
access for foks to labweb (in one way or another) (or make changePassword.php work on mwmaint hosts)
Closed, Resolved · Public

Description

Problem statement: existing shell user 'foks' (@jrbs) can't access labweb* hosts

Purpose: run changePassword.php for things like T211700#5108206 which can only be done on labweb hosts, not mwmaint

He already has an existing shell user and is member in the group "restricted".

The groups that have access to labweb include: ops, deployment, wmcs-roots, deploy-service but not 'restricted'.

Possible solutions:

  • promote foks from restricted to deployment (drawback: that group is made for deploying mw and gives way more unrelated access)
  • add 'restricted' group to labweb hosts in addition to just deployers (drawback: all restricted users who never requested this also get the access)
  • create a new admin group specifically for this purpose and add that to labweb hosts (drawback: yet another group, but actually none?)
  • somehow make it possible to use changePassword.php from mwmaint hosts?
  • re-use the existing admin group ldap-admins, add the group on labweb, add foks to the group
  • X?
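The options above each trade off two kinds of side effects: extra hosts the requesting user gains beyond labweb, and other people who gain labweb as a by-product. The following script is an added example, not code from this task or from the operations/puppet repository, that makes that comparison mechanical. The role-to-group and group-to-member tables are constructed for illustration (group names mirror those named in the task, memberships and the "deploy" role are made up); in production that data lives in the puppet admin module and hieradata and would be loaded rather than hard-coded.

```python
"""Compare access-grant options by the extra access each one creates.

Added example for the access request discussed above; all data is constructed.
"""

# Constructed: which admin groups each host role grants shell access to.
ROLE_GROUPS = {
    "labweb": {"ops", "deployment", "wmcs-roots", "deploy-service"},
    "mwmaint": {"ops", "restricted", "deployment", "ldap-admins",
                "maintenance-log-readers", "perf-roots"},
    "deploy": {"ops", "deployment", "deploy-service"},   # made-up extra role
}

# Constructed: group memberships (names are placeholders).
GROUP_MEMBERS = {
    "ops": {"alice"},
    "deployment": {"bob", "carol"},
    "wmcs-roots": {"dave"},
    "deploy-service": {"erin"},
    "restricted": {"foks", "frank", "grace"},
    "ldap-admins": {"heidi"},
    "maintenance-log-readers": {"bob"},
    "perf-roots": {"ivan"},
}


def hosts_for(user, role_groups, group_members):
    """Roles (host classes) a user can log in to via any of their groups."""
    return {role for role, groups in role_groups.items()
            if any(user in group_members.get(g, set()) for g in groups)}


def users_with_access(role, role_groups, group_members):
    """Every user who can reach hosts of the given role."""
    return set().union(*(group_members.get(g, set()) for g in role_groups[role]))


def evaluate(option_name, mutate, user, target):
    """Apply mutate() to a copy of the model and report the side effects:
    roles `user` gains besides `target`, and other users who newly gain `target`."""
    rg = {r: set(g) for r, g in ROLE_GROUPS.items()}
    gm = {g: set(m) for g, m in GROUP_MEMBERS.items()}
    before_user = hosts_for(user, rg, gm)
    before_target = users_with_access(target, rg, gm)
    mutate(rg, gm)
    after_user = hosts_for(user, rg, gm)
    after_target = users_with_access(target, rg, gm)
    return {
        "option": option_name,
        "grants_target": target in after_user,
        "extra_roles_for_user": sorted(after_user - before_user - {target}),
        "others_gaining_target": sorted(after_target - before_target - {user}),
    }


# The three candidate changes from the task description, as model mutations.
def promote_to_deployment(rg, gm):
    gm["restricted"].discard("foks")
    gm["deployment"].add("foks")


def add_restricted_to_labweb(rg, gm):
    rg["labweb"].add("restricted")


def ldap_admins_on_labweb(rg, gm):
    gm["ldap-admins"].add("foks")
    rg["labweb"].add("ldap-admins")


OPTIONS = [
    ("promote foks to deployment", promote_to_deployment),
    ("add restricted to labweb", add_restricted_to_labweb),
    ("ldap-admins on labweb + add foks", ldap_admins_on_labweb),
]


def compare(user="foks", target="labweb"):
    """Evaluate every option for one user and one target role."""
    return [evaluate(name, fn, user, target) for name, fn in OPTIONS]


if __name__ == "__main__":
    for result in compare():
        print(result)
```

With the constructed data, promoting to deployment grants labweb with no bystanders but also hands foks the unrelated "deploy" role; adding restricted to labweb keeps foks's own footprint minimal but pulls in every other restricted user; the ldap-admins route adds no extra hosts for foks, and the only bystander is the existing ldap-admins member, who is already trusted for LDAP changes. Swapping in the real admin data turns the same script into a quick least-privilege review for any similar request.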

Event Timeline

Dzahn created this task. Apr 12 2019, 10:44 PM
Restricted Application added a project: Operations. Apr 12 2019, 10:44 PM
Restricted Application added a subscriber: Aklapper.
Dzahn updated the task description. Apr 12 2019, 10:46 PM
Dzahn added a subscriber: MoritzMuehlenhoff.
Dzahn renamed this task from "access for foks to labweb (in one way or another)" to "access for foks to labweb (in one way or another) (or make changePassword.php work on mwmaint hosts)". Apr 12 2019, 10:54 PM
Dzahn added subscribers: Reedy, Krenair.

somehow make it possible to use changePassword.php from mwmaint hosts?

This might be the most straight forward thing to do, but I'd like @Andrew to help think about the implications. The missing piece today is provisioning the LDAP password for the uid=novaadmin user that is used by Wikitech to modify LDAP contents. This password is provisioned by modules/openstack/manifests/wikitech/wikitechprivatesettings.pp. This could be added to mwmaint hosts via some profile if there are no concerns about "leaking" the secrets.

I agree that adding that password to mwmaint is pretty easy. Is that really the only step that's necessary to make changePassword.php work there? If so then I don't object to this -- presumably people with access to mwmaint already have the ability to break wikipedia, which is probably a lower threshold than 'trusted to change ldap passwords'.

Krenair added a comment. (Edited) Apr 15 2019, 2:58 AM

Well from hieradata/role/common/mediawiki/maintenance.yaml:

  • restricted - doesn't have as many different ways to break things as deployment but could still do a lot of damage and cause DBA headaches
  • deployment - can and occasionally does break wikipedia
  • ldap-admins - presumably we already trust this group to be able to do everything this could do
  • maintenance-log-readers - this group can't do much. The only current member of this group is also a member of deployment though.
  • perf-roots - root on varnish and application servers

jbond added a subscriber: jbond. Apr 15 2019, 4:46 PM
colewhite triaged this task as Normal priority. Apr 16 2019, 6:11 PM

Change 506492 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add foks to deployment group

https://gerrit.wikimedia.org/r/506492

herron added a subscriber: herron. Apr 25 2019, 5:07 PM

Since we're approaching two weeks on this request I've proposed the above patch to move forward using the existing deployment group and trust that caution will be exercised. Happy to see another approach implemented, but at the same time would like to unblock this individual access request.

Change 506542 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ldap-admins: remove demon, add foks, add admin group on labweb hosts

https://gerrit.wikimedia.org/r/506542

Dzahn added a comment. Apr 25 2019, 7:44 PM

Happy to see another approach implemented, but at the same time would like to unblock this individual access request.

Thank you very much for pushing this forward! I have thought about it some more and now came up with this counter suggestion:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/506542

Change 506492 abandoned by Herron:
admin: add foks to deployment group

Reason:
in favor of Ia0d403e59c7f4e3f08a25c5c52842323f9f33d26

https://gerrit.wikimedia.org/r/506492

Dzahn assigned this task to jrbs. Apr 29 2019, 8:54 PM

Let's confirm that it doesn't actually work on mwmaint and what the error is. And also whether it runs as another user (www-data) and what the full command is.

Could you please paste an example command @jrbs

Dzahn changed the task status from Open to Stalled. May 6 2019, 4:08 PM
Volans added a subscriber: Volans. May 24 2019, 10:17 AM

@jrbs Any update on this?

Change 506542 merged by Andrew Bogott:
[operations/puppet@production] ldap-admins: add foks, add admin group on labweb hosts

https://gerrit.wikimedia.org/r/506542

jijiki closed this task as Resolved. Jun 21 2019, 5:40 AM
jijiki added a subscriber: jijiki.

@Andrew @jrbs This looks like resolved, please ping if it is not :)