Page MenuHomePhabricator

Requesting access to Proton for pmiazga, bearND, Mholloway, MSantos, Tgr
Closed, ResolvedPublic

Description

Please grant access to Proton production servers and access rights to deploy the service for

Username: pmiazga
Full name: Piotr Miazga

Username: bsitzmann
Full name: Bernd Sitzmann

Username: mholloway-shell
Full name: Michael Holloway
Prod SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIneKTP+6PaLMgGkOqtGe89r1i6e8lAPSZuBgGSbJaFS mholloway@wmf1256.local
L3: Signed

Username: mbsantos
Full name: Mateus B. Santos
Prod SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVfF4WbLZsEyojr+GciiTvGmOEt8jPa5ut+K47dz1X0 msantos@wikimedia.org
L3: Signed

Username: tgr
Full name: Gergo Tisza

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

@bearND @Mholloway @MSantos @Tgr could you edit the task and put your shell usernames here please?

@mobrovac could you approve the request? Also, are there any additional rights that those people require?

I added myself, as I don't have access to production servers, this would help me a lot when debugging/helping Readers Infrastructure in the early phase.

Once all the usernames are known in the task description, your respective managers need to explicitly approve each of the individual requests.

Are you requesting the admin group "sc-admins" ?

sc-admins:
  description: General service cluster admins - sc(a|b)
  gid: 779
  members: [eevans, mobrovac, ppchelko]
  privileges: ['ALL = NOPASSWD: /usr/bin/puppet agent *',
             'ALL = NOPASSWD: /usr/sbin/service changeprop *',
             'ALL = NOPASSWD: /usr/sbin/service citoid *',
             'ALL = NOPASSWD: /usr/sbin/service cpjobqueue *',
             'ALL = NOPASSWD: /usr/sbin/service cxserver *',
             'ALL = NOPASSWD: /usr/sbin/service graphoid *',
             'ALL = NOPASSWD: /usr/sbin/service mathoid *',
             'ALL = NOPASSWD: /usr/sbin/service mobileapps *',
             'ALL = NOPASSWD: /usr/sbin/service pdfrender *',
             'ALL = NOPASSWD: /usr/sbin/service proton *',
             'ALL = (proton) NOPASSWD: ALL',
             'ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
             'ALL = (recommendation_api) NOPASSWD: ALL',
             'ALL = NOPASSWD: /usr/sbin/service zotero *',
             'ALL = NOPASSWD: /usr/bin/firejail --join=*']

please see https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users for the required steps for the process

we'll also need you to read sign L3 and add SSH keys please

Those requests will be discussed on the 17th Dec SRE meeting, provided we have all information :)

Are you requesting the admin group "sc-admins" ?

No. The scope of this ticket is for Proton only. AFAIK, we currently don't have an admin group for proton (ping @akosiaris), so we will have to create it.

@phuedx could you approve my request? @Jhernandez can you approve the request for @bearND @Mholloway @MSantos and @Tgr?

Change 478373 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add new group for proton admins

https://gerrit.wikimedia.org/r/478373

.. we currently don't have an admin group for proton (ping @akosiaris), so we will have to create it.

ACK, https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/478373/

Change 478373 merged by Dzahn:
[operations/puppet@production] admins: add new group for proton admins

https://gerrit.wikimedia.org/r/478373

Change 478776 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add to proton-admins: pmiazga, bsitzmann, mholloway, mbsantos, tgr

https://gerrit.wikimedia.org/r/478776

Dzahn triaged this task as High priority.

Change 478776 merged by Alexandros Kosiaris:
[operations/puppet@production] admins: add to proton-admins: pmiazga, bsitzmann, mholloway, mbsantos, tgr

https://gerrit.wikimedia.org/r/478776

I 've slightly amended the patch to remove the now defunct sc-admins group and merged the patch per the SRE meeting's approval. Resolving this