
Create a service account to manage traffic.wmflabs.org. from acme-chief
Closed, Resolved. Public

Description

We need a service user with enough access to create/append/delete TXT records under the DNS zone traffic.wmflabs.org.

This service user will be used by acme-chief to fulfill dns-01 challenges from Let's Encrypt.

Following the naming schema used in the deployment-prep project, traffic-dns-manager could be the name for this service account.

Event Timeline

aborrero triaged this task as Medium priority. Aug 5 2019, 10:03 AM
aborrero moved this task from Inbox to Needs discussion on the cloud-services-team (Kanban) board.
aborrero subscribed.

For the WMCS team meeting, needs discussion: how to better handle this. I'm not aware of the current workflow for creating service accounts in OpenStack.

Anyone can create the desired Developer account via Wikitech or Striker and then add it as an administrator of the traffic project. There is nothing special about the account from the OpenStack point of view. We can not make a single account to handle this sort of activity across multiple Cloud VPS projects as the same credentials would be used in all projects.

$ ldap cn=deployment-prep-dns-manager \* memberOf
dn: uid=deployment-prep-dns-manager,ou=people,dc=wikimedia,dc=org
uid: deployment-prep-dns-manager
sn: Deployment-prep-dns-manager
cn: Deployment-prep-dns-manager
objectClass: inetOrgPerson
objectClass: person
objectClass: ldapPublicKey
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 19091
gidNumber: 500
homeDirectory: /home/deployment-prep-dns-manager
loginShell: /bin/false
mail: krenair+betadnsmanager@<redacted>
memberOf: cn=project-deployment-prep,ou=groups,dc=wikimedia,dc=org

# pagedresults: cookie=

Here you go @Vgutierrez. Ping me on IRC if you would like to have some assistance when creating the Wikitech or Striker account.

then add it as an administrator of the traffic project. There is nothing special about the account from the OpenStack point of view.

IIRC deployment-prep's one has a special role that cannot be assigned by normal users, it gives basically read only + edit DNS permissions?

IIRC deployment-prep's one has a special role that cannot be assigned by normal users, it gives basically read only + edit DNS permissions?

Wow, I had completely forgotten that we made the designateadmin role in T194998: Create custom deployment-prep role that allows editing of Designate records only. I don't think this actually got documented anywhere outside of that ticket and the git patch that went with it. @Andrew didn't remember it when I was rambling in a meeting today about how we could in theory make such a role if it was actually needed.

The rest of the things I said about initial creation of the account are pretty much true, but it will take direct use of the openstack cli tools to grant the new user this role in the project.

Yeah, to be honest, limited access for this account would be better than a full administrator role.

Change 528720 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] keystone: allow svc account traffic-cloud-dns-manager to use password auth

https://gerrit.wikimedia.org/r/528720

Change 528720 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] keystone: allow svc account traffic-cloud-dns-manager to use password auth

https://gerrit.wikimedia.org/r/528720

Mentioned in SAL (#wikimedia-cloud) [2019-08-07T10:01:54Z] <arturo> remove projectadmin and added designateadmin role to the traffic-cloud-dns-manager user T229786
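As an added example (not code from this task or from the WMCS tooling), a least-privilege check for the state the SAL entry above describes: the service account should hold the designateadmin role in the traffic project and nothing broader such as projectadmin. It assumes the output shape of `openstack role assignment list --names -f json` and uses constructed before/after samples; `fetch_assignments` is only there to show where live data would come from.

```python
import json
import subprocess

# Constructed samples of the assignments before and after the SAL action
# (projectadmin removed, designateadmin added), trimmed to the keys used here.
BEFORE = [{"Role": "projectadmin", "User": "traffic-cloud-dns-manager@Default",
           "Project": "traffic@Default"}]
AFTER = [{"Role": "designateadmin", "User": "traffic-cloud-dns-manager@Default",
          "Project": "traffic@Default"}]

# The only role the DNS service account should hold (T194998: edit Designate
# records only) and roles that grant far more than TXT-record management.
ALLOWED_ROLES = {"designateadmin"}
OVERPRIVILEGED_ROLES = {"admin", "projectadmin"}


def _name(value):
    # With --names, users and projects render as "name@domain".
    return value.split("@", 1)[0] if value else ""


def audit_roles(assignments, user, project):
    """Return (ok, findings) for `user`'s roles in `project`.

    `assignments` is the parsed JSON list from
    `openstack role assignment list --names -f json`.
    """
    held = {a["Role"] for a in assignments
            if _name(a.get("User")) == user and _name(a.get("Project")) == project}
    findings = []
    if not held & ALLOWED_ROLES:
        findings.append(f"{user} lacks {sorted(ALLOWED_ROLES)} in {project}; "
                        "dns-01 challenges would fail")
    for role in sorted(held & OVERPRIVILEGED_ROLES):
        findings.append(f"{user} holds over-privileged role '{role}' in {project}")
    for role in sorted(held - ALLOWED_ROLES - OVERPRIVILEGED_ROLES):
        findings.append(f"{user} holds unexpected role '{role}' in {project}")
    return not findings, findings


def fetch_assignments(user, project):
    """Read live assignments with the OpenStack CLI (needs admin credentials)."""
    out = subprocess.run(
        ["openstack", "role", "assignment", "list", "--names", "-f", "json",
         "--user", user, "--project", project],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        ok, findings = audit_roles(sample, "traffic-cloud-dns-manager", "traffic")
        print(label, "OK" if ok else "FAIL", findings)
```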