
Requesting access to production infrastructure services for jgiannelos
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Jgiannelos
  • Preferred shell username: jgiannelos
  • Email address: jgiannelos@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6MjmxioZ+KwKPyFVIfeuG82b0db+VwpBf+EyCIbr4F nemo@nemoworld-wikimedia
  • Requested group membership:
    • maps-admins
    • kartotherian-admin
    • tilerator-admin
    • mobileapps-admin
    • deploy-service
    • proton-admins
  • Reason for access: Deployments and maintenance of production infrastructure services. I currently work on mediawiki/services/mobileapps and push notifications which is not yet deployed
  • Name of approving party (hiring manager for WMF staff): Daniel Cipoletti
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: I acknowledge that
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet and is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access and not shared with any other service (this includes not sharing it with WMCS access; no shared keys).
  • Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff).
  • Must have approval from RelEng to be added to the deployment group.
  • Non-sudo requests: a 3 business day wait must pass with no objections being noted on the task.
  • Patchset for access request.
  • Add user to the wmf-deployment Gerrit group: https://gerrit.wikimedia.org/r/admin/groups/21,members

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Restricted Application added a project: Operations. Jul 6 2020, 9:06 AM
Restricted Application added a subscriber: Aklapper.

Adding my manager @dcipoletti in the loop

Jgiannelos added a comment. (Edited) Jul 6 2020, 9:11 AM

Regarding Requested group membership:

I am not sure which are the specific groups.
@MSantos do you know if there is any standard set of groups our team needs to be in?

Looking at the puppet repository here is some that look relevant to product infrastructure projects:

  • deployment
  • maps-admins
  • kartotherian-admin
  • tilerator-admin
  • mobileapps-admin
  • deploy-service
  • proton-admins
jcrespo added subscribers: thcipriani, jcrespo. (Edited) Jul 6 2020, 9:18 AM

@thcipriani I believe you will be the service owner approving this access. Can you work with the requester (or assign one of your direct reports to work with him to understand better the needed access) and once it is clear, approve if it proceeds?

Regarding Requested group membership:

I am not sure which are the specific groups.
@mateusbs17 do you know if there is any standard set of groups our team needs to be in

There's nobody with the name "mateusbs17" as far as I can see on Phabricator. You might want to check what their username is and make sure they are aware.

jcrespo updated the task description. (Show Details)Jul 6 2020, 9:19 AM

@RhinosF1 I updated the username.

jcrespo updated the task description. (Show Details)Jul 6 2020, 9:29 AM

Not checking yet:

full reasoning for access

As, while everything required has been provided, the groups requested are not 100% set on stone, we will check that as done once we have a final request proposal.

@Jgiannelos I think it may help if you could expand on "I currently work on mediawiki/services/mobileapps and push notifications which is not yet deployed". I believe that mobile deployment, other service deployment and mediawiki core/extensions deployment have a different set of permissions/workflow. Maybe elaborating on those would help understanding which deployment rights are needed. But Releng are likely to know more.

jcrespo updated the task description. (Show Details)Jul 6 2020, 9:41 AM
jcrespo updated the task description. (Show Details)

Thanks @jcrespo for helping with the ticket. I will also consult my manager and @MSantos who helped me with onboarding about the specific groups.

Change 609752 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] [WIP] Add Jgiannelos production access

https://gerrit.wikimedia.org/r/609752

jcrespo triaged this task as Medium priority.Jul 6 2020, 9:52 AM
jcrespo moved this task from Backlog to Acknowledged on the Operations board.

Approving access request for @Jgiannelos

@thcipriani I believe you will be the service owner approving this access. Can you work with the requester (or assign one of your direct reports to work with him to understand better the needed access) and once it is clear, approve if it proceeds?

  • For working on mobileapps deploy-service will be needed -- +1 from me.
  • deployment is primarily for mediawiki deployers to perform admin tasks (restarting apache and php), so I'm not clear if/why that's needed: is the intention to perform backport/config deploys @Jgiannelos?

The non-deployment groups: I don't have much insight into/am not the service owner.

@thcipriani I believe you will be the service owner approving this access. Can you work with the requester (or assign one of your direct reports to work with him to understand better the needed access) and once it is clear, approve if it proceeds?

  • For working on mobileapps deploy-service will be needed -- +1 from me.
  • deployment is primarily for mediawiki deployers to perform admin tasks (restarting apache and php), so I'm not clear if/why that's needed: is the intention to perform backport/config deploys @Jgiannelos?

The non-deployment groups: I don't have much insight into/am not the service owner.

Regarding access to the deployment group, our team is working more with MediaWiki as our road-map evolves, but I think @Mholloway or @dr0ptp4kt should weigh on this.

The non-deployment groups are correct and reflect our stewardship.

I believe what's appropriate here is the set of distinct permissions formed from the union of permissions granted to @Mholloway and @MSantos and @bearND, Michael does that sound right?

TL;DR The list that @Jgiannelos provided in T257187#6280766 looks good to me.

I did some digging, and @bearND and I were added to the deployment group in https://gerrit.wikimedia.org/r/c/operations/puppet/+/233685 in order to access tin (the old deployment host). @Jgiannelos will need access to the deployment servers to deploy our services (and probably MediaWiki stuff sooner or later), but if that doesn't require deployment group membership (or doesn't anymore) then it shouldn't be necessary at this point.

I believe what's appropriate here is the set of distinct permissions formed from the union of permissions granted to @Mholloway and @MSantos and @bearND, Michael does that sound right?

The union of our group memberships is probably slightly overbroad. @Jgiannelos definitely won't need membership in releasers-mobile, which Bernd and I have from back in our Android team days and I think just gives permission to upload app releases for distribution at https://releases.wikimedia.org/mobile/.

Bernd and I also both have analytics-privatedata-users, which probably isn't strictly necessary at this point but wouldn't hurt either.

I did some digging, and @bearND and I were added to the deployment group in https://gerrit.wikimedia.org/r/c/operations/puppet/+/233685 in order to access tin (the old deployment host). @Jgiannelos will need access to the deployment servers to deploy our services (and probably MediaWiki stuff sooner or later), but if that doesn't require deployment group membership (or doesn't anymore) then it shouldn't be necessary at this point.

Ah, yeah, that patchset definitely pre-dates the deploy-service group.

My understanding is that since the deploy-service group is listed in admin::groups in hiera data for the deployment host (https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/hieradata/role/common/deployment_server.yaml#8) that should grant access to the deployment boxen without the need for the deployment group.
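Added example, not code from this task or from the operations/puppet repository: a small Python check of the reasoning in the two comments above, which resolve "does group X reach the deployment host?" by looking at the admin::groups list in a role's hieradata, and which compare a candidate group list against the union of colleagues' memberships. The group data and role hieradata below are constructed dictionaries modelled loosely on the shape of the puppet admin module's data (groups with members and sudo privileges, roles with an admin::groups list); the user names, group names, role names and sudo rules are all invented for illustration and are not the real cluster data.

```python
"""Review a production access request against group and role data.

Added example, not project code. ADMIN_DATA and ROLE_HIERA are constructed
stand-ins for the puppet admin module data and per-role hieradata; every
name, member and sudo rule in them is invented for illustration.
"""

# Constructed group data: who is a member, and what sudo rules the group carries.
ADMIN_DATA = {
    "groups": {
        "deploy-service": {
            "members": ["alice"],
            "privileges": ["ALL = (deploy-service) NOPASSWD: ALL"],
        },
        "deployment": {
            "members": ["alice", "bob"],
            "privileges": ["ALL = NOPASSWD: /usr/sbin/service apache2 restart"],
        },
        "mobileapps-admin": {
            "members": ["bob"],
            "privileges": ["ALL = (mobileapps) NOPASSWD: ALL"],
        },
        "releasers-mobile": {
            "members": ["bob"],
            "privileges": [],
        },
    }
}

# Constructed role hieradata: which groups get a login on hosts of each role.
ROLE_HIERA = {
    "deployment_server": {"admin::groups": ["deployment", "deploy-service"]},
    "scb": {"admin::groups": ["mobileapps-admin"]},
    "releases": {"admin::groups": ["releasers-mobile"]},
}


def groups_of(admin_data, user):
    """Groups that list `user` as a member."""
    return {
        name
        for name, spec in admin_data["groups"].items()
        if user in spec.get("members", [])
    }


def roles_reachable(role_hiera, groups):
    """Host roles whose admin::groups list intersects `groups`."""
    return {
        role
        for role, hiera in role_hiera.items()
        if set(hiera.get("admin::groups", [])) & set(groups)
    }


def union_of_memberships(admin_data, users):
    """The 'union of colleagues' groups' heuristic; tends to be overbroad."""
    groups = set()
    for user in users:
        groups |= groups_of(admin_data, user)
    return groups


def review_request(admin_data, role_hiera, requested):
    """Per requested group: roles it opens, whether the other requested groups
    already open all of those roles (host-access overlap), and its sudo rules.
    Overlapping groups are not automatically redundant: the sudo rules still
    differ, so the reviewer should check `sudo` before dropping one.
    Unknown groups are an error rather than silently granting nothing."""
    unknown = [g for g in requested if g not in admin_data["groups"]]
    if unknown:
        raise ValueError(f"unknown groups in request: {sorted(unknown)}")
    report = {}
    for group in requested:
        roles = roles_reachable(role_hiera, {group})
        others = roles_reachable(role_hiera, set(requested) - {group})
        report[group] = {
            "roles": roles,
            "overlaps": bool(roles) and roles <= others,
            "sudo": list(admin_data["groups"][group].get("privileges", [])),
        }
    return report


if __name__ == "__main__":
    requested = ["deployment", "deploy-service", "mobileapps-admin"]
    for group, info in review_request(ADMIN_DATA, ROLE_HIERA, requested).items():
        print(group, sorted(info["roles"]), "overlap" if info["overlaps"] else "", info["sudo"])
    print("union of alice+bob:", sorted(union_of_memberships(ADMIN_DATA, ["alice", "bob"])))
```

With the constructed data, both "deployment" and "deploy-service" reach the deployment_server role, so each is reported as overlapping the other for host access while their sudo rules differ; that is the distinction the discussion above draws between needing a login on the deployment host and needing the deployment group's admin privileges. The union of the two colleagues' memberships pulls in "releasers-mobile", which reaches only the releases role, illustrating why the union heuristic should be trimmed rather than copied.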

jcrespo updated the task description. (Show Details)Jul 8 2020, 9:38 AM
jcrespo added a comment. (Edited) Jul 8 2020, 9:42 AM

May I ask you to update the list of requested groups on the description?

deploy-service was approved to proceed at T257187#6282174. What are the other groups finally requested after consultation?

The rest of the groups seem reasonable and within the approval of @dcipoletti, so scheduling this for deploy.

Change 609752 merged by Jcrespo:
[operations/puppet@production] admin: Add Jgiannelos production access

https://gerrit.wikimedia.org/r/609752

jcrespo closed this task as Resolved. Jul 10 2020, 8:53 AM
jcrespo claimed this task.

Access request has been merged:

Notice: /Stage[main]/Admin/Admin::Hashuser[jgiannelos]/Admin::User[jgiannelos]/User[jgiannelos]/ensure: created
Notice: /Stage[main]/Admin/Admin::Hashuser[jgiannelos]/Admin::User[jgiannelos]/File[/home/jgiannelos]/ensure: created

Please wait 30 minutes until access is fully applied to all relevant hosts and then try confirming access following the instructions as described at: https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_access

If you have any problem or difficulty accessing, please reopen the ticket and ping me so we can debug the issues.