Page MenuHomePhabricator

Requesting access to production shell and wmf ldap access for Razzi Abuissa
Closed, ResolvedPublicRequest

Description

Note that since I'm an SRE, I'll be creating the puppet patch to add myself to the posix groups, and a teammate will merge it.

Requestor provided information and prerequisites

  • Wikitech username: razzi
  • Preferred shell username: razzi
  • Email address: rabuissa@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOETw1B56Sj5+s2mssruTQRZqaveOf2ortJbawxiUE3 razzi@razzi-macbook-air
  • Requested group membership: analytics-privatedata-users analytics-admins
  • Reason for access: Starting work as SRE on Analytics team
  • Name of approving party (hiring manager for WMF staff): Nuria Ruiz
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: Acknowledged
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
razzi renamed this task from Requesting access to production shell for Razzi Abuissa to Requesting access to production shell and wmf ldap access for Razzi Abuissa.Aug 27 2020, 6:30 PM
razzi added a project: LDAP-Access-Requests.
jijiki triaged this task as Medium priority.

Change 622878 had a related patch set uploaded (by Razzi; owner: Razzi):
[operations/puppet@production] admin: Add razzi to users and add to analytics groups

https://gerrit.wikimedia.org/r/622878

Change 622878 merged by Ottomata:
[operations/puppet@production] admin: Add razzi to users and add to analytics groups

https://gerrit.wikimedia.org/r/622878

LDAP wmf addition done:

[@mwmaint1002:/home/otto] $ ldapsearch -x cn=wmf | grep razzi
member: uid=razzi,ou=people,dc=wikimedia,dc=org

And shell access added too! @razzi, you should be able to log into e.g stat boxes, like stat1008.eqiad.wmnet.

Hi @razzi Check out https://wikitech.wikimedia.org/wiki/Bastion and https://wikitech.wikimedia.org/wiki/Production_access#SSH_configuration for how to configure your SSH client to jump via one of the bastion hosts to a host behind it, such as stat1008 which Ottomata mentioned.

You can use any bastion host but the one closest to you physically is recommended.

You can first try direct SSH to a bastion host and as a second step to use ProxyJump / ProxyCommand to connect to other hosts in the private .wmnet space behind it. Feel free to ping on IRC if there are questions or issues.

SSH is working! Thanks all

Change 627895 had a related patch set uploaded (by Razzi; owner: Razzi):
[operations/puppet@production] Add razzi to ops group

https://gerrit.wikimedia.org/r/627895

Change 627895 merged by Ottomata:
[operations/puppet@production] Add razzi to ops group

https://gerrit.wikimedia.org/r/627895

Requested by @Ottomatta and as a Gerrit administrator, I have added @razzi to the Gerrit Analytics group ( https://gerrit.wikimedia.org/r/admin/groups/d34747bee94be39cff54b5fda1ae36b575107792,members ):

19:12 	<hashar> 	Adding Razzi (new SRE) to Gerrit Analytics group # T261443

This was a legit Gerrit-Privilege-Request and it was resolved. Why are we removing project tags after the fact now?

@Dzahn: In my understanding this ticket wasn't a request for any direct Gerrit-Privilege-Requests itself, but instead for LDAP membership in the wmf group (and the Gerrit group then derive this member from that LDAP groups). There are already a bunch of tags for that still tagged on this ticket.

"Gerrit Analytics Group" is different from membership in wmf LDAP though. It's a custom Gerrit group.