Investigate whether we can automatically share incident status docs with WMDE
Closed, Resolved, Public

Description

Can we automatically share incident docs with WMDE?

This could be done with the sharing settings on the Incident Reports folder in Google Drive, where the status docs are created.

@JAufrecht notes:

You can share to a list of accounts (emails). I don't think there's any definition of a group that we could use, and sharing by url seems inadequately secure.

I've asked @Addshore and @Ladsgroup to help us figure out who that should be, given they were the ones involved in working this incident.

In parallel, is it a good idea to broaden the access on the entire folder? I think so, but I want to make sure -- for example, are there any categories of incident that need to be kept to strictly WMF staff, not even WMDE? My instinct is no, it's fine -- after all, WMDE folks are present in the IRC channel where security-sensitive issues are discussed -- but let's decide out loud.

Event Timeline

RLazarus triaged this task as Medium priority. Feb 5 2020, 7:24 PM
RLazarus created this task.

Usually, and in large incidents, it's me and Adam who help with the incident from WMDE, and I don't remember anyone else from WMDE helping in any large incidents. OTOH most of the devs have prod access and would be able to help if needed. I think @Lucas_Werkmeister_WMDE would be a great help too. I think Adam, Lucas, and I can be given access automatically and we will add any people if needed; if it happens too often, we'll let you know to add more people as a default.

Thanks! I'll bring this up in the SRE meeting on Monday and go ahead if no one objects.

"On Monday" turned out to be two weeks later -- sorry about that. Conclusions from today's SRE meeting, documented for posterity:

  • Yes, in principle we should do this.
  • Incident docs contain PII and other sensitive matter, so this requires an NDA on file for anyone we add, and a reminder that the contents of an incident status doc are confidential and can't be shared more broadly, even e.g. within WMDE.
  • We should also add a "confidential" label to the status doc template.
  • There's consensus among SRE to add the three specific folks named in this ticket, but we'll bring any future proposed additions back to the SRE meeting, rather than establishing a general rule.

I have a pending email to Legal to make sure I have all the details straight with respect to confidentiality policy. Assuming I get the thumbs up from them, I'll make the changes as described. Thanks WMDE friends for your patience.

Thank you for the update @RLazarus, greatly appreciated and thank you for trusting me :)

Sorry for the delay, but this is still in progress -- I've checked in with Legal and they're still working on it. Thanks for your patience, still.

This should be done! Thanks one last time for your patience.

@Addshore @Ladsgroup @Lucas_Werkmeister_WMDE You should see a "Status Documents" folder now shared with your @wikimedia.de accounts, and you'll automatically have access to new status docs for ongoing incidents as they're created there. You already know, but a reminder that those docs are confidential: please do not share them or discuss their contents with anyone else, even at WMDE.

Ping me if you have trouble getting in, or have any other questions.

Works for me, thanks! I added a description to the folder so we (in WMDE) hopefully don’t forget it’s confidential.