Page MenuHomePhabricator

Create new group for root access to snapshot*, dumpsdata* and labstore1006,7 with holger in it
Closed, ResolvedPublic

Description

@holger.knust will be dumps co-maintainer with me, and as such, he should be able to do all tasks that don't require SRE-level access (i.e. access to cumin etc). This includes rebooting hosts to pick up security fixes, disabling/enabling/running puppet, rsyncing manually fixed datasets, disabling and re-enabling cron jobs, checking logs, installing updated packages, and so on.

A new group should be created for this level of access to the specific hosts.

This will need discussion at the SRE meeting.

Tagging @WDoranWMF for manager approval. Tagging @Bstorm for visibility because the two labstore boxes are WMCS.

Event Timeline

Change 672879 had a related patch set uploaded (by ArielGlenn; owner: ArielGlenn):
[operations/puppet@production] Create group for root access to snapshot, dumpsdata and labstore1006,7 hosts

https://gerrit.wikimedia.org/r/672879

ArielGlenn edited subscribers, added: holger.knust; removed: Holger.

@ArielGlenn This is actually a two-fold requests. This one is for the new group creation requires discussion in the next SRE meeting (I've just added it).
We need also a group approver that will be marked in data.yaml with the approval key. Who would that person be in this case?

When the group will be there then we'll need a separate request for the addition of Holger in it with approval by their manager and the group approver as any other access request.

@ArielGlenn This is actually a two-fold requests. This one is for the new group creation requires discussion in the next SRE meeting (I've just added it).
We need also a group approver that will be marked in data.yaml with the approval key. Who would that person be in this case?

When the group will be there then we'll need a separate request for the addition of Holger in it with approval by their manager and the group approver as any other access request.

I always forget about the approval line. It's been added in the latest version of the patch, same as the other snapshot-related access groups.

This was approved in yesterday's SRE meeting, though I guess someone on that team probably ought to say so instead of me :-)

Change 672879 merged by ArielGlenn:
[operations/puppet@production] Create group for root access to snapshot, dumpsdata and labstore1006,7 hosts

https://gerrit.wikimedia.org/r/672879

Taking John Bond's +1 on the patchset as "someone on that team saying so", and duly noting the approval from the appropriate manager, I have merged this. Once I have confirmed that Holger has the desired access, I'll close the task.

Any news on access check for @holger.knust ?

It might be some days before we're able to check, the task can just idle here until I update it. Sorry for the clutter :-)

Any news on this?

I apologize but it's still not possible to check. I have not forgotten about it though. I will update the task once there is more information.

Dzahn changed the task status from Open to Stalled.May 3 2021, 7:02 PM
herron added a subscriber: herron.

Hey @ArielGlenn, Since this has been idling in the access request queue for some time I'm going to untag SRE-Access-Requests for the time being. If any follow up is needed please do re-tag. Thanks!

Hey this is now verified and we're closing. Thanks for your patience, everybody!

Change 705006 had a related patch set uploaded (by ArielGlenn; author: ArielGlenn):

[operations/puppet@production] add dumps-roots to the dumpsdata roles so people in that group get access

https://gerrit.wikimedia.org/r/705006

Change 705006 merged by ArielGlenn:

[operations/puppet@production] add dumps-roots to the dumpsdata roles so people in that group get access

https://gerrit.wikimedia.org/r/705006