
Requesting access to gitlab1001 / gitlab1002 for Eugene Chernov from Speed & Function
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Eugene.chernov
  • Preferred shell username: ichernov
  • Email address: eugene.chernov@speedandfunction.com
  • Ssh public key (must be dedicated key for wmf production):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXSV4ht0Q6zuWnnNuBH08/li10vGy/23z4Zw42JbgeGIE8MNdNaZePFk8LIvWr89j2FLBsOCTNkpNfBAgQhnIDouZW+JlypZrTa9plWwxRKJ2UhBkSigN5D4cDg5s5UnAuDj39C4wdeexJUEK1ElXlyJGEUipWCNE6SNdZJaN54aepGKENybjWSK6L4eNIPz3G+mTeTgAAvFXxPwkVGOY2uH3PtjRJqThdH5zKtfPdttsCAMwvYOv2UghtHjW5klmerKOehfqfLzZJ9OlsE8NyEWTxS8Usnpy3ch1N30CK+2K2eRbbX4QUWDbZYYZQ7n2amch9Bti1T7yBrUxAmO1CKI52RuRnWyYwLSPCDqk6rW5z5OHmOfJhuTHzXwIL8N01Duf638aHc5vGiyGl87BPY+G9QTr8oIR2vD9dUEn/rIhVskBmQ9dWYx6lD6qxuJOIWN2OPPAQ+NGi3QmR+3Ihy6GJbVBqyZqSeL6cmqbdGy3mpbRTRyY4wlkflOhtjfE= ievgen_chernov
  • Requested group membership: gitlab-roots (will need root on gitlab1001 / gitlab1002)
  • Reason for access: Speed & Function contract work for GitLab initialization project
  • Name of approving party (hiring manager for WMF staff): Tyler Cipriani
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document:
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

@Eugene.chernov please comment here confirming signature of L3 Wikimedia Server Access Responsibilities document and also that ichernov is correct for shell username.

brennen renamed this task from Requesting access to gitlab1001 / gitlab1002 for Eugene Chernov to Requesting access to gitlab1001 / gitlab1002 for Eugene Chernov from Speed & Function. Feb 24 2021, 9:02 PM
brennen updated the task description.

@wkandek or @thcipriani can you approve the access
@KFrancis are you able to confirm NDA status

jbond triaged this task as Medium priority. Feb 25 2021, 1:07 PM
jbond updated the task description.

@wkandek or @thcipriani can you approve the access

Approve. Thanks!

@jbond Hello, would you please confirm if Eugene Chernov is an employee or contractor for Speed & Function? Would you please also let me know what access to gitlab1001 / gitlab1002 would be for?

@KFrancis they are not staff; AFAIK they are contractors for Speed & Function. At a high level gitlab1001 / gitlab1002 are servers which will be used to build a PoC to replace https://gerrit.wikimedia.org/. The NDA requirement is because these servers will be on the production network and the contractors may need access to some of the data sources that include some PPI data.

@wkandek or @thcipriani should be able to provide more clarification

thanks

@brennen, L3 has been signed and ‘ichernov’ is ok as the username

@jbond Hello, I am confirming Eugene Chernov is covered under Speed & Function's existing agreement. Please proceed with the access.

@Eugene.chernov

Preferred shell username: ichernov

This differs from the shell name you used when registering on wikitech. Can you please confirm the shell name you have listed on https://wikitech.wikimedia.org/wiki/Special:Preferences, which is the one we will use for production access?

@jbond
Yes, sorry ‘eugene-chernov’ is the right one

Change 667859 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: add eugene-chernov

https://gerrit.wikimedia.org/r/667859

Change 667859 merged by Jbond:
[operations/puppet@production] admin: add eugene-chernov

https://gerrit.wikimedia.org/r/667859

jbond claimed this task.

This access has been enabled. Please allow up to 15 minutes for the change to fully propagate.

Please note gitlab1001/gitlab1002 with private IPs have been deleted and instead gitlab1001.wikimedia.org with public IP has been created, based on T274459#6877185 ff. The same puppet role is applied to shell access moved with that.

@Eugene.chernov

[gitlab1001:~] $ gen_fingerprints
 +---------+---------+-----------------------------------------------------+
 | Cipher  | Algo    | Fingerprint                                         |
 +---------+---------+-----------------------------------------------------+
 | RSA     | SHA-256 | SHA256:u3BILUTd6NsM9/ItWulh3uzqcKh3SXzpkC+oNKmbG4k  |
 +---------+---------+-----------------------------------------------------+
 | ECDSA   | SHA-256 | SHA256:i+fWYVTGTn8XXsbrYDOVUHCZZCk6rRyCG4rJk5nxxh8  |
 +---------+---------+-----------------------------------------------------+
 | ED25519 | SHA-256 | SHA256:lKmdy0Xvi4AXeEWEbg3sM5Zc8GRSqqbhnP7uti8xKBs  |
 +---------+---------+-----------------------------------------------------+

 +---[RSA 2048]----+ +---[ECDSA 256]---+ +--[ED25519 256]--+
 |      .. o       | |           . o=*=| |       .o=*      |
 |     .  o .      | |            =.oB+| |        +X.      |
 |      ..         | |        .  =o.+.+| |       +==+      |
 |     . .o .      | |   .   o ..+.*.oo| |       *X+..     |
 |      o S* o . . | |  . X . S.o = =..| |    ..=oSo. .    |
 |     o +.o+.*.o  | |   O = E .oo   . | |  Eo.=o+ + .     |
 |    E = * o=*B   | |    o o +o .     | |   += .o=   .    |
 |       B +oB*++  | |       +. .      | |  ..  o. . . .   |
 |      =o+o.+==+  | |       ..        | |    .==+. . .    |
 +----[SHA256]-----+ +----[SHA256]-----+ +----[SHA256]-----+
[gitlab1001:~] $ id eugene-chernov
uid=30039(eugene-chernov) gid=500(wikidev) groups=500(wikidev),826(gitlab-roots)

Change 668354 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: and end date for speed and function contractors

https://gerrit.wikimedia.org/r/668354

Change 668354 merged by Jbond:
[operations/puppet@production] admin: and end date for speed and function contractors

https://gerrit.wikimedia.org/r/668354

Change 669741 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] Remove SSH keys reused in Cloud VPS

https://gerrit.wikimedia.org/r/669741

Change 669741 merged by JMeybohm:
[operations/puppet@production] Remove SSH keys reused in Cloud VPS

https://gerrit.wikimedia.org/r/669741

JMeybohm subscribed.

@Eugene.chernov I did remove your SSH key from your production account as you seem to have uploaded it to CloudVPS via the wikitech preferences page.
Please use a dedicated key for wmf production and do not reuse that one anywhere else!

You may post a new SSH Key here to have that added to your production account again.

hello @JMeybohm ,

Thank you. Here is the key for prod:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXSV4ht0Q6zuWnnNuBH08/li10vGy/23z4Zw42JbgeGIE8MNdNaZePFk8LIvWr89j2FLBsOCTNkpNfBAgQhnIDouZW+JlypZrTa9plWwxRKJ2UhBkSigN5D4cDg5s5UnAuDj39C4wdeexJUEK1ElXlyJGEUipWCNE6SNdZJaN54aepGKENybjWSK6L4eNIPz3G+mTeTgAAvFXxPwkVGOY2uH3PtjRJqThdH5zKtfPdttsCAMwvYOv2UghtHjW5klmerKOehfqfLzZJ9OlsE8NyEWTxS8Usnpy3ch1N30CK+2K2eRbbX4QUWDbZYYZQ7n2amch9Bti1T7yBrUxAmO1CKI52RuRnWyYwLSPCDqk6rW5z5OHmOfJhuTHzXwIL8N01Duf638aHc5vGiyGl87BPY+G9QTr8oIR2vD9dUEn/rIhVskBmQ9dWYx6lD6qxuJOIWN2OPPAQ+NGi3QmR+3Ihy6GJbVBqyZqSeL6cmqbdGy3mpbRTRyY4wlkflOhtjfE= ievgen_chernov

Change 669768 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] Add new SSH key for eugene-chernov

https://gerrit.wikimedia.org/r/669768

Change 669768 merged by JMeybohm:
[operations/puppet@production] Add new SSH key for eugene-chernov

https://gerrit.wikimedia.org/r/669768

Account has been updated