
Requesting access to restricted production access and analytics-privatedata-users for Zxane Soo
Closed, Resolved (Public)

Description

  • Wikitech username: Zsoo
  • Preferred shell username: zxane
  • Email address: zsoo at wikimedia.org

SSH Key: ssh-rsa [key body elided] zxane@Zxanes-MBP

Similarly to T256971, I'd like to request access for @ZS. He is a member of the Trust & Safety Operations team alongside @jrbs, me, and other collaborators.

Specifically, some of the workflows he needs to be able to perform (and which I believe require this access):

  • To remove 2FA for users who have lost their backup codes (after identity verification)
  • To add or reset user email addresses when locked out of their account (again after identity verification)
  • To permanently remove illegal images from the servers
  • Look up private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Zxane has already signed L3. @JanWMF is our people manager and I'll have him comment here in support. As always please let me know if any issues or questions.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. - signed on Thu, Nov 5, 10:47
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.) - user is staff
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access; no shared keys). - this was provided on task by Samuel Guebo, but we need the pubkey confirmed by ZS.
  • Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • Sudo access request requires sign-off of the manager in charge of that group: restricted is a sudo group of deployment; (analytics-privatedata-users) - approved on comment T267312#6607624
  • Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

So there is an issue here, and unfortunately without @ZS commenting directly, this is blocked.

The task was filed by @sguebo_WMF, who pasted in what they state is @ZS's public SSH key. Unfortunately, this has no actual accountability, so we'll need @ZS to please comment and paste/confirm their public SSH key.

Sorry to block, but party X saying that an SSH pub key they provide belongs to party Y isn't legit =]. (Nothing personal!)

RobH added a subscriber: Nuria.
This comment was removed by RobH.
RobH triaged this task as Medium priority. Nov 5 2020, 9:32 PM
RobH removed a subscriber: Nuria.

These approvals are now handled by @Ottomata

RobH added a subscriber: Nuria.

> These approvals are now handled by @Ottomata

Apologies, it turns out analytics-privatedata-users doesn't appear to be a sudo role? (It has no sudo lines in the admin module.) So I suspect we don't need Analytics sign-off for additions to analytics-privatedata-users.

@Ottomata, that right?

This request includes the 'restricted' user group, which is a sudo enabled group for deployment access to mwmaint, mwlog, and bastions.

restricted:  # Is a subset of the deployment group
    gid: 706
    description: access to mwmaint hosts, mwlog hosts (private data) and bastion hosts
                 restricted folks use sudo to access www-data resources
    privileges: ['ALL = (www-data) NOPASSWD: ALL']

Since this is a sudo inclusion request, this must be approved by whoever manages the 'restricted' group. Unfortunately, I do not know who that person would be, so I am asking around.
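The distinction RobH draws above, a group is a sudo group only when its admin-module definition carries `privileges` lines, can be checked mechanically. The following is an added example and not code from this task or from the puppet admin module: a stdlib-only Python helper that parses sudoers-style privilege strings such as the `ALL = (www-data) NOPASSWD: ALL` line quoted above and reports which groups would need the group manager's sign-off. The group definitions are constructed inline in the admin module's layout; the placeholder gid for analytics-privatedata-users is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Added audit helper, not code from the puppet admin module. Parses the
# sudoers-style 'privileges' strings in group definitions, for example
# 'ALL = (www-data) NOPASSWD: ALL'. Sudoers subset handled:
#   <hosts> = [(<runas_user>[:<runas_group>])] [TAG: ...] <command>
PRIV_RE = re.compile(
    r"^\s*(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas_user>[^:)]*)(?::(?P<runas_group>[^)]*))?\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<command>.+?)\s*$"
)

@dataclass
class Privilege:
    hosts: str
    runas_user: str            # sudoers defaults to root when no (runas) is given
    runas_group: Optional[str]
    tags: list
    command: str

    @property
    def runs_as_root(self) -> bool:
        return self.runas_user in ("root", "ALL")

    @property
    def passwordless(self) -> bool:
        return "NOPASSWD" in self.tags

def parse_privilege(line: str) -> Privilege:
    m = PRIV_RE.match(line)
    if not m:
        raise ValueError(f"unparseable privilege line: {line!r}")
    group = m.group("runas_group")
    return Privilege(hosts=m.group("hosts"),
                     runas_user=(m.group("runas_user") or "").strip() or "root",
                     runas_group=group.strip() if group else None,
                     tags=re.findall(r"[A-Z_]+", m.group("tags")),
                     command=m.group("command"))

def needs_sudo_signoff(groups: dict) -> dict:
    """True for groups with at least one (valid) sudo line: those need the group manager's approval."""
    return {name: bool([parse_privilege(p) for p in spec.get("privileges", [])])
            for name, spec in groups.items()}
# Constructed sample in the admin module's layout: 'restricted' as quoted in this
# task; 'analytics-privatedata-users' with no sudo lines, as noted above.
SAMPLE_GROUPS = {
    "restricted": {"gid": 706, "privileges": ["ALL = (www-data) NOPASSWD: ALL"]},
    "analytics-privatedata-users": {"gid": 999},   # constructed placeholder gid
}
```

Running `needs_sudo_signoff` over a group dump before merging an access patch gives the clinic-duty reviewer the sudo/non-sudo split from the checklist without reading every group by hand.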

> So there is an issue here, and unfortunately without @ZS commenting directly, this is blocked.
>
> The task was filed by @sguebo_WMF, who pasted in what they state is @ZS's public SSH key. Unfortunately, this has no actual accountability, so we'll need @ZS to please comment and paste/confirm their public SSH key.
>
> Sorry to block, but party X saying that an SSH pub key they provide belongs to party Y isn't legit =]. (Nothing personal!)

> Apologies, it turns out analytics-privatedata-users doesn't appear to be a sudo role? (It has no sudo lines in the admin module.) So I suspect we don't need Analytics sign-off for additions to analytics-privatedata-users.

Hm, I think historically Nuria has approved access to this group, and we should probably keep it that way. :)

Anyway, approved! My understanding is that @ZS is a full time WMF employee, so please add them to the wmf LDAP group as well, if they aren't already in it.

Team, thanks for working on this. I note that I have to input my own SSH key, which will be the one below. Cheers!

SSH Key: ssh-rsa [key body elided] zxane@Zxanes-MBP

RobH updated the task description.

Tyler,

Inclusion in the 'restricted' group includes sudo rights on mwlog and mwmaint hosts. In IRC discussion, it was determined you are the most likely manager to handle approvals to that group, being RelEng. So I've assigned this to you for feedback/approval on adding @ZS (WMF staff) to the 'restricted' sudo group.

Please comment with approval (or questions) and assign to whoever is on SRE clinic duty (I'm on through end of today): https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#Schedule

thcipriani added a subscriber: thcipriani.

> Tyler,
>
> Inclusion in the 'restricted' group includes sudo rights on mwlog and mwmaint hosts. In IRC discussion, it was determined you are the most likely manager to handle approvals to that group, being RelEng. So I've assigned this to you for feedback/approval on adding @ZS (WMF staff) to the 'restricted' sudo group.
>
> Please comment with approval (or questions) and assign to whoever is on SRE clinic duty (I'm on through end of today): https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#Schedule

Approved. restricted membership required for "Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)".

Change 639802 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding user zxane

https://gerrit.wikimedia.org/r/639802

Change 639802 merged by RobH:
[operations/puppet@production] adding user zxane

https://gerrit.wikimedia.org/r/639802

Both groups requested have been approved by the managers of those shell groups, so access has been merged live.

> Anyway, approved! My understanding is that @ZS is a full time WMF employee, so please add them to the wmf LDAP group as well, if they aren't already in it.

Done