
(2019-09) Create secteam groups in admin.yaml and define permissions
Open, Stalled, Low | Public | 0 Story Points

Description

Security-Team is currently keeping evidence in a few locations, but mostly consolidated on mwlog* for now. This is owned by root at the moment, which limits the team, as only one member can fully manage the data. We also need a GID that we can use to manage files in general and settings etc. Additionally, members of secteam who do engineering within prod (of which there is one atm) need a subset of commands.

In my mind this comes with:

secteam
secteam-admin (commands to be run generally such as tcpdump)
secteam-root (not sure if there is anything here at the moment)
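An added example, not code from this task or from operations/puppet: a small lint that checks a proposed group definition against the policy stated here (secteam-users is shell only with no sudo, secteam-admin gets only an allowlisted subset of commands such as tcpdump, and a root-style group with no members should not carry a dormant grant). The dict shape (gid/members/privileges with sudoers-style strings), the GIDs and the usernames are constructed assumptions, not the real admin.yaml contents.

```python
import re

# Constructed sample: the three groups proposed in the task description, in
# the shape a parsed admin.yaml 'groups' mapping is assumed to have.
# GIDs and usernames are placeholders, not values from the real file.
PROPOSED_GROUPS = {
    "secteam-users": {"gid": 9901, "members": ["alice", "bob"],
                      "privileges": []},            # shell only, no sudo
    "secteam-admin": {"gid": 9902, "members": ["alice"],
                      "privileges": ["ALL = NOPASSWD: /usr/sbin/tcpdump"]},
    "secteam-root":  {"gid": 9903, "members": [],
                      "privileges": ["ALL = (ALL) NOPASSWD: ALL"]},
}

# Commands secteam-admin may be granted, by absolute path (tcpdump per the task).
ADMIN_ALLOWLIST = {"/usr/sbin/tcpdump"}

# Sudoers-style privilege string as used in the sample above.
_PRIV_RE = re.compile(r"^ALL = (?:\([^)]*\) )?(?:NOPASSWD: )?(?P<cmd>\S+)(?: .*)?$")


def lint_groups(groups, users="secteam-users", admin="secteam-admin",
                root="secteam-root"):
    """Return findings (strings); an empty list means the stated policy holds."""
    findings = []
    gids = [g["gid"] for g in groups.values()]
    if len(gids) != len(set(gids)):
        findings.append("duplicate gid across groups")
    # 1. The users group is shell-only: any sudo privilege is a finding.
    if groups.get(users, {}).get("privileges"):
        findings.append(f"{users} must not carry sudo privileges")
    # 2. The admin group: only allowlisted absolute commands, never ALL,
    #    and every admin must already be a member of the users group.
    for priv in groups.get(admin, {}).get("privileges", []):
        m = _PRIV_RE.match(priv)
        if not m or m.group("cmd") not in ADMIN_ALLOWLIST:
            findings.append(f"{admin}: privilege not on allowlist: {priv!r}")
    outsiders = set(groups.get(admin, {}).get("members", [])) - set(
        groups.get(users, {}).get("members", []))
    if outsiders:
        findings.append(f"{admin} members not in {users}: {sorted(outsiders)}")
    # 3. A root-equivalent grant with no members is a dormant grant: drop it
    #    until there is a concrete need rather than leaving it to be filled.
    rg = groups.get(root)
    if rg and rg.get("privileges") and not rg.get("members"):
        findings.append(f"{root} grants privileges but has no members")
    return findings


if __name__ == "__main__":
    for f in lint_groups(PROPOSED_GROUPS):
        print("FINDING:", f)
```

Run against the sample, the only finding is the member-less secteam-root grant, matching the description's "not sure if there is anything here at the moment".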

Event Timeline

chasemp triaged this task as Normal priority. May 16 2019, 4:49 PM
chasemp created this task.
Restricted Application added a subscriber: Aklapper. May 16 2019, 4:49 PM

Change 510753 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] admin: add secteam and secteam-admin for T223463

https://gerrit.wikimedia.org/r/510753

chasemp updated the task description. (Show Details)

Is this SRE-Access-Requests? I'm not giving anyone rights they don't have. Security-Team is shell only and no sudo, secteam-admin is me only and I already have root.

mutante: regarding the question: it's always SRE-access-requests .. the difference you point out just changes it from "has to be in the meeting or not" imho
chasemp:  kk, then I'll proceed w/o a meeting based on no change in priv and leave the tag for posterity/discovery

Quick example on use cases and such: last week in {T224725} there were some artifacts that members of secteam wanted to help verify/collab on, but without shell or a predefined mechanism it's difficult. (i.e. root@clouddb1001:/srv/labsdb/s53220__quickstatements_p)

Pinged @MoritzMuehlenhoff to get feedback, esp. on the list of perms for secteam-admin, and he graciously agreed to look at things tomorrow.

jbond added a subscriber: jbond. Jun 26 2019, 12:12 PM

Change 521483 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: new user group secteam-users

https://gerrit.wikimedia.org/r/521483

Change 521484 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: new group add secteam-admin

https://gerrit.wikimedia.org/r/521484

Change 521483 merged by Jbond:
[operations/puppet@production] admin: new user group secteam-users

https://gerrit.wikimedia.org/r/521483

jbond added a comment. Jul 9 2019, 12:47 PM

@chasemp I have gone ahead and created the secteam-users group (renamed from secteam to match our convention), so you can go ahead and start using that one. There were some additional comments around the secteam-admins group, and as this is a downgrade in your permissions it was deemed that this change was low priority and we had some time to ensure we get this right. Please let us know if we have got the priority wrong.

sbassett added a subscriber: sbassett. (Edited) Jul 9 2019, 1:37 PM

@jbond - @chasemp is on sabbatical until September, so it'll probably be a little while before this can be tested and confirmed. So yes, this entire task is fairly low priority at the moment.

jbond added a comment. Jul 9 2019, 3:11 PM

@sbassett thanks for the info

akosiaris changed the task status from Open to Stalled. Jul 15 2019, 1:41 PM
akosiaris lowered the priority of this task from Normal to Low.
akosiaris added a subscriber: akosiaris.

Setting stalled and low priority per comments above. @sbassett feel free to unstall when ready.

RobH renamed this task from "Create secteam groups in admin.yaml and define permissions" to "(2019-09) Create secteam groups in admin.yaml and define permissions". Jul 30 2019, 8:10 PM
RobH assigned this task to sbassett.
sbassett added a project: Restricted Project. Tue, Sep 10, 4:58 PM