Requesting access to production for dsharpe
Closed, Resolved · Public · Request

Description

Username: dsharpe
Full name: David Lee Sharpe

I am a new hire in John Bennett's Security team, and part of my duties involve incident response. I need to be able to diagnose and completely research any type of intrusion or incident as part of my job duties. Can my access somehow be cloned from another existing WMF Security team member? I don't have a specific production server list to provide.

Public key is in this paste: https://phabricator.wikimedia.org/P8004

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (included in all WMF Staff/Contractor hiring)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys).
  • Access request has sign-off of WMF manager.
  • sudo requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations.
  • Patchset for access request

Event Timeline

Dsharpe created this task. Jan 18 2019, 1:05 AM
Restricted Application added a project: Operations. Jan 18 2019, 1:05 AM
Restricted Application added a subscriber: Aklapper.
Dsharpe updated the task description. Jan 18 2019, 1:19 AM
sbassett added subscribers: Bawolff, sbassett. (Edited) Jan 18 2019, 2:35 AM

Hey @Dsharpe

I'd imagine you'd probably need deployment and analytics-privatedata-users access for now - this is what @Bawolff and I have. Here's the patch for when I was added to these groups.

Additionally, here's some info on some of the Wikimedia production servers:

  1. Bastion servers and a neat shell script that geo-locates you and lets you know which bastion you should use.
  2. Deployment servers
  3. Logging servers
  4. Kibana
  5. Maintenance server
  6. Stats/analytics servers
  7. NOC - handy view of a lot of architectural/config stuff.
CDanis assigned this task to Dsharpe. Jan 18 2019, 2:22 PM
CDanis triaged this task as Normal priority.
CDanis updated the task description.
CDanis added a subscriber: CDanis.

Hi David,

Just a couple things for you:

  • WMF policy requires your manager comment on this ticket giving approval for access
  • Can you confirm that this is a fresh SSH keypair generated for WMF prod and not used anywhere else?

Aside from that, I'll get you on the list of access requests to be approved at our SRE meeting Monday.

Thanks!
-Chris

Yes, the SSH key pair is entirely new, and not used anywhere else at all.

Thank you!

CDanis updated the task description. Jan 18 2019, 3:37 PM

@faidon @mark Could one of you approve this request?

We won't have an SRE meeting next week (holiday), and I'm told that we usually don't have one the week of allhands or the week after (because of travel).

RobH added a subscriber: RobH. Jan 22 2019, 5:13 PM

I've emailed both @faidon and @mark to make them aware of this request:

Faidon & Mark,
Normally this is reviewed in the SRE meeting, but we won't be having one for the next two weeks. New security team member needs his access approved.
https://phabricator.wikimedia.org/T214130
Username: dsharpe
Full name: David Lee Sharpe

RobH changed the task status from Open to Stalled. Jan 24 2019, 5:21 PM
RobH reassigned this task from Dsharpe to mark.

This requires SRE Director approval OR SRE full meeting approval.

There are no SRE meetings scheduled until post all hands. I've emailed both directors to make them aware of this task, and that they can approve directly on task to skip the SRE meeting requirement.

I'm setting this stalled until that approval is granted. Please note if they do not approve this outside of the SRE meeting via this task, it has to be via the Monday SRE meetings. If it isn't approved by directors on task, the upcoming meets are:

2019-02-04 : likely will be canceled, since folks are traveling home
2019-02-11 : should be a normal meeting date

faidon added a comment. Feb 2 2019, 9:21 PM

Let's not wait for a meeting, approved!

faidon changed the task status from Stalled to Open. Feb 2 2019, 9:21 PM
faidon removed mark as the assignee of this task.

Change 488880 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/puppet@production] admin: add dsharpe, give access to deployment/analytics-privatedata-users

https://gerrit.wikimedia.org/r/488880

Change 488880 merged by Giuseppe Lavagetto:
[operations/puppet@production] admin: add dsharpe, give access to deployment/analytics-privatedata-users

https://gerrit.wikimedia.org/r/488880

Joe claimed this task. Feb 7 2019, 10:46 AM
Joe updated the task description. Feb 7 2019, 11:43 AM
Joe added a comment. Feb 7 2019, 11:46 AM

@Dsharpe you should be able to log onto the systems accessible via those groups - for example, deploy1001.

If you can access those servers, please resolve the ticket. Let me know if you're unable to do so otherwise.

Joe added a comment. Feb 11 2019, 10:50 AM

I will assume you can successfully access and just resolve the ticket. Please reopen it if any issue happens.

revi closed this task as Resolved. Feb 12 2019, 11:23 AM
revi removed a project: Patch-For-Review.