WMF-NDA access for DannyS712
Closed, ResolvedPublic

Assigned To
None
Authored By
DannyS712
Jun 25 2020, 12:15 PM

Description

Hi. I'd like to request access to WMF-NDA

  • Use case / needs: I'd like to be able to work on the restricted tasks (I've filed a fair number myself as well). If I understand correctly the NDA is also a prerequisite for requesting access to logstash in the future
  • Wikimedia Foundation employees supporting request: @daniel, @hashar, @Aklapper, @Niharika, @CDanis, @thcipriani

Checklist from Wikitech

  • At least one comment of support from a Wikimedia Foundation employee, explaining why it is a good idea to accept your request
  • A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you).
  • Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.
  • Make DannyS712 a member of the "WMF-NDA-Requests" project so they can sign {L2}.
  • DannyS712 to sign {L2}
  • Verify the signature.
  • Get sign off by a C-level staff of the Wikimedia Foundation. (T256367#6617971)
  • Add DannyS712 to WMF-NDA

Event Timeline

Restricted Application added a subscriber: Aklapper.

Nice! You should be able to access L2 now.
Also note that I don't know what acl*security_volunteer is or what it is used for. Please create a separate request for that - thanks!

DannyS712 updated the task description.

Signed. Will file a separate task for security access once this is resolved

I support DannyS712's request. In particular, access to logstash would be useful for investigating issues.

DannyS712 is a prolific and diligent engineer, who quickly responds to requests and upcoming issues. Having DannyS712 help out with investigating incidents would be valuable.

This being said, I do not know anything about DannyS712 outside of what I have seen on Gerrit and Phabricator and a handful of Emails. I have never met them in person, nor do I know anything about their background.

@daniel can you ask your manager to take a look and (hopefully) approve this?

I can try, but there really isn't an established process for this I'm afraid.

I was following the steps laid out in https://wikitech.wikimedia.org/wiki/Volunteer_NDA

Yes, sure. What I meant is: there is no established process by which managers decide who should be supported in getting access. This doesn't happen often these days, so I guess it's a first for everyone involved.

Not a (fulltime) WMF contractor, but I support this access request, because Danny is an active volunteer involved in MediaWiki development. Having logstash access would improve their ability to help the movement.

DannyS712 has been instrumental in the recent Revision deprecation, access to at least logstash would definitely be helpful.

+1 to this request, so we have 3½ WMF staff folks supporting this.

@daniel: Who is your manager, and can that person please be subscribed on this task (to potentially approve this request)? Thanks.

I think @WDoranWMF wanted to check higher up the chain of command. This isn't something we do frequently, so the criteria are unclear.

@daniel @hashar Can one of you ask your manager to have a look at this request?

I'll +1 this too. @DannyS712 has been extremely helpful in fixing bugs and issues proactively.

Pinging @WDoranWMF again and @DannyH (my manager).

I also support this proposal. @DannyS712 has been very helpful in all sorts of production firefighting recently -- of particular note, T264369

@greg @thcipriani @faidon @mark Can one of you please help move this along?

I also support this proposal. @DannyS712 has been very helpful in raising issues related to upcoming deployments (not to mention fixing issues as they arise). @DannyS712's troubleshooting help is invaluable and I support giving them the access they need to be more effective.

As volunteer, I support this request, per all reasons which others mentioned already. :)

I am sorry that this request is taking quite some time. WMF needs to sort out the internal parts of this process better. I've asked some folks to clarify the process.

I see that @thcipriani has added a check to the "A comment of approval from one Wikimedia Foundation manager (usually the manager of an employee supporting you)." requirement
Can someone please double-check the related SUL account, etc. and verify that this is proper?
Other than verifying my signature (I signed this a while ago), it looks like the only thing left should be "Get sign off by a C-level staff of the Wikimedia Foundation." - I wonder how long that will take

I guess the last signoff needs to be from @gsingers as the CTO?

From what I can tell the procedure described in https://wikitech.wikimedia.org/wiki/Volunteer_NDA is outdated and no longer accurate. All current NDA access requires an NDA signed with the Legal department (it's still a digital signature, but different from clicking https://phabricator.wikimedia.org/L2).

Let me clarify this and then I'll report back to this task in the next days.

I've confirmed with Legal; for access to the NDA Phabricator project the procedure at https://wikitech.wikimedia.org/wiki/Volunteer_NDA is still enough; only privileged LDAP and shell access need the full-blown NDA.

@MoritzMuehlenhoff Hello, since Danny would like to request logstash access (ie. nda LDAP group), based on your comment, it seems that the full NDA would be needed. Could you please help to start the process? Thanks!

Indeed - given how long this NDA has taken, if possible I'd like to start the process for the logstash one now

I guess the last signoff needs to be from @gsingers as the CTO?

{{ping}} just want to make sure you saw this @gsingers

{{ping}} just want to make sure you saw this @MoritzMuehlenhoff

Sorry, I missed your ping.

I'm adding @KFrancis from the WMF's Legal department to the task to handle this.

@MoritzMuehlenhoff Please email (kfrancis@wikimedia.org) me the user's full name, mailing address, and the type of access they will need.

@DannyS712 can you get in touch with @KFrancis by email please? For the NDA, the foundation needs your real name, a real world address.

@KFrancis For the type of access: "privileged LDAP access" , ie add the person to the nda group.

Sent

@MoritzMuehlenhoff @DannyS712 Sorry for the delay on this.. I just need to know the name of the group for LDAP access?

@MoritzMuehlenhoff @DannyS712 The NDA has been sent for signatures. I'll confirm when it's complete.

To be clear, that NDA is separate from this request, which is pending approval from @gsingers

@MoritzMuehlenhoff Confirming the signed NDA! Thanks for your patience!

For the Get sign off by a C-level staff of the Wikimedia Foundation step, it seems @gsingers as head of Technology is the most appropriate person.

For the context @DannyS712 has done, and still does, a lot of refactoring and cleaning in MediaWiki. Even though that is peer reviewed, tested via CI etc, sometimes an issue strikes production or can't be analyzed outside of production. Hence Danny asked for access to the log (Logstash), and overall it is handy to have @DannyS712 to be able to access security tasks that often deal with the inner of MediaWiki.

My first time dealing with this type of request here, so thanks for the patience. I'm not sure the process here, so I'll ask what is perhaps a dumb question: would it make sense for someone to verify the signature and do "Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki." before I sign off?

Or are doing those things gated on me first approving?

My understanding is that you can approve it at any point, since I won't actually be added to the group until all of the requirements are met.
For verifying the signature, someone with access just needs to confirm that I have indeed signed L2 (I did so back in June)
For checking the manager's phabricator account, some helpful links:

So we might need a confirmation from someone that @thcipriani really is a WMF manager?

heh, page creation on mediawiki.org date of 2015-02-09 would mean you're running quite a long con to get NDA access :P

Here's some proof I control both the SUL account and the TCipriani_(WMF) mediawiki account: https://wikitech.wikimedia.org/w/index.php?title=User:Thcipriani&redirect=no

Thanks for the help on this.

I approve.

@Aklapper are you able to verify the signature, or do you know who can?

If this is about L2, then I can confirm that https://phabricator.wikimedia.org/legalpad/signatures/2/ lists @DannyS712 as having signed L2 on 2020-06-25.

In that case, would you be willing to conduct the checks remaining and add me to the group?

Everything seems to be in place now, I'm adding DannyS712 to cn=nda.

Change 640810 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add DannyS712 to cn=nda

https://gerrit.wikimedia.org/r/640810

Change 640810 merged by Muehlenhoff:
[operations/puppet@production] Add DannyS712 to cn=nda

https://gerrit.wikimedia.org/r/640810

MoritzMuehlenhoff claimed this task.

@DannyS712 You've been added to cn=nda, I'm closing the task, but please reopen if you run into any issues :-)

Reopening as DannyS712 has not been added yet to WMF-NDA

MoritzMuehlenhoff updated the task description.

I've also added DannyS712 to WMF-NDA now

@KFrancis @MoritzMuehlenhoff it's a bit late to be asking this, but I just realized - if the nda says everything I see from my ldap access is confidential, including logstash info (which makes sense), am I allowed to post stack traces from logstash as part of reporting issues? The stack trace is then publicly available, and while it doesn't include any personal information, it is probably still covered by the wording

@DannyS712 IANAL, but the NDA is primarily intended to protect personally identifiable information (PII) (and to some extent also information which could affect the security of PII data and the infrastructure at large). As such posting a stack trace is typically fine (but make sure to e.g. strip IP addresses which could be part of the stack trace).

Good call. I can only confirm what Moritz said: in practice, it's taken to mean that you do not expose PII or security relevant information (vulnerabilities, passwords, etc). We make public hand-picked internal information, such as stack traces, as a matter of course on a daily basis. We even have support built into Kibana for posting this kind of information to phabricator (it's called phatality). Note that phatality will include the request URL per default, which may have to be redacted in some cases.

@KFrancis can you confirm if this is the intent?

@DannyS712 Hello! Sorry for the delay in responding. Would you mind sending me an email at kfrancis@wikimedia.org? I need to loop in legal counsel. Thanks!

{{done}}