
(2019-09) Create secteam groups in admin.yaml and define permissions
Closed, InvalidPublic0 Estimated Story Points

Description

Security-Team is currently keeping evidence in a few locations, but mostly consolidated on mwlog* for now. This is owned by root at the moment, which limits the team as only one member can fully manage the data. We also need a GID that we can use to manage files in general and settings etc. Additionally, members of secteam who do engineering within prod (of which there is one atm) need a subset of commands.

In my mind this comes with:

secteam
secteam-admin (commands to be run generally such as tcpdump)
secteam-root (not sure if there is anything here at the moment)
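As an added example (not part of this task and not code from operations/puppet): a small lint over group definitions written in the shape of the admin.yaml `groups:` map (a numeric `gid`, a `members` list and a `privileges` list of sudoers specs such as `ALL = (ALL) NOPASSWD: ALL`). It checks the split the description draws: a shell-only group has no privileges at all, and an admin group has only enumerated commands, never `ALL`, a shell, or a wildcard path. The group names, gids, members and privilege lines below are constructed for illustration and are assumptions, not the real data.

```python
"""Lint sudo privilege lines in admin.yaml-style group definitions.

Added example, not code from operations/puppet. It assumes the admin
data.yaml convention of a `groups:` map whose entries carry `gid`,
`members` and a `privileges` list of sudoers specs; every group below
is constructed for illustration.
"""
import re

# Binaries that hand the caller a root shell if allowed under sudo.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}

# Constructed sample groups (assumed names, gids, members and privileges):
#  - ops: the unrestricted root group, used as a contrast
#  - secteam-users: "shell only and no sudo"
#  - secteam-admin: one enumerated command (tcpdump, as in the task)
#  - secteam-bad: what the lint is meant to catch
SAMPLE_GROUPS = {
    "ops": {"gid": 705, "members": ["alice"],
            "privileges": ["ALL = (ALL) NOPASSWD: ALL"]},
    "secteam-users": {"gid": 790, "members": ["bob", "carol"],
                      "privileges": []},
    "secteam-admin": {"gid": 791, "members": ["bob"],
                      "privileges": ["ALL = (root) NOPASSWD: /usr/sbin/tcpdump"]},
    "secteam-bad": {"gid": 792, "members": ["dave"],
                    "privileges": ["ALL = (root) NOPASSWD: /usr/bin/*",
                                   "ALL = (ALL) /bin/bash"]},
}

# hosts = (runas) [TAG: ...] command[, command...]
SPEC_RE = re.compile(
    r"^\s*(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_spec(spec):
    """Split one sudoers user spec into hosts, run-as user, tags and commands."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable sudo spec: {spec!r}")
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"hosts": m.group("hosts"), "runas": m.group("runas") or "root",
            "tags": tags, "cmds": cmds}


def lint_privilege(spec):
    """Return findings for one sudo spec; an empty list means it is enumerated."""
    findings = []
    for cmd in parse_spec(spec)["cmds"]:
        binary = cmd.split()[0]
        if cmd == "ALL":
            findings.append("command 'ALL' is equivalent to full root")
        elif binary in SHELLS:
            findings.append(f"shell {binary} grants an interactive root shell")
        elif "*" in cmd:
            findings.append(f"wildcard in {cmd!r} allows path/argument injection")
    return findings


def lint_groups(groups):
    """Map each group name to its findings; groups with none are least-privilege."""
    report = {}
    for name, group in groups.items():
        issues = []
        if not isinstance(group.get("gid"), int):
            issues.append("missing numeric gid (needed for shared file ownership)")
        for spec in group.get("privileges", []):
            issues.extend(f"{spec!r}: {f}" for f in lint_privilege(spec))
        report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in lint_groups(SAMPLE_GROUPS).items():
        print(f"{name}: {'ok' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

A clean result from this lint is necessary, not sufficient: the one command the task names, tcpdump, can run a post-rotate command through its `-z` option, so even a single enumerated binary needs its own escape paths reviewed before it goes into a NOPASSWD line.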

Event Timeline

chasemp created this task.

Change 510753 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] admin: add secteam and secteam-admin for T223463

https://gerrit.wikimedia.org/r/510753

Is this SRE-Access-Requests? I'm not giving anyone rights they don't have. Security-Team is shell only and no sudo, secteam-admin is me only and I already have root.

mutante: regarding the question: it's always SRE-access-requests .. the difference you point out just changes it from "has to be in the meeting or not" imho
chasemp:  kk, then I'll proceed w/o a meeting based on no change in priv and leave the tag for posterity/discovery

Quick example of use cases and such: last week in {T224725} there were some artifacts that members of secteam wanted to help verify/collab on, but without shell or a predefined mechanism it's difficult. (i.e. root@clouddb1001:/srv/labsdb/s53220__quickstatements_p)

Pinged @MoritzMuehlenhoff to get feedback, esp. on the list of perms for secteam-admin, and he graciously agreed to look at things tomorrow.

Change 521483 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: new user group secteam-users

https://gerrit.wikimedia.org/r/521483

Change 521484 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: new group add secteam-admin

https://gerrit.wikimedia.org/r/521484

Change 521483 merged by Jbond:
[operations/puppet@production] admin: new user group secteam-users

https://gerrit.wikimedia.org/r/521483

@chasemp I have gone ahead and created the secteam-users group (renamed from secteam to match our convention), so you can go ahead and start using that one. There were some additional comments around the secteam-admins group, and as this is a downgrade in your permissions it was deemed that this change was low priority and we had some time to ensure we get this right. Please let us know if we have got the priority wrong.

@jbond - @chasemp is on sabbatical until September, so it'll probably be a little while before this can be tested and confirmed. So yes, this entire task is fairly low priority at the moment.

akosiaris changed the task status from Open to Stalled.Jul 15 2019, 1:41 PM
akosiaris lowered the priority of this task from Medium to Low.
akosiaris subscribed.

Setting stalled and low priority per comments above. @sbassett feel free to unstall when ready.

RobH renamed this task from Create secteam groups in admin.yaml and define permissions to (2019-09) Create secteam groups in admin.yaml and define permissions.Jul 30 2019, 8:10 PM
RobH assigned this task to sbassett.

Hey, @chasemp, is this on your radar (a lot of time has passed since the last update)? If yes, but "there is need of some discussion and work not involving SRE", I would remove the SRE-Access-Requests tag so it doesn't appear on the clinic duty dashboard. If no, maybe this should be closed and a different task should be opened with further actionables (technically, the title has already been fulfilled: secteam-users exists on production). If yes, but SREs are blocking work, please let us know how. Cheers!

herron subscribed.

Removing the SRE-Access-Requests project tag for now. Please update and re-add if/when any further action is needed. Thanks!

Apologies @jcrespo and @herron for the lag here. I was away (thanks for updating the task @sbassett) and then this fell to the bottom of the pile due to fires forever and ever it feels like. I'll cleanup, revisit, and add the tags as appropriate.

Change 510753 abandoned by Rush:
[operations/puppet@production] admin: add secteam and secteam-admin for T223463

Reason:
Nothing here for the moment, so setting aside until there is.

https://gerrit.wikimedia.org/r/510753

Change 521484 abandoned by Rush:
[operations/puppet@production] admin: new group add secteam-admin

Reason:
Nothing here actionable atm.

https://gerrit.wikimedia.org/r/521484

chasemp changed the task status from Declined to Resolved.Sep 28 2020, 6:43 PM
sbassett changed the task status from Resolved to Invalid.Dec 3 2021, 6:45 PM

Huh, given that both relevant patches were never merged, I'm going to set this to invalid for now, since it definitely was not resolved and wasn't really declined either. I think invalid makes the most sense given that it is not clear if this is even needed anymore or if an alternative approach might be required.