Page MenuHomePhabricator
Create Task
Maniphest T211962

LDAP nda access request for Daimona
Closed, ResolvedPublic
Actions

Description

Recently, I opened a task for WMF-NDA access (T211042, currently on hold waiting for the C-level approval) in order to get privileged Phab access, which I'd need in order to deal with several tasks containing sensitive data, at least in the AbuseFilter workboard (more details and examples in the linked task). Together with this, I'd also like to have access to logstash, which could be helpful in at least two ways:

  • View errors/exceptions/etc. stack traces, which I need relatively often (some example tasks I can find right now: T210709, T209877, T144265). Sometimes, retrieving data quickly could make a great difference (like in T210709);
  • View the "slow abuse filters" log, which keeps trace of every slow filter across wikis; I could use this info to help local AbuseFilter maintainers improve the performance of their filters (and possibly speed up save time), thanks to the global abuse filter helper right.

IIUC, access to logstash is granted to those in the nda group, and I originally thought I could request this together with privileged phab access. However, I realized that this involves a totally different NDA to sign, and thus I'm opening this task. As for the support, I'm CC'ing @MusikAnimal per T211042#4795890.

Progress checklist (from Wikitech)

  • At least one comment of support from a Wikimedia Foundation employee, explaining why it is a good idea to accept your request
  • A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you).
  • Get sign off by a C-level staff of the Wikimedia Foundation. WMF employees will arrange this as a last sign-off (usually with Victoria Coleman) when all other criteria have been met.
  • A member of the Technical Operations team will pick up your request (these are assigned on a weekly rotation) and contact the Legal department of the Wikimedia Foundation.
  • They'll reach out to you and prepare an NDA which you then need to sign
  • When that has been confirmed, the Operations person will grant you shell access or add you to the cn=nda LDAP group

Details

SubjectRepoBranchLines +/-
admins: add Daimona to ldap_only adminsoperations/puppetproduction+4 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedDzahnT211042 Volunteer NDA for Daimona
 ResolvedDzahnT211962 LDAP nda access request for Daimona

Event Timeline

Daimona created this task.Dec 14 2018, 8:57 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2018, 8:57 AM
MarcoAurelio subscribed.Dec 14 2018, 10:35 AM

+1

Dzahn triaged this task as Medium priority.Dec 14 2018, 7:36 PM
Dzahn added a parent task: T211042: Volunteer NDA for Daimona.
Dzahn subscribed.Dec 14 2018, 7:43 PM

Hi @Daimona I see that a couple of the check boxes here look already done on T211042 which i added as a parent task. The technical part of adding you to the LDAP group would be trivial, so it just waits for the approvals to be done. I added Rachel Stallman from Legal to that parent task because i know she handles NDAs in some other cases that may or may not be different from volunteer NDAs, so i added her to find out.

Dzahn added a comment.Dec 14 2018, 7:48 PM

I would say T211042#4808232 covers "At least one comment of support from a Wikimedia Foundation employee" and "A comment of approval from one Wikimedia Foundation manager" provided you get the c-level approval as well. We can check these off if you ask me, but more +1s from employees never hurt of course.

The c-level checkbox is already pending and " A member of the Technical Operations team will pick up your request " is what i'm doing right now. "and contact the Legal department of the Wikimedia Foundation" is that i added Rachel Stallman to reach out to you. Once that is done i can handle the very last check box and add you.

Dzahn changed the task status from Open to Stalled.Dec 14 2018, 8:00 PM
Dzahn claimed this task.
Dzahn updated the task description. (Show Details)
MusikAnimal awarded a token.Dec 14 2018, 8:31 PM
MusikAnimal added a comment.Dec 14 2018, 8:45 PM

Reconfirming that I fully support Daimona having logstash access. He is the foremost developer of AbuseFilter and has been for nearly a year now.

Daimona added a comment.Dec 14 2018, 9:21 PM

Thanks @Dzahn for taking charge of my request, and thanks again @MusikAnimal for the support :-)

Dzahn removed Dzahn as the assignee of this task.Dec 18 2018, 2:35 PM

@Daimona I'm unassigning this task from myself but that is just because we have a weekly rotating clinic duty to handle access requests and it should not be blocked on me personally.

Once T211042 is resolved one of us will add you to the group. Just make sure we get the update once you signed the NDA. Cheers, Daniel

Daimona added subscribers: VColeman, RStallman-legalteam.Dec 18 2018, 2:58 PM

@Dzahn Sure, thanks :-) I have already signed the NDA, while probably the signature still has to be verified by Legal. CC'ing @RStallman-legalteam to make sure the process will continue in this task, and I'm also seizing the opportunity to CC @VColeman and ask if she could please provide C-level sign-off here, in addition to the parent task. Many thanks!

RStallman-legalteam added a comment.Dec 18 2018, 3:11 PM

Confirming that Daimona's NDA is fully signed and on file with legal. Thanks!

Dzahn updated the task description. (Show Details)Dec 18 2018, 3:22 PM
Dzahn mentioned this in T211042: Volunteer NDA for Daimona.Dec 18 2018, 3:34 PM
Dzahn added a comment.Dec 18 2018, 3:44 PM

Thanks for confirming! I left a comment on the other ticket and will close this once the last box is ticked off.

colewhite moved this task from Backlog to Manager Approval Pending on the LDAP-Access-Requests board.Dec 18 2018, 5:04 PM
herron subscribed.Jan 4 2019, 3:37 PM

Hello -- a friendly reminder that this request is awaiting c-level review/approval

bd808 added subscribers: Tnegrin, bd808.Jan 4 2019, 7:47 PM
In T211962#4855263, @herron wrote:

Hello -- a friendly reminder that this request is awaiting c-level review/approval

@MusikAnimal: since you seem to be the staff sponsor here, can you try to track down @Tnegrin or @VColeman and get them to add an 'approved' comment on this task?

VColeman added a comment.Jan 7 2019, 10:31 PM

Approved

MusikAnimal updated the task description. (Show Details)Jan 7 2019, 11:00 PM
Dzahn closed this task as Resolved.Jan 8 2019, 4:07 AM
Dzahn claimed this task.

done. added to LDAP group "nda"

[mwmaint1002:~] $ sudo modify-ldap-group nda | grep uid=daimona
..
member: uid=daimona,ou=people,dc=wikimedia,dc=org

@Daimona You have been added to the requested group now. You should be able to login.

Dzahn updated the task description. (Show Details)Jan 8 2019, 4:08 AM
Daimona added a comment.Jan 8 2019, 9:21 AM

Confirming that I can log into Logstash, thanks :-)

Daimona mentioned this in T213151: Security Issue Access Request for Daimona.Jan 8 2019, 9:26 AM
gerritbot subscribed.Jan 9 2019, 4:29 PM

Change 483173 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add Daimona to ldap_only admins

https://gerrit.wikimedia.org/r/483173

gerritbot added a project: Patch-For-Review.Jan 9 2019, 4:29 PM
gerritbot added a comment.Jan 9 2019, 4:33 PM

Change 483173 merged by Dzahn:
[operations/puppet@production] admins: add Daimona to ldap_only admins

https://gerrit.wikimedia.org/r/483173

Daimona mentioned this in T239093: Add Daimona to #mediawiki_security.Nov 25 2019, 12:15 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:58 AM
Restricted Application added a project: SRE. · View Herald TranscriptNov 26 2019, 11:58 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL