
Grant sudo access for CI admins to doc.wikimedia.org publishing user
Closed, Resolved (Public)

Description

Hosting of doc.wikimedia.org is being migrated from the CI master (contint1001.wikimedia.org) to a Ganeti VM doc1001.eqiad.wmnet. The documentation generated by CI is published over rsync. The rsync daemon on the receiving end runs as doc-uploader and exposes a doc rsync module corresponding to /srv/docroot/org/wikimedia/doc/.

CI admins would sometimes need the ability to clean up published doc. For example to remove obsolete documentation (archived repos, closed branches) or move files around when a new entry is added. We sometimes have to manually delete directories, typically when a repository is archived from Gerrit.

We might also have CI faults that would be easier to fix by shell access and the usual find/rm commands rather than trying to figure out the right rsync command :-]

So it is merely a convenience.
The workflow is roughly:

I would like contint-admins to be granted a sudo rule to run commands as the doc-uploader user.

Event Timeline

hashar triaged this task as Normal priority. Jan 8 2019, 1:09 PM
hashar created this task.
Restricted Application added a project: Operations. Jan 8 2019, 1:09 PM

Change 480798 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] doc: grant doc-uploader access to contint users

https://gerrit.wikimedia.org/r/480798

Dzahn awarded a token. Jan 8 2019, 9:03 PM
Dzahn added a comment. Jan 8 2019, 9:06 PM

Thanks for the excellent justification for https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/480798/

+1 to this access request

hashar updated the task description. Jan 9 2019, 7:39 AM

Change 480798 merged by Dzahn:
[operations/puppet@production] doc: grant doc-uploader access to contint users

https://gerrit.wikimedia.org/r/480798

Dzahn closed this task as Resolved. Jan 14 2019, 7:29 PM

The request has been approved in today's SRE meeting, but with an additional comment that this should have some follow-up to remove the need for manual actions from the workflow in the future.

The change has been merged and:

[contint1001:~] $ sudo grep upload /etc/sudoers.d/contint-admins 
%contint-admins ALL = (doc-uploader) NOPASSWD: ALL

I can confirm it is working fine. Thank you.

Whenever something goes wrong, we can just rsync from contint1001 to fix the doc, but it is sometimes easier to just do it as the user. So merely a convenience really, I don't expect us to constantly shell to the host and move things around :]

Anyway it is good, just now have to fix the umask for rsync!

just now have to fix the umask for rsync!

merged!