDAP/Groups and https://phabricator.wikimedia.org/project/profile/1564/:

  • one access request task per person (to make them quickly actionable and not tie multiple processes together) as those are reviewed on an ongoing basis by the "SRE clinic duty"

Aha, sorry, didn't know that. Will open follow-up tasks.