Page MenuHomePhabricator

Requesting access to GLOBAL ROOT for David Caro
Closed, ResolvedPublicRequest


Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Full name: David Caro Estevez
  • Wikitech username: David Caro
  • Preferred shell username: dcaro
  • Email address:
  • Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrWIF528iRmgV89muq2ssjnMHfrgpzEMqOWCumafidg dcaro@magnum+prod
  • Requested group membership: ops
  • Reason for access: New hire for the WMCS team
  • Name of approving party (hiring manager for WMF staff): Nicholas Skaggs
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: Ack
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - non-staff requests: 3 business day wait must pass with no objections being noted on the task
  • - Approval of inclusion into 'ops' approved by owner of that group: @faidon or @mark - granted in last meeting for WMCS to Ops group additions.
  • - Patchset for access request -

For additional details regarding access request requirements, please see

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
aborrero triaged this task as High priority.Nov 2 2020, 5:10 PM
  • confirmed L3 signature 👍
  • [ldap-corp1001:~] $ /usr/bin/ldapsearch -x "mail=dcaro*@*" | grep -E 'employee|mail|manager' 👍 (confirms full time employee and who is manager, NDA included)
  • [mwmaint1002:~] $ /usr/bin/ldapsearch -x "uid=dcaro*" 👍 (confirms wikitech user, email, UID for puppet change, uidNumber: 25603)


@RobH See above, I did these things to verify the user but on vacation from tomorow. Since it's a global root access and I see you are clinic duty for week of Nov 2, could you double check and follow-up please.

@RobH See above, I did these things to verify the user but on vacation from tomorow. Since it's a global root access and I see you are clinic duty for week of Nov 2, could you double check and follow-up please.

It appears all is done except the patchset, but I wonder if this needs team review or is auto approved. As its global root, I'm erring on the side of caution. This likely needs meeting approval (old process) or at minimum the approval of the manager for the global roots group (which I'm guessing is either @faidon or @mark?)

Unfortunately, we just had our meeting this last Monday, and don't have another one due until 2020-11-16. I'll ask in IRC and ping mgmt directly for approvals.

Change 639198 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] Adding dcaro to ops group

I've not had to handle an access request with quite this much scope (global root) since our new policies for approval took effect. I'm assumign a few things:

  • We aren't modifying the 'ops' group rights, so this does NOT need SRE meeting approval.
  • We want to add someone to 'ops' which is a group controlled by SRE; SRE mangement needs to approve of this addition.

@mark or @faidon: Please review the above and attach approval or further info requirements and assign back to me (SRE clinic duty this week) to followup. Thanks!

Note: I assigned this to Faidon since my org chart terminates at him not Mark but this could be handled by either.

" Requesting access to GLOBAL ROOT for David Caro PROCEED, for later changes, follow the ownership of WMCS group (doesn’t need meeting approval)"

This was approved in the SRE meeting earlier this week, thanks to @RLazarus for pointing this out! I'll merge this now.

Change 639198 merged by RobH:
[operations/puppet@production] Adding dcaro to ops group

@dcaro: Your rights as 'ops' into the global root group have been merged live. Please allow an hour or so for this to propagate across the cluster.

RobH removed faidon as the assignee of this task.Nov 4 2020, 4:25 PM
RobH updated the task description. (Show Details)