• schedule a short maintenance window for phabricator
• change the passwords live
• change the passwords in private repo in class passwords::mysql::phabricator
• run puppet on phabricator servers and confirm everything works

?

cc: @20after4

happy to help

Works for me.

We could also do T146055: Improve privilege separation for phabricator's config files and mysql credentials at the same time.

@mmodell could we schedule a specific date for this, so it is not forgotten? How much time do you need to prepare T146055? Work on our side is not too time consuming, but maybe yours may take more...

ugh. @jcrespo, I apologize, I let the ball drop on this one. It wouldn't take much effort on my part, we already have the puppet scaffolding to support separating them.

Maybe this can be scheduled before or after the maintenance for T259589?

I don't have the bandwidth to prepare this change before Tuesday - @jcrespo if you happen to have some room to prepare this before Tuesday (or after), please take the lead!

I made a note about how we go about setting a separate password for PHD daemons in a comment at T146055#6378825.

Essentially we just need to define a new password variable and reference it from modules/profile/manifests/phabricator/main.pp.

Mentioned in SAL (#wikimedia-operations) [2020-08-18T06:48:39Z] <jynus> deploy another password change to phabricator service (potentially disruptive) T250361

Mentioned in SAL (#wikimedia-operations) [2020-08-18T07:16:41Z] <jynus> update rest of phabricator passwords T250361

Change 620879 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879

Change 620879 merged by Jcrespo:
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879