Page MenuHomePhabricator

WMF-NDA access for DannyS712
Closed, ResolvedPublic

Description

Hi. I'd like to request access to WMF-NDA

  • Use case / needs: I'd like to be able to work on the restricted tasks (I've filed a fair number myself as well). If I understand correctly the NDA is also a prerequisite for requesting access to logstash in the future
  • Wikimedia Foundation employees supporting request: @daniel, @hashar, @Aklapper, @Niharika, @CDanis, @thcipriani

Checklist from Wikitech

  • At least one comment of support from a Wikimedia Foundation employee, explaining why it is a good idea to accept your request
  • A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you).
  • Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.
  • Make DannyS712 a member of the "WMF-NDA-Requests" project so they can sign {L2}.
  • DannyS712 to sign {L2}
  • Verify the signature.
  • Get sign off by a C-level staff of the Wikimedia Foundation. (T256367#6617971)
  • Add DannyS712 to WMF-NDA

Event Timeline

Restricted Application added a project: User-DannyS712. · View Herald TranscriptJun 25 2020, 12:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Aklapper updated the task description. (Show Details)Jun 25 2020, 1:58 PM

Nice! You should be able to access L2 now.
Also note that I don't know what acl*security_volunteer is or what it is used for. Please create a separate request for that - thanks!

DannyS712 updated the task description. (Show Details)Jun 25 2020, 3:27 PM
DannyS712 updated the task description. (Show Details)

Nice! You should be able to access L2 now.
Also note that I don't know what acl*security_volunteer is or what it is used for. Please create a separate request for that - thanks!

Signed. Will file a separate task for security access once this is resolved

I support DannyS712's request. In particular, access to logstash would be useful for investigating issues.

DannyS712 is a prolific and diligent engineer, who quickly response to requests and upcoming issues. Having DannyS712 help out with investigating incidents would be valuable.

This being said, I do not know anything about DannyS712 outside of what I have seen on Gerrit and Phabricator and a handful of Emails. I have never met them in person, nor do I know anything about their background.

Legoktm updated the task description. (Show Details)Jul 3 2020, 4:56 AM

@daniel can you ask your manager to take a look and (hopefully) approve this?

daniel added a comment.Jul 3 2020, 9:25 AM

@daniel can you ask your manager to take a look and (hopefully) approve this?

I can try, but there really isn't an established process for this I'm afraid.

@daniel can you ask your manager to take a look and (hopefully) approve this?

I can try, but there really isn't an established process for this I'm afraid.

I was following the steps laid out in https://wikitech.wikimedia.org/wiki/Volunteer_NDA

daniel added a comment.Jul 3 2020, 9:40 AM

I can try, but there really isn't an established process for this I'm afraid.

I was following the steps laid out in https://wikitech.wikimedia.org/wiki/Volunteer_NDA

Yeas, sure. What I meant is: there is no established process by which managers decide who should be supported in getting access. This doesn't happen often these days, so I guess it's a first for everyone involved.

Not a (fulltime) WMF contractor, but I support this access request, because Danny is an active volunteer involved in MediaWiki development. Having logstash access would improve their ability to help the movement.

hashar added a subscriber: hashar.Jul 9 2020, 10:06 PM

DannyS712 has been instrumental in the recent Revision deprecation, access to at least logstash would definitely be helpful.

{{ping}} @daniel any updates?

+1 to this request, so we have 3½ WMF staff folks supporting this.

@daniel: Who is your manager, and can that person please be subscribed on this task (to potentially approve this request)? Thanks.

I think @WDoranWMF wanted to check higher up the chain of command. This isn't something we do frequently, so the criteria are unclear.

@daniel @hashar Can one of you ask your manager to have a look at this request?

or maybe @Aklapper can? :-)

I'll +1 this too. @DannyS712 has been extremely helpful in fixing bugs and issues proactively.

Pinging @WDoranWMF again and @DannyH (my manager).

I also support this proposal. @DannyS712 has been very helpful in all sorts of production firefighting recently -- of particular note, T264369

@greg @thcipriani @faidon @mark Can one of you please help move this along?

I also support this proposal. @DannyS712 has been very helpful in all sorts of production firefighting recently -- of particular note, T264369

@greg @thcipriani @faidon @mark Can one of you please help move this along?

I also support this proposal. @DannyS712 has been very helpful in raising issues related to upcoming deployments (not to mention fixing issues as they arise). @DannyS712's troubleshooting help is invaluable and I support giving them the access they need to be more effective.

Kizule added a subscriber: Kizule.Oct 6 2020, 10:06 PM

As volunteer, I support this request, per all reasons which others mentioned already. :)

I am sorry that this request is taking quite some time. WMF needs to sort out the internal parts of this process better. I've asked some folks to clarify the process.

thcipriani updated the task description. (Show Details)Oct 7 2020, 1:54 PM

I see that @thcipriani has added a check to the "A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you)." requirement
Can someone please double-check the related SUL account, etc. and verify that this is proper?
Other than verifying my signature (I signed this a while ago), it looks like the only thing left should be "Get sign off by a C-level staff of the Wikimedia Foundation." - I wonder how long that will take

Urbanecm added a comment.EditedOct 7 2020, 9:38 PM

I guess the last signoff needs to be from @gsingers as the CTO?

Huji awarded a token.Oct 12 2020, 9:59 PM

From what I can tell the procedure described in https://wikitech.wikimedia.org/wiki/Volunteer_NDA is outdated and no longer accurate. All current NDA access requires an NDA signed with the Legal department (it's still a digital signture, but different from clicking https://phabricator.wikimedia.org/L2.

Let me clarify this and then I'll report back to this task in the next days.

Let me clarify this and then I'll report back to this task in the next days.

I've confirmed with Legal; for access to the NDA Phabricator project the procedure at https://wikitech.wikimedia.org/wiki/Volunteer_NDA is still enough; only privileged LDAP and shell access need the full-blown NDA.

@MoritzMuehlenhoff Hello, since Danny would like to request logstash access (ie. nda LDAP group), based on your comment, it seems that the full NDA would be needed. Could you please help to start the process? Thanks!

@MoritzMuehlenhoff Hello, since Danny would like to request logstash access (ie. nda LDAP group), based on your comment, it seems that the full NDA would be needed. Could you please help to start the process? Thanks!

Indeed - given how long this NDA has taken, if possible I'd like to start the process for the logstash one now

I guess the last signoff needs to be from @gsingers as the CTO?

{{ping}} just want to make sure you saw this @gsingers

@MoritzMuehlenhoff Hello, since Danny would like to request logstash access (ie. nda LDAP group), based on your comment, it seems that the full NDA would be needed. Could you please help to start the process? Thanks!

Indeed - given how long this NDA has taken, if possible I'd like to start the process for the logstash one now

{{ping}} just want to make sure you saw this @MoritzMuehlenhoff

DannyS712 updated the task description. (Show Details)Oct 28 2020, 3:18 AM

Indeed - given how long this NDA has taken, if possible I'd like to start the process for the logstash one now

{{ping}} just want to make sure you saw this @MoritzMuehlenhoff

Sorry, I missed your ping.

I'm adding @KFrancis from the WMF's Legal department to the task to handle this.

@MoritzMuehlenhoff Please email (kfrancis@wikimedia.org) me the user's full name, mailing address, and the type of access they will need.

@DannyS712 can you get in touch with @KFrancis by email please? For the NDA, the foundation needs your real name, a real world address.

@KFrancis For the type of access: "privileged LDAP access" , ie add the person to the nda group.

@DannyS712 can you get in touch with @KFrancis by email please? For the NDA, the foundation needs your real name, a real world address.

@KFrancis For the type of access: "privileged LDAP access" , ie add the person to the nda group.

Sent

@MoritzMuehlenhoff @DannyS712 Sorry for the delay on this.. I just need to know the name of the group for LDAP access?

@KFrancis This is for the cn=ldap LDAP group.

@MoritzMuehlenhoff @DannyS712 The NDA has been sent for signatures. I'll confirm when it's complete.

@MoritzMuehlenhoff @DannyS712 The NDA has been sent for signatures. I'll confirm when it's complete.

To be clear, that NDA is separate from this request, which is pending approval from @gsingers

@MoritzMuehlenhoff Confirming the signed NDA! Thanks for your patience!

hashar assigned this task to gsingers.Tue, Nov 10, 12:52 PM

For the Get sign off by a C-level staff of the Wikimedia Foundation step, it seems @gsingers as head of Technology is the most appropriate person.

For the context @DannyS712 has done, and still does, a lot of refactoring and cleaning in MediaWiki. Even though that is peer reviewed, tested via CI etc, sometime an issue strikes production or cant be analyzed outside of production. Hence Danny asked for access to the log (Logstash), and overall it is handy to have @DannyS712 to be able to access security tasks that often deal with the inner of MediaWiki.

My first time dealing with this type of request here, so thanks for the patience. I'm not sure the process here, so I'll ask what is perhaps a dumb question: would it makes sense for someone to verify the signature and do Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki. before I sign off?

Or are doing those things gated on me first approving?

My first time dealing with this type of request here, so thanks for the patience. I'm not sure the process here, so I'll ask what is perhaps a dumb question: would it makes sense for someone to verify the signature and do Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki. before I sign off?

Or are doing those things gated on me first approving?

My understanding is that you can approve it at any point, since I won't actually be added to the group until all of the requirements are met.
For verifying the signature, someone with access just needs to confirm that I have indeed signed L2 (I did so back in June)
For checking the manager's phabricator account, some helpful links:

So we might need a confirmation from someone that @thcipriani really is a WMF manager?

My first time dealing with this type of request here, so thanks for the patience. I'm not sure the process here, so I'll ask what is perhaps a dumb question: would it makes sense for someone to verify the signature and do Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki. before I sign off?

Or are doing those things gated on me first approving?

My understanding is that you can approve it at any point, since I won't actually be added to the group until all of the requirements are met.
For verifying the signature, someone with access just needs to confirm that I have indeed signed L2 (I did so back in June)
For checking the manager's phabricator account, some helpful links:

So we might need a confirmation from someone that @thcipriani really is a WMF manager?

heh, page creation on mediawiki.org date of 2015-02-09 would mean you're running quite a long con to get NDA access :P

Here's some proof I control both the SUL account and the TCipriani_(WMF) mediawiki account: https://wikitech.wikimedia.org/w/index.php?title=User:Thcipriani&redirect=no

Thanks for the help on this.

I approve.

thcipriani updated the task description. (Show Details)Tue, Nov 10, 11:17 PM
Urbanecm removed gsingers as the assignee of this task.Wed, Nov 11, 4:45 AM

@Aklapper are you able to verify the signature, or do you know who can?

If this is about L2, then I can confirm that https://phabricator.wikimedia.org/legalpad/signatures/2/ lists @DannyS712 as having signed L2 on 2020-06-25.

If this is about L2, then I can confirm that https://phabricator.wikimedia.org/legalpad/signatures/2/ lists @DannyS712 as having signed L2 on 2020-06-25.

In that case, would you be willing to conduct the checks remaining and add me to the group?

Everything seems to be in place now, I'm adding DannyS712 to cn=nda.

Change 640810 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add DannyS712 to cn=nda

https://gerrit.wikimedia.org/r/640810

Change 640810 merged by Muehlenhoff:
[operations/puppet@production] Add DannyS712 to cn=nda

https://gerrit.wikimedia.org/r/640810

MoritzMuehlenhoff closed this task as Resolved.Thu, Nov 12, 1:25 PM
MoritzMuehlenhoff claimed this task.

@DannyS712 You've been added to cn=nda, I'm closing the task, but please reopen if you run into any issues :-)

Aklapper reopened this task as Open.Thu, Nov 12, 1:39 PM

Reopening as DannyS712 has not been added yet to WMF-NDA

DannyS712 removed MoritzMuehlenhoff as the assignee of this task.Thu, Nov 12, 2:25 PM
MoritzMuehlenhoff closed this task as Resolved.Thu, Nov 12, 2:32 PM
MoritzMuehlenhoff updated the task description. (Show Details)

I've also added DannyS712 to WMF-NDA now