Page MenuHomePhabricator
Create Task
Maniphest T263191

Allow Nicholas Skaggs to issue icinga commands
Closed, ResolvedPublic
Actions

Description

In the same vein as T220887, as a non-global root but WMCS admin, I would like to be able to downtime hosts as needed utilizing the incinga web UI.

Details

SubjectRepoBranchLines +/-
icinga: Let Nskaggs issues commands on all hosts and servicesoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

nskaggs created this task.Sep 17 2020, 8:58 PM
Restricted Application added a project: SRE. · View Herald TranscriptSep 17 2020, 8:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Sep 17 2020, 9:00 PM

Change 628196 had a related patch set uploaded (by Nskaggs; owner: Nskaggs):
[operations/puppet@production] icinga: Let Nskaggs issues commands on all hosts and services

https://gerrit.wikimedia.org/r/628196

gerritbot added a project: Patch-For-Review.Sep 17 2020, 9:00 PM
RLazarus subscribed.Sep 17 2020, 10:16 PM

I see you already put this on the agenda for the next SRE meeting on Monday, thanks. :) I expect it'll be uncontroversial, but if you don't need it urgently, we'll bring it up at the meeting and get it merged that afternoon.

RLazarus triaged this task as Medium priority.Sep 17 2020, 10:17 PM
Dzahn subscribed.Sep 18 2020, 5:06 PM

This is usually done without separate access request for all users who have root shell. The difference here would just be "prod root" vs. "wmcs / cloud root".

In theory this is not needed because Icinga users should be able to run commands on all services they are contacts for anyways. So if the user is in a contact group and that contact group is used for the Icinga checks then they should have all those privileges already. Since previous work on contactgroups and wmcs-related alerts this might already just work.

The change in the cgi.cfg is just a global override that allows them _beyond_ that; it does not consider contactgroups.

That being said, i still think this is uncontroversial and we can just merge in on Monday. Because if we don't there are likely going to be some special cases and this is just the easier path forward.

Peachey88 moved this task from Untriaged to SRE Meeting Review on the SRE-Access-Requests board.Sep 18 2020, 10:53 PM
gerritbot added a comment.Sep 21 2020, 4:46 PM

Change 628196 merged by Dzahn:
[operations/puppet@production] icinga: Let Nskaggs issues commands on all hosts and services

https://gerrit.wikimedia.org/r/628196

Maintenance_bot removed a project: Patch-For-Review.Sep 21 2020, 5:11 PM
crusnov subscribed.EditedSep 21 2020, 8:30 PM

I see the patch is already merged, @nskaggs please test icinga command and followup so we can close ticket. Thanks!

Dzahn closed this task as Resolved.Sep 21 2020, 9:56 PM
Dzahn claimed this task.

He already confirmed it as well :)

17:43 < balloons> mutante, I successfully scheduled some downtime. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL