
Grant WMDE engineers access to logstash and creating grafana boards / Add WMDE engineers to 'nda' LDAP group
Closed, ResolvedPublic

Description

I request granting all WMDE engineers access to logstash.wikimedia.org/Kibana. Having it is required to be able to e.g. access stack traces in logs of production wikis in case of issues caused by our code, when monitoring logs of production wikis when deploying code or config changes, etc.
I would go as far as to say that having access to logstash is as necessary for WMDE developers as, for example, access to the source code on Gerrit.

As far as I know, the technical change here is to have relevant LDAP user accounts added to the 'nda' LDAP group.
To my knowledge, all listed WMDE staff members have already signed the required NDAs with the WMF when they were added to another LDAP group, i.e. the 'wmde' group. I include people's names in the list. @RStallman-legalteam would you be so kind to verify that you have documents regarding all these people on file?

In the list below please find collected user names of . Their affiliation with the WMDE can be checked e.g. by seeing them being listed in the 'wmde' LDAP group: https://tools.wmflabs.org/ldap/group/wmde. I also vouch for them as an Engineering Manager with WMDE. We'll provide the necessary training and ensure the responsible use of privileges.

| LDAP/shell user name | Wikitech user name | Name |
| --- | --- | --- |
| alaasarhan | Alaa Sarhan | Alaa Sarhan |
| andrew-wmde | Andrew-WMDE | Andrew Kostka |
| bitpogo | Matthias Geisler | Matthias Geisler |
| darthmon | Monica Pinedo | Mónica Pinedo |
| gbirke | Gabriel Birke | Gabriel Birke |
| jakob | Jakob | Jakob Warkotsch |
| jkroll | Jkroll | Johannes Kroll |
| noa | Noa wmde | Noa Rave |
| pgrass | Pablo Grass (WMDE) | Pablo Grass |
| rosalie-wmde | Rosalie Perside (WMDE) | Rosalie Perside |
| tgritschacher | Tobias Gritschacher | Tobias Gritschacher |
| thiemowmde | Thiemo Kreuz (WMDE) | Thiemo Kreuz |
| tieu | Tim Eulitz | Tim Eulitz |

The mentioned LDAP group change would also give said WMDE engineers the ability to create and edit Grafana dashboards. While this is not the primary activity of our staff members, it is not an uncommon need for them, so having this kind of access granted would also be beneficial.

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 4 2019, 4:44 PM
WMDE-leszek updated the task description. Jun 4 2019, 4:45 PM
fsero added a subscriber: fsero. Jun 5 2019, 10:58 AM

Hi @WMDE-leszek,

your request looks reasonable to me, I'd like for @RStallman-legalteam to verify NDAs for a double check. But this change is considerably bigger than the usual, which is per individual, hence I'd like to discuss it on the next SRE meeting.

Thanks

sounds sensible, thanks @fsero

Hello,

We have NDAs on file for all except: Andrew Kostka, Jakob Warkotsch, Johannes Kroll, Tobias Gritschacher. Let me know if I should reach out to them individually to sign NDAs. Thanks!

@WMDE-leszek I think Rachel's question was directed to you.

ArielGlenn triaged this task as Normal priority. Jun 10 2019, 6:45 AM

@WMDE-leszek I went ahead and sent the NDAs to the four users mentioned above and will update the ticket once they are signed.

Apologies for the late reaction. It's been a longer weekend for me.
Thanks a lot @RStallman-legalteam for checking, and reaching out to remaining people!
@Andrew-WMDE @Jakob_WMDE @jkroll @Tobi_WMDE_SW gentlemen, please cooperate :)

All have signed the NDAs now. Many thanks!

Great! I'll make sure this is brought up at the next SRE meeting then (Monday).

@ArielGlenn have you maybe had a chance to discuss this topic in the SRE round?

That week we did not meet after all! :-( And this week I was missing, so I do not know if it was discussed. It should not be delayed any longer though. I will see what this week's clinic duty person can tell us.

It was indeed discussed this week and someone at that discussion should be weighing in here these next few days.

jbond added a subscriber: jbond. Jun 26 2019, 12:30 PM

Just adding this link as it's useful for seeing what the current permissions are and validating after the action has been performed:

https://tools.wmflabs.org/wmde-access/

Hi Leszek,
we have two ways to approach this: If you specifically only need Logstash access, we can extend the configuration for Logstash to check the membership of the wmde LDAP group in addition to wm/nda. Or if we add all WMDE engineers to the NDA group, then they'll also be able to access the additional services listed at https://wikitech.wikimedia.org/wiki/LDAP/Groups. Let me know your preference/intention.

One thing we'll need though: For all WMF staff we have a process that staff members who leave the Foundation get removed from NDA-relevant access (unless they sign up for a separate volunteer NDA) and we'll need something similar for Wikimedia Deutschland employees. As we don't have much insight who's leaving WMDE, can we figure out some process that we get a notification when someone in the WMDE LDAP groups moves on to a new job? We can also sort this out off task if you prefer, you can reach me at moritz@wikimedia.org.

> Hi Leszek,
> we have two ways to approach this: If you specifically only need Logstash access, we can extend the configuration for Logstash to check the membership of the wmde LDAP group in addition to wm/nda. Or if we add all WMDE engineers to the NDA group, then they'll also be able to access the additional services listed at https://wikitech.wikimedia.org/wiki/LDAP/Groups. Let me know your preference/intention.

We would actually also have similar need for Grafana board creation, I should not have made this request exclusively about logstash. I'll adjust this task description, to not dump another task on you in the near future. Sorry for this.

https://wikitech.wikimedia.org/wiki/LDAP/Groups does list a few services I don't expect WMDE engineers to actively use (apart from logstash and grafana, we might poke Icinga sometimes to help fix issues on our end), so that might seem overly generous access to be granted. But I understand that you might not want to chop LDAP groups too fine. Given we'd actually appreciate having access to more than Logstash, adding individual engineers to the NDA group seems fine from our side. If there were any more fine-grained access levels, we're happy to discuss moving WMDE staff to the least wide circle.

> One thing we'll need though: For all WMF staff we have a process that staff members who leave the Foundation get removed from NDA-relevant access (unless they sign up for a separate volunteer NDA) and we'll need something similar for Wikimedia Deutschland employees. As we don't have much insight who's leaving WMDE, can we figure out some process that we get a notification when someone in the WMDE LDAP groups moves on to a new job? We can also sort this out off task if you prefer, you can reach me at moritz@wikimedia.org.

I'd love to discuss this and figure out a way for us to update WMF and get all permissions revoked from leaving WMDE staff members. To not make this ticket too big in scope, I'll reach out to you via email shortly.

WMDE-leszek renamed this task from Grant WMDE engineers access to logstash / Add WMDE engineers to 'nda' LDAP group to Grant WMDE engineers access to logstash and creating grafana boards / Add WMDE engineers to 'nda' LDAP group. Jun 28 2019, 9:41 AM

> we have two ways to approach this: If you specifically only need Logstash access, we can extend the configuration for Logstash to check the membership of the wmde LDAP group in addition to wm/nda.

This has been suggested before for such access requests (just add the wmde group to the access list for grafana and logstash etc), however there was some push back, but I'm not sure if I know the exact tickets for that.
There was also T161484 where it was identified that the wmde ldap group included a few legacy people that had not yet signed NDAs (looks like that has been cleaned up in this ticket however).

IMO being in the wmde group and automatically having access to the services that the nda group has access to would be a massive + for us and remove lots of overhead and waiting around when we realize engineer X doesn't have access to service Y yet.
Keeping this in the wmde group rather than also adding wmde staff to the nda group would be nice also as then we just have to remove them from a single group when they leave.

Merging two replies here:

> we have two ways to approach this: If you specifically only need Logstash access, we can extend the configuration for Logstash to check the membership of the wmde LDAP group in addition to wm/nda. Or if we add all WMDE engineers to the NDA group, then they'll also be able to access the additional services listed at https://wikitech.wikimedia.org/wiki/LDAP/Groups. Let me know your preference/intention.

> We would actually also have similar need for Grafana board creation, I should not have made this request exclusively about logstash. I'll adjust this task description, to not dump another task on you in the near future. Sorry for this.
>
> https://wikitech.wikimedia.org/wiki/LDAP/Groups does list a few services I don't expect WMDE engineers to actively use (apart from logstash and grafana, we might poke Icinga sometimes to help fix issues on our end), so that might seem overly generous access to be granted. But I understand that you might not want to chop LDAP groups too fine. Given we'd actually appreciate having access to more than Logstash, adding individual engineers to the NDA group seems fine from our side. If there were any more fine-grained access levels, we're happy to discuss moving WMDE staff to the least wide circle.

We have some mid-term plans to make permission management more flexible (at which point we could define a more fine-grained WMDE permission), but in the meantime it seems sensible to simply add WMDE to cn=nda. After all, you've all signed up for an NDA. Especially given the aspect that Adam mentioned wrt "waiting around when we realize engineer X doesn't have access to service Y yet".

I'll bring this request forward in tonight's SRE meeting and will get back to you tomorrow.

Re being in WMDE group being equivalent to being in NDA group, just for the record: there are/were members of WMDE non-engineering staff (Product Management, for example) who were in WMDE group but haven't signed the NDA ldap group's NDA. This could be seen e.g. with https://tools.wmflabs.org/wmde-access/ . So technically there would be some users who shouldn't just go to the NDA group, and are not subject to this request.

I am not saying having all WMDE people who use WMF services sign the NDA is not wanted/bad/etc, but this would require 1) changing some further processes here at WMDE (doable), and 2) having some users sign the NDA now who are not part of this task. Just pointing this out in case the solution chosen was to add individual names to the NDA group, "merging" the groups couldn't just happen "automatically".

> Re being in WMDE group being equivalent to being in NDA group, just for the record: there are/were members of WMDE non-engineering staff (Product Management, for example) who were in WMDE group but haven't signed the NDA ldap group's NDA. This could be seen e.g. with https://tools.wmflabs.org/wmde-access/ . So technically there would be some users who shouldn't just go to the NDA group, and are not subject to this request.
>
> I am not saying having all WMDE people who use WMF services sign the NDA is not wanted/bad/etc, but this would require 1) changing some further processes here at WMDE (doable), and 2) having some users sign the NDA now who are not part of this task. Just pointing this out in case the solution chosen was to add individual names to the NDA group, "merging" the groups couldn't just happen "automatically".

Ack. Adding the 13 people listed in this task was discussed/approved in yesterday's SRE meeting. Going forward I'd say that depending on the background/needs of new WMDE staff you simply make the call internally whether to ask for wmde membership or wmde/nda membership. @WMDE-leszek Does that sound good? If so, I'll move forward later the day and add the 13 people listed here.
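As an added illustration (not code from this task, nor from Wikimedia's puppet or LDAP tooling), the following Python script models the two membership policies Moritz describes (a service gated on cn=nda only, or on nda plus the wmde group) together with the two checks raised in the thread: wmde members who never signed the NDA and therefore must not be swept into cn=nda automatically, and the offboarding reconciliation of NDA-gated access against an employer's active roster. The LDIF export, base DN, user names and roster are constructed, and the group schema assumed (groups carrying `member:` DNs that contain a `uid=` component) is an assumption, not the real directory layout.

```python
"""
Constructed example: audit LDAP group membership for NDA-gated access.

  1. may_access() is the access check, either nda-only or nda+wmde.
  2. audit() reports wmde members lacking nda (not eligible for nda-gated
     services) and wmde+nda members missing from the active roster
     (candidates for offboarding removal).

All directory data below is constructed; no real accounts are described.
"""
import re

# Constructed LDIF export of two groups under a hypothetical base DN.
SAMPLE_LDIF = """\
dn: cn=wmde,ou=groups,dc=example,dc=org
cn: wmde
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=carol,ou=people,dc=example,dc=org

dn: cn=nda,ou=groups,dc=example,dc=org
cn: nda
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=dave,ou=people,dc=example,dc=org
"""

# Extract the uid RDN from a member DN (assumed schema).
_UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def parse_group_ldif(text):
    """Return {group_cn: set(uids)} from a minimal LDIF group export.

    Entries are separated by blank lines as in LDIF; only the 'cn:' and
    'member:' attributes are used, and each member DN is reduced to its uid.
    """
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current entry
            current = None
            continue
        lower = line.lower()
        if lower.startswith("cn:") and current is None:
            current = line.split(":", 1)[1].strip()
            groups.setdefault(current, set())
        elif lower.startswith("member:") and current is not None:
            match = _UID_RE.match(line.split(":", 1)[1].strip())
            if match:
                groups[current].add(match.group(1))
    return groups


def may_access(groups, uid, allowed_groups=("nda",)):
    """Access check for an NDA-gated service such as Logstash.

    Default is cn=nda only. Passing ("nda", "wmde") models the alternative of
    letting the service honour the wmde group as well.
    """
    return any(uid in groups.get(g, set()) for g in allowed_groups)


def audit(groups, active_wmde_staff):
    """Reconcile wmde/nda membership against a (constructed) HR roster.

    'wmde_without_nda': wmde members with no nda membership; under the
                        nda-only policy they cannot reach gated services and
                        must not be added to nda without a signed NDA.
    'revoke':           wmde members who hold nda membership but are no
                        longer on the active roster; their NDA-gated access
                        should be removed as part of offboarding.
    """
    wmde = groups.get("wmde", set())
    nda = groups.get("nda", set())
    return {
        "wmde_without_nda": sorted(wmde - nda),
        "revoke": sorted((wmde & nda) - set(active_wmde_staff)),
    }


if __name__ == "__main__":
    g = parse_group_ldif(SAMPLE_LDIF)
    # Constructed roster: bob has left, so bob's nda membership should go.
    print(audit(g, active_wmde_staff={"alice", "carol"}))
```

Run as-is it prints the audit for the constructed data; in practice the roster would come from the employer-side notification process discussed in the thread, and the LDIF from an export of the real groups, so that the "revoke" list can drive removals rather than relying on someone noticing a departure.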

That sounds good @MoritzMuehlenhoff, thanks!

All the accounts listed in this task have been added to cn=nda, please let me know if there are any issues.

Change 520259 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add two WMDE users to LDAP users list

https://gerrit.wikimedia.org/r/520259

Change 520259 merged by Muehlenhoff:
[operations/puppet@production] Add two WMDE users to LDAP users list

https://gerrit.wikimedia.org/r/520259

MoritzMuehlenhoff closed this task as Resolved. Jul 3 2019, 7:59 AM
MoritzMuehlenhoff claimed this task.

This is all complete, please let me know if there are any issues.