
fundraising access request for Rosie Lewis
Closed, Resolved, Public

Description

Access is requested for Rosie Lewis to frdev1001 to access the donation database, for tracking major gifts and endowment appeals. Rosie already has a Yubikey, but this is a new access request and needs C-level authorization.

[x] user_verification
    Requires: user request
    [x] access_rights: letter to C level (currently Lisa) verifying grant of access
    [x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List

Accounts and Services

[x] user account
    Requires: user_verification
    [x] Add the user to the users.yaml and group_members.yaml files as appropriate.
    [x] Push out puppet changes.
[x] yubikey
    Requires: useraccount and OIT request to send out yubikey to user
    [x] physical: Make a request to OIT to have a key sent to the user
    [x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
    [x] follow_on: Make sure user can use yubikey for ssh access
[x] ssh
    Requires: useraccount and yubikey
    [x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
    [x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
    [x] follow_on: Verify user can ssh to frdev1001 using correct creds and passphrases when needed.
[x] mysql
    Requires: useraccount, yubikey, ssh
    [x] account_setup
        [x] Add user account to mysql on appropriate master host with random password.
        [x] Grab password hash from mysql.
        [x] Create user block in grants file
        [x] Ensure user is in correct blocks for select rights on dbs.
            - Generally use another user in same group as a guide
        [x] Run the grant script to get the grants.
        [x] Copy/paste to execute the grants
        [x] Create the user a ~/.my.cnf file with the original password from account creation.
    [x] follow_on: Verify user can ssh to database host and log in to mysql.

Event Timeline

Access request sent to Lisa . . .

Hello @RLewis,

The two things we need to do at this point are to have you generate an ssh keypair and to get the public side of your yubikey for our system.

Instructions for generating the ssh keypair are here: https://collab.wikimedia.org/wiki/Fundraising_ssh_access

When you have generated the keypair, please post the contents of the public side of the key (ie: fr_id_rsa.pub) in this ticket.

As for the yubikey, there are 2 options for getting us the public side of the key:

  1. Visit https://directory.corp.wikimedia.org/yubikey.php logging in with your 'OIT' ldap credentials like you would for email, and clicking on the yubikey in the text box. It will then trim the code for you and provide the public side.
  2. In a text editor, just repeatedly press the button on the yubikey. You will notice there are 12 characters at the beginning of the output that don't change. That is the private side of the key that you can then send on to us.

Once we have this information we can update the config for your access.

Dallas
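
Added example, not part of the ticket or of the fundraising team's tooling: a check an operator could run on pasted button presses before adding a YubiKey to configuration. It assumes the default Yubico OTP layout (44 modhex characters, the first 12 being the fixed public ID); the function names and the OTP tails in the sample are constructed.

```python
# Added example. The Yubico OTP layout below is the documented default;
# the sample presses are constructed around the public ID shown in this ticket.
MODHEX = "cbdefghijklnrtuv"   # modhex digit at position i encodes hex nibble i
OTP_LEN = 44                  # 12-char public ID + 32-char encrypted part
ID_LEN = 12


def modhex_to_hex(s):
    """Translate a modhex string to lowercase hex; ValueError on other chars."""
    try:
        return "".join("0123456789abcdef"[MODHEX.index(ch)] for ch in s)
    except ValueError:
        raise ValueError(f"not modhex: {s!r}") from None


def public_id(presses):
    """Return the shared 12-char public ID from two or more button presses."""
    otps = [p.strip().lower() for p in presses if p.strip()]
    if len(otps) < 2:
        raise ValueError("need at least two presses to see which part is fixed")
    for otp in otps:
        if len(otp) != OTP_LEN:
            raise ValueError(f"expected {OTP_LEN} characters, got {len(otp)}")
        modhex_to_hex(otp)  # rejects anything outside the modhex alphabet
    ids = {otp[:ID_LEN] for otp in otps}
    if len(ids) != 1:
        raise ValueError("prefixes differ: presses came from different keys")
    if len({otp[ID_LEN:] for otp in otps}) != len(otps):
        raise ValueError("repeated OTP: need fresh presses, not a copied line")
    return ids.pop()


# Constructed sample: two presses sharing the ID, with made-up 32-char tails.
SAMPLE_PRESSES = [
    "ccccccrdrdcj" + "bdefghijklnrtuvc" * 2,
    "ccccccrdrdcj" + "vutrnlkjihgfedbc" * 2,
]

if __name__ == "__main__":
    pid = public_id(SAMPLE_PRESSES)
    print(pid, modhex_to_hex(pid))
```

Only the 12-character ID needs to go into a ticket; the check rejects a single press because one OTP alone does not show which part is fixed.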

Send follow up email to check status on the ssh key generation and the yubikey public side.

Jgreen changed the task status from Open to Stalled. Feb 19 2020, 10:47 PM
Jgreen moved this task from Triage to Stalled on the fundraising-tech-ops board.

Hi

I feel like I never set this up, so sorry. I've recently received a new laptop with a new yubikey. Let me check in with Caitin Virtue to see if I should still get access going forward and I'll let you know.

Thanks for bringing this to my attention.
Rosie Lewis
Development Research Analyst
+1 (415) 839-6885
rlewis@wikimedia.org

@Dwisehaupt so sorry for the delay on getting back to you on this. I do need access to this after all. I'll attempt to start the process above and reach out if I have any issues.

@Dwisehaupt here's what I could see on the terminal after following the steps:

Rosies-MacBook:~ rosielewis$ cat ~/.ssh/fr_id_rsa.pub
ssh-rsa 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 rlewis@wikimedia.org
Rosies-MacBook:~ rosielewis$

Public yubikey details:
Your Yubikey Public ID is: ccccccrdrdcj

Dwisehaupt changed the task status from Stalled to Open. Apr 28 2020, 4:15 PM
Dwisehaupt moved this task from Stalled to In Progress on the fundraising-tech-ops board.

Changes pushed for account, ssh key, and yubikey:

[frack::puppet] 9866c2f4 Adding account for rlewis
[frack::puppet::private] 194b388 Adding yubikey and ssh public key for rlewis

Forgot to increment the uid. Did that in this commit:

[frack::puppet] 65f6ae02 Fixup on the UID for rlewis.

Added to mysql grants, applied grants, verified could get in to mysql as the user.

[frack::puppet::private] 135c3fc Adding rlewis mysql account and grants
Dwisehaupt updated the task description.
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Got confirmation of successful logins. All set here.