Page MenuHomePhabricator

LDAP nda access request for Daimona
Closed, ResolvedPublic


Recently, I opened a task for WMF-NDA access (T211042, currently on hold waiting for the C-level approval) in order to get privileged Phab access, which I'd need in order to deal with several tasks containing sensitive data, at least in the AbuseFilter workboard (more details and examples in the linked task). Together with this, I'd also like to have access to logstash, which could be helpful in at least two ways:

  • View errors/exceptions/etc. stack traces, which I need relatively often (some example tasks I can find right now: T210709, T209877, T144265). Sometimes, retrieving data quickly could make a great difference (like in T210709);
  • View the "slow abuse filters" log, which keeps trace of every slow filter across wikis; I could use this info to help local AbuseFilter maintainers improve the performance of their filters (and possibly speed up save time), thanks to the global abuse filter helper right.

IIUC, access to logstash is granted to those in the nda group, and I originally thought I could request this together with privileged phab access. However, I realized that this involves a totally different NDA to sign, and thus I'm opening this task. As for the support, I'm CC'ing @MusikAnimal per T211042#4795890.

Progress checklist (from Wikitech)

  • At least one comment of support from a Wikimedia Foundation employee, explaining why it is a good idea to accept your request
  • A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you).
  • Get sign off by a C-level staff of the Wikimedia Foundation. WMF employees will arrange this as a last sign-off (usually with Victoria Coleman) when all other criteria have been met.
  • A member of the Technical Operations team will pick up your request (these are assigned on a weekly rotation) and contact the Legal department of the Wikimedia Foundation.
  • They'll reach out to you and prepare an NDA which you then need to sign
  • When that has been confirmed, the Operations person will grant you shell access or add you to the cn=nda LDAP group

Event Timeline

Dzahn triaged this task as Medium priority.Dec 14 2018, 7:36 PM

Hi @Daimona I see that a couple of the check boxes here look already done on T211042 which i added as a parent task. The technical part of adding you to the LDAP group would be trivial, so it just waits for the approvals to be done. I added Rachel Stallman from Legal to that parent task because i know she handles NDAs in some other cases that may or may not be different from volunteer NDAs, so i added her to find out.

I would say T211042#4808232 covers "At least one comment of support from a Wikimedia Foundation employee" and "A comment of approval from one Wikimedia Foundation manager" provided you get the c-level approval as well. We can check these off if you ask me, but more +1s from employees never hurt of course.

The c-level checkbox is already pending and " A member of the Technical Operations team will pick up your request " is what i'm doing right now. "and contact the Legal department of the Wikimedia Foundation" is that i added Rachel Stallman to reach out to you. Once that is done i can handle the very last check box and add you.

Dzahn changed the task status from Open to Stalled.Dec 14 2018, 8:00 PM
Dzahn claimed this task.
Dzahn updated the task description. (Show Details)

Reconfirming that I fully support Daimona having logstash access. He is the foremost developer of AbuseFilter and has been for nearly a year now.

Thanks @Dzahn for taking charge of my request, and thanks again @MusikAnimal for the support :-)

Dzahn removed Dzahn as the assignee of this task.Dec 18 2018, 2:35 PM

@Daimona I'm unassigning this task from myself but that is just because we have a weekly rotating clinic duty to handle access requests and it should not be blocked on me personally.

Once T211042 is resolved one of us will add you to the group. Just make sure we get the update once you signed the NDA. Cheers, Daniel

@Dzahn Sure, thanks :-) I have already signed the NDA, while probably the signature still has to be verified by Legal. CC'ing @RStallman-legalteam to make sure the process will continue in this task, and I'm also seizing the opportunity to CC @VColeman and ask if she could please provide C-level sign-off here, in addition to the parent task. Many thanks!

Confirming that Daimona's NDA is fully signed and on file with legal. Thanks!

Thanks for confirming! I left a comment on the other ticket and will close this once the last box is ticked off.

Hello -- a friendly reminder that this request is awaiting c-level review/approval

Hello -- a friendly reminder that this request is awaiting c-level review/approval

@MusikAnimal: since you seem to be the staff sponsor here, can you try to track down @Tnegrin or @VColeman and get them to add an 'approved' comment on this task?

Dzahn claimed this task.

done. added to LDAP group "nda"

[mwmaint1002:~] $ sudo modify-ldap-group nda | grep uid=daimona
member: uid=daimona,ou=people,dc=wikimedia,dc=org

@Daimona You have been added to the requested group now. You should be able to login.

Confirming that I can log into Logstash, thanks :-)

Change 483173 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add Daimona to ldap_only admins

Change 483173 merged by Dzahn:
[operations/puppet@production] admins: add Daimona to ldap_only admins