In T236180 the Search team is trying to bootstrap an Apache Airflow service (https://airflow.apache.org/).
In order to properly manage it, they'd need to be able to impersonate the airflow system user and perform some related sudo commands (to restart/start/stop the service, etc.) on an-airflow1001.eqiad.wmnet (Ganeti VM in the Analytics VLAN).
Currently the proposal is https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/552304/1/modules/admin/data/data.yaml
Caveat: the analytics-search-users group is deployed to all the analytics hosts. We (as Analytics) don't have any Airflow service yet, but we might in the future. I can see two paths forward:
- We review/merge this change now and then revise the permissions in the future if needed.
- We create a new group called airflow-search-users (or similar) that is only deployed to an-airflow1001.eqiad.wmnet; more tedious, but probably a little bit cleaner from the user perms point of view.
Let me know what you think about it :)