
Setup shell access and civi access for civi staging for Coleman Watts
Closed, Resolved (Public)

Description

He has a yubikey now.
@Eileenmcnaughton might have more info about specific access.


Prerequisites

Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and C-level approval of the access being granted.

[x] user_verification
Requires: user request
[x] access_rights: letter to C level verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List

Accounts and Services

[x] user account
Requires: user_verification
[x] Add the user to the users.yaml and group_members.yaml files as appropriate.
[x] Push out puppet changes.
[ ] client_ssl_cert
Requires: user_verification
[x] cert_setup: generate cert on frpm1001 using ssl_user_admin
[x] account_setup: sms the user the password for the key
[ ] follow_on: assist with certificate installation
[ ] yubikey
Requires: useraccount and OIT request to send out yubikey to user
[x] physical: Make a request to OIT to have a key sent to the user
[ ] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[ ] follow_on: Make sure user can use yubikey for ssh access
[ ] ssh
Requires: useraccount and yubikey
[ ] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[ ] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[ ] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[ ] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [x] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants on appropriate dbs.
    [x] Create the user a ~/.my.cnf file with the original password from account creation.
[ ] follow_on: Verify user can ssh to the required host and log in to mysql.
[ ] civicrm
Requires: client_ssl_cert
[x] account_setup: Create user account. This will notify the user via email to update their password.
[ ] follow_on: Verify user can log in to https://civicrm.wikimedia.org
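The mysql follow_on step above is the point where restrictions get verified rather than assumed. The script below is an added example for that check; it is not part of this task or of the fundraising puppet repositories. It parses the text printed by MySQL's `SHOW GRANTS FOR 'user'@'host'` and flags anything that goes beyond SELECT on the three dev databases this task ends up granting (dev_civicrm, dev_drupal, dev_fredge): extra privileges, unexpected databases, global grants, GRANT OPTION, and expected grants that are missing. The sample grant output, the `cwatts`@`10.%` host pattern and the policy dict are constructed for the example.

```python
"""Audit a MySQL user's grants against an intended least-privilege policy.

Added example, not project code. Input is the text of
`SHOW GRANTS FOR 'user'@'host'` in the standard MySQL format (one GRANT
statement per line); the sample below is constructed.
"""
import re
import sys

# Intended policy for a civicrm dev contractor: SELECT only, dev DBs only.
# (Constructed for this example; the real grants live in puppet-private.)
DEV_READ_ONLY = {
    "dev_civicrm": {"SELECT"},
    "dev_drupal": {"SELECT"},
    "dev_fredge": {"SELECT"},
}

# Constructed sample: a grant set with two mistakes a reviewer should catch
# (INSERT on dev_fredge, and SELECT on the production civicrm database).
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO `cwatts`@`10.%`
GRANT SELECT ON `dev_civicrm`.* TO `cwatts`@`10.%`
GRANT SELECT ON `dev_drupal`.* TO `cwatts`@`10.%`
GRANT SELECT, INSERT ON `dev_fredge`.* TO `cwatts`@`10.%`
GRANT SELECT ON `civicrm`.* TO `cwatts`@`10.%`
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)"
    r"(?P<opts>\s+WITH\s+.*)?$"
)


def parse_grant(line):
    """Return (privileges, db, table, grant_option) for one GRANT line, or None.

    Handles both the backtick (MySQL 8) and single-quote quoting styles.
    Database names containing a literal '.' are not handled.
    """
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    db, _, table = m.group("scope").partition(".")
    grant_option = "GRANT OPTION" in (m.group("opts") or "").upper()
    return privs, db.strip("`'"), table.strip("`'"), grant_option


def audit_grants(show_grants_output, policy=DEV_READ_ONLY):
    """Return a sorted list of (database, finding) tuples; empty means compliant."""
    findings = []
    seen = set()
    for line in show_grants_output.splitlines():
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, db, _table, grant_option = parsed
        if privs == {"USAGE"}:
            continue  # USAGE carries no privilege; it is the "may connect" row
        if grant_option:
            findings.append((db, "grant option"))
        if db == "*":
            findings.append((db, "global privilege: " + ", ".join(sorted(privs))))
            continue
        if db not in policy:
            findings.append((db, "unexpected database"))
            continue
        seen.add(db)
        excess = privs - policy[db]
        if excess:
            findings.append((db, "excess privileges: " + ", ".join(sorted(excess))))
    # A grant that was expected but never appeared is also worth a look:
    # the user may have been put in the wrong block of the grants file.
    for db in sorted(set(policy) - seen):
        findings.append((db, "missing expected grant"))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe real output in:  mysql -e "SHOW GRANTS FOR 'user'@'host'" | python audit.py
    text = SAMPLE_GRANTS if sys.stdin.isatty() else sys.stdin.read()
    for db, finding in audit_grants(text) or [("-", "no findings")]:
        print(f"{db}: {finding}")
```

Running it against the constructed sample reports the INSERT on dev_fredge and the grant on civicrm; a grant set that matches the policy exactly reports nothing. The missing-grant check is deliberate: a user who silently ended up with no grant at all is easy to miss when you only look for excess.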

Event Timeline

I am the person who is managing the contract so I'm probably as close to a direct manager as we'll get. I approve.

Received confirmation to request for approval. Moving forward on creating the rest of the account portions.

civicrmllc group created and user accounts established with the following commits:

puppet:
  382eeb4f Add civicrmllc contractors to auth role
  7a5376f3 Add accounts and group mapping for civicrmllc contractors

puppet-private:
  0e01479f Add iptables rules to allow civicrmllc group to ssh to frdev

After discussion with @Eileenmcnaughton, we will want to grant access to the dev versions of the civicrm, drupal, and fredge databases. If we find more access is needed in the future, that can be done in follow on requests.

Spoke with Coleman in the call today. Setting up accounts now.

[frack::puppet::private] 57a04eb Adding db perms for cwatts and totten - civicrmllc

Set up mysql config and verified I could log in as the user and verified db access and restrictions were in place and functioning. Access was granted to dev_civicrm, dev_drupal, and dev_fredge.

[frack::puppet::private] 229e560 Activating civicrmllc cwatts and totten mysql grants
Dwisehaupt changed the task status from Open to Stalled. Jul 1 2020, 6:32 PM
Dwisehaupt moved this task from In Progress to Stalled on the fundraising-tech-ops board.
Dwisehaupt reopened this task as Stalled.
Dwisehaupt moved this task from Stalled to Done on the fundraising-tech-ops board.
Dwisehaupt moved this task from Done to Blocked on the fundraising-tech-ops board.

@Dwisehaupt: Which other task or which person is this task stalled on?

@Aklapper This is stalled on an external contractor. I have set up our initial portions but can't proceed until they follow up with additional information.

Dwisehaupt moved this task from Blocked to Done on the fundraising-tech-ops board.

Closing out this task for now. Will reopen when they get around to needing the full access.

Removed accounts and access as it hasn't been needed in over 2 years.