Requesting access to production shell and wmf ldap access for Razzi Abuissa
Closed, ResolvedPublicRequest
Actions

Assigned To

Authored By

	• razzi
	Aug 27 2020, 6:27 PM

Description

Note that since I'm an SRE, I'll be creating the puppet patch to add myself to the posix groups, and a teammate will merge it.

Requestor provided information and prerequisites

Wikitech username: razzi
Preferred shell username: razzi
Email address: rabuissa@wikimedia.org
Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOETw1B56Sj5+s2mssruTQRZqaveOf2ortJbawxiUE3 razzi@razzi-macbook-air
Requested group membership: analytics-privatedata-users analytics-admins
Reason for access: Starting work as SRE on Analytics team
Name of approving party (hiring manager for WMF staff): Nuria Ruiz
Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: Acknowledged
Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

- User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
- User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
- User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
- User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
- access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
- Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

	Subject	Repo	Branch	Lines +/-
	Add razzi to ops group	operations/puppet	production	+2 -1
	admin: Add razzi to users and add to analytics groups	operations/puppet	production	+17 -8

Customize query in gerrit

Event Timeline

• razzi created this task.Aug 27 2020, 6:27 PM

Restricted Application added a project: SRE. · View Herald TranscriptAug 27 2020, 6:27 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

• razzi renamed this task from Requesting access to production shell for Razzi Abuissa to Requesting access to production shell and wmf ldap access for Razzi Abuissa.Aug 27 2020, 6:30 PM

• razzi added a project: LDAP-Access-Requests.

jijiki assigned this task to • razzi.Aug 27 2020, 7:49 PM

jijiki triaged this task as Medium priority.

Change 622878 had a related patch set uploaded (by Razzi; owner: Razzi):
[operations/puppet@production] admin: Add razzi to users and add to analytics groups

https://gerrit.wikimedia.org/r/622878

gerritbot added a project: Patch-For-Review.Aug 27 2020, 10:44 PM

Change 622878 merged by Ottomata:
[operations/puppet@production] admin: Add razzi to users and add to analytics groups

https://gerrit.wikimedia.org/r/622878

Ottomata updated the task description. (Show Details)Aug 28 2020, 2:47 PM

LDAP wmf addition done:

[@mwmaint1002:/home/otto] $ ldapsearch -x cn=wmf | grep razzi
member: uid=razzi,ou=people,dc=wikimedia,dc=org

And shell access added too! @razzi, you should be able to log into e.g stat boxes, like stat1008.eqiad.wmnet.

Maintenance_bot removed a project: Patch-For-Review.Aug 28 2020, 3:10 PM

Hi @razzi Check out https://wikitech.wikimedia.org/wiki/Bastion and https://wikitech.wikimedia.org/wiki/Production_access#SSH_configuration for how to configure your SSH client to jump via one of the bastion hosts to a host behind it, such as stat1008 which Ottomata mentioned.

You can use any bastion host but the one closest to you physically is recommended.

You can first try direct SSH to a bastion host and as a second step to use ProxyJump / ProxyCommand to connect to other hosts in the private .wmnet space behind it. Feel free to ping on IRC if there are questions or issues.

SSH is working! Thanks all

Change 627895 had a related patch set uploaded (by Razzi; owner: Razzi):
[operations/puppet@production] Add razzi to ops group

https://gerrit.wikimedia.org/r/627895

Change 627895 merged by Ottomata:
[operations/puppet@production] Add razzi to ops group

https://gerrit.wikimedia.org/r/627895

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2020, 7:11 PM

hashar added a project: Gerrit-Privilege-Requests.Sep 21 2020, 7:10 PM

Requested by @Ottomatta and as a Gerrit administrator, I have added @razzi to the Gerrit Analytics group ( https://gerrit.wikimedia.org/r/admin/groups/d34747bee94be39cff54b5fda1ae36b575107792,members ):

19:12 	<hashar> 	Adding Razzi (new SRE) to Gerrit Analytics group # T261443

Thank you!

MarcoAurelio moved this task from Backlog to Resolved on the Gerrit-Privilege-Requests board.Oct 5 2020, 2:26 PM

Aklapper removed a project: Gerrit-Privilege-Requests.Jan 15 2021, 1:32 PM

This was a legit Gerrit-Privilege-Request and it was resolved. Why are we removing project tags after the fact now?

@Dzahn: In my understanding this ticket wasn't a request for any direct Gerrit-Privilege-Requests itself, but instead for LDAP membership in the wmf group (and the Gerrit group then derive this member from that LDAP groups). There are already a bunch of tags for that still tagged on this ticket.

"Gerrit Analytics Group" is different from membership in wmf LDAP though. It's a custom Gerrit group.

Requesting access to production shell and wmf ldap access for Razzi AbuissaClosed, ResolvedPublicRequestActions