Requesting access to gitlab1001 / gitlab1002 for Oly Kalinichenko from Speed & Function
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: OlyKalinichenkoSpeedAndFunction
  • Preferred shell username: aex
  • Email address: oly.kalinichenko@speedandfunction.com
  • SSH public key (must be dedicated key for wmf production):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEgeCnlFqvMSxmk5Pw78FKJ82iyIiHrnWWzpaeNpFgV oly.kalinichenko@speedandfunction.com-wmfprod
  • Requested group membership: gitlab-roots (will need root on gitlab1001 / gitlab1002)
  • Reason for access: Speed & Function contract work for GitLab initialization project
  • Name of approving party (hiring manager for WMF staff): Tyler Cipriani
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document:
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not be shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

@OlyKalinichenkoSpeedAndFunction please comment here confirming signature of L3 Wikimedia Server Access Responsibilities document.

@wkandek or @thcipriani can you approve the access?
@KFrancis are you able to confirm NDA status?

@OlyKalinichenkoSpeedAndFunction The SSH key you have provided is the same one you have registered for the cloud environment (i.e. the one you used when registering your wikitech account). We require a separate SSH key for production access; can you please generate a new key and update the ticket?

Thanks

jbond triaged this task as Medium priority. Feb 25 2021, 1:09 PM
jbond updated the task description.

@wkandek or @thcipriani can you approve the access?

Approve. Thanks!

Please add new key

@OlyKalinichenkoSpeedAndFunction are you also able to confirm L3 status as per:

@OlyKalinichenkoSpeedAndFunction please comment here confirming signature of L3 Wikimedia Server Access Responsibilities document.

@jbond Hello, would you please confirm if Oly Kalinichenko is an employee or contractor for Speed & Function? Would you please also let me know what access to gitlab1001 / gitlab1002 would be for?

@KFrancis they are not staff; AFAIK they are contractors for Speed & Function. At a high level gitlab1001 / gitlab1002 are servers which will be used to build a PoC to replace the https://gerrit.wikimedia.org/. The NDA requirement is because these servers will be on the production network and the contractors may need access to some of the data sources that include some PPI data.

@wkandek or @thcipriani should be able to provide more clarification

thanks

@jbond Hello, would you please confirm if Oly Kalinichenko is an employee or contractor for Speed & Function? Would you please also let me know what access to gitlab1001 / gitlab1002 would be for?

Hi @KFrancis, just a note of reference, here is the Coupa link for the contract that they are working under: https://wikimedia.coupahost.com/easy_form_responses/1342. This should cover all of them, Olly (this task), Eugene (T275679), and Sergey (T275722).

I hope that helps. Let me know if you need anything else from the contractors to get started.

@jbond Hello, I am confirming Oly Kalinichenko is covered under Speed & Function's existing agreement. Please proceed with the access.

@OlyKalinichenkoSpeedAndFunction are you also able to confirm L3 status as per:

@OlyKalinichenkoSpeedAndFunction please comment here confirming signature of L3 Wikimedia Server Access Responsibilities document.

We just need this confirmation to proceed now

Change 668360 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] admin: Add aex shell account and to gitlab-roots

https://gerrit.wikimedia.org/r/668360

JMeybohm subscribed.

phab account @OlyKalinichenkoSpeedAndFunction has signed L3 as of signature list, so I checked the box

@OlyKalinichenkoSpeedAndFunction we need the shell username to be the same as your wikitech shell name so this is going to be olykalinichenko. Sorry for the form being not clean on this, we will update it accordingly.

Change 668360 merged by JMeybohm:
[operations/puppet@production] admin: Add olykalinichenko shell account and to gitlab-roots

https://gerrit.wikimedia.org/r/668360

JMeybohm claimed this task.

Change 669741 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] Remove SSH keys reused in Cloud VPS

https://gerrit.wikimedia.org/r/669741

Change 669741 merged by JMeybohm:
[operations/puppet@production] Remove SSH keys reused in Cloud VPS

https://gerrit.wikimedia.org/r/669741

@OlyKalinichenkoSpeedAndFunction I did remove your SSH key from your production account as you seem to have uploaded it to CloudVPS via the wikitech preferences page.
Please use a dedicated key for wmf production and do not reuse that one anywhere else!

You may post a new SSH Key here to have that added to your production account again.

All 3 contractors have done so despite being told. The other one just got caught earlier. Should they be asked to actually pay attention to what they're doing? Speed seems to be too much a focus in this work.

@JMeybohm, I've created and added a new dedicated key (4096 bits). Could you please add this key?

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDqhkrLDMb0atfFuaavH8SxgaUftOnFGAsNL847A1GqhSibiTg2tohNHZjd8eJhUAvFfjTAWcvm5hhBDEtDR+9y1tVm6nc2tBrpZ1uTTqLfu5uQNCeXn6H26vcgkItmobjygzq/qFsZPULizA0YdDX2Vp5Wn2ExJ9XNxO9XYiISAhdUSq7PShhn+f9DltzG7l6nkf6ikkDb4mk2MSgUXi+HFE2mmqh1gJ6Y3F0TIB+/AKRRL/wr9U69mXGxB/XDphB1dOuZrkkUY73KGWBBIbg243aQCjTIcKN6l8X5bR9ath+9MFKDOTqsSIAK9j58WFPP3B7gY9vELXecN56gB1mBAKG/X0A+FCOEnLcf2y/a61IhTTd4CdgWJ1YVc2rDvCNTXnnQBOrzt5MHbefi+ufsWzoJkJkLXi/yv56h3t+2ZqHol5yNM41Ys/fy+I1hHuZaflrfCCrEtxcf6Z34EFX+PxJUl0/g+oEGiFYC90MeVqH1vmE4VUyjkfj46B+/ZMkzqrteB+zR4Y68WEh6591Psc3Y5z9z2rDFXAXQe9bl0XrHMOhVpssEiXGIBAgS5enuJScHEV6cJos9DFv5JMm55mB5SwRL0lOnwLd7Kh/uhKjrhmlYFK05X8ZutYBf1GYqXeRq1HNMyj+Ft5qmICEPQmv8GJ720Giv4YZk+Q3l3w==

Change 669866 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] Add new SSH key for olykalinichenko

https://gerrit.wikimedia.org/r/669866

All 3 contractors have done so despite being told. The other one just got caught earlier. Should they be asked to actually pay attention to what they're doing? Speed seems to be too much a focus in this work.

This isn't a helpful nor constructive comment. People make this mistake all the time. T276761: Special:NovaKey should have a message not to add production keys is probably the way forward.

Change 669866 merged by JMeybohm:
[operations/puppet@production] Add new SSH key for olykalinichenko

https://gerrit.wikimedia.org/r/669866

Account has been updated

@OlyKalinichenkoSpeedAndFunction your production SSH key is still in Cloud VPS LDAP, please remove it at https://wikitech.wikimedia.org under "Preferences -> OpenStack"

Change 670779 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] Remove olykalinichenko SSH key, reused in Cloud VPS

https://gerrit.wikimedia.org/r/670779

Change 670779 merged by JMeybohm:
[operations/puppet@production] Remove olykalinichenko SSH key, reused in Cloud VPS

https://gerrit.wikimedia.org/r/670779

@OlyKalinichenkoSpeedAndFunction I did remove your SSH key from your production account as you seem to have uploaded it to CloudVPS via the wikitech preferences page.
Please use a dedicated key for wmf production and do not reuse that one anywhere else!

You may post a new SSH Key here to have that added to your production account again.

This, again.
@OlyKalinichenkoSpeedAndFunction please stop adding your production SSH keys to Cloud VPS!

Hey, apologies for that. I've updated the SSH key and this one is unique, and it's placed only locally.
Could you please check it again?

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEgeCnlFqvMSxmk5Pw78FKJ82iyIiHrnWWzpaeNpFgV oly.kalinichenko@speedandfunction.com-wmfprod

Volans claimed this task.
Volans subscribed.

My understanding is that all the steps have been completed. Resolving. Feel free to re-open in case of any issue.