
Requesting access to restricted for Daimona
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Daimona Eaytoy
  • Preferred shell username: daimona
  • Email address: daimona.wiki@gmail.com
  • Ssh public key (must be dedicated key for wmf production):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGoHMHjUVr1SjVzIlQvZBxaSQj/ex2P95D54y2wZzAd14tJ4vnVPh800Uspg+gfJ1ibNrx7WRdWFJXk3vK32oCvhbo7RNPMAQFrai4OFeHxGYPGEB1XMNC/4sy1HNgAD56IltqYHfVp0/EfQiSiv1wYWBkAdpRUW/Aqa9qwl51SLR8EE1cFojQCtkvCYJOo0uS2qL5Z0qJEP/SN3ocuDlD89rdxxVA+VGBeXHfMpqJBpeUyA6Xmx9sKUV3KFO2A6kQAN55x9BFEC3BtUuu9SRx4AgaDJLeNU5+D1Uqfg8bzgBXjaSyGc6vSqISqQLViFh4Y61lFlCOz1NvVQ/yv6LM95d2fKy98jxQGvIUf2O9F2sBjRUQlBMdKkbT2/4v4ldHLf+VUbyHN1po2PBQfXff4B7+DTrmI/UAiRYoW7sTmqRu1j1nSSY1QgHrRVkR+gCcwGhkYnlkmTDcKqVgNkEKwTYSQtyU9pZ4OaccQ/0b028xnOvc95VGh1/ffGatNoXexdspqWffxKgT5dIGSaSXofAaJdIV9UJBb4X1MUT6wvghT+WSgrg55IC5QN4fCbAZO1jhVdCcwBfBUqTcZZr+TSDhdM8oQeYJuo6gOVhWP2c+awPr5dIF/XTVYMHZ9G8dDLX+SSYvQpqdKQkR5KZ4nYQEvOHJ0sLchprJdiFUNw== daimona.wiki@gmail.com
  • Requested group membership: restricted
  • Reason for access: I've found myself needing to do "shell stuff" several times. One example is running several maintenance scripts for AbuseFilter (T228655, T269713, T246539, T231137, T209565). More generally, sometimes I would benefit from being able to view detailed logs, use a REPL, run a live DB query (without the replicas filters) or similar tools in prod; two recent examples where this happened and I had to ask somebody else: T268696, T274514. Sometimes I also have to ask other people to deploy sec patches, mainly for AbuseFilter (see T276237 for an overview), but I'm leaving deployment access out of this request because I don't feel like I'd need it very often.
  • Name of approving party (hiring manager for WMF staff): @Legoktm
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: I confirm.
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • - non-staff requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

I wholeheartedly support Daimona's request for this access level, as they're frequently helpful with stuff needing shell access, and they recently needed a lot of scripts executed for their AbuseFilter work.

I trust them to not abuse the access, and to ask questions if they're unsure about anything.

I'm also happy to help them with learning how WMF production works once this is approved, as an active deployer.

I wholeheartedly endorse this request, though I had suggested to Daimona that they get deploy access rather than just "restricted" :) But yes, I think just being able to run maintenance scripts and do unfiltered SQL queries will be very useful.

JMeybohm triaged this task as Medium priority. Mar 4 2021, 11:31 AM

Change 668382 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] admin: Add daimona shell access and restriced group

https://gerrit.wikimedia.org/r/668382

JMeybohm added a subscriber: JMeybohm.

This will need an update of the access level in the NDA sheet when it's done.

@wkandek can you act as approver for access to the restricted group (https://gerrit.wikimedia.org/r/c/operations/puppet/+/668397) or figure out who that might be?

My own deployment access was approved by @greg some time back, I'm not sure whether the group owner changed in the meantime.

Change 668382 merged by JMeybohm:
[operations/puppet@production] admin: Add daimona shell access and restriced group

https://gerrit.wikimedia.org/r/668382

JMeybohm claimed this task.

Merged, thanks!