
Requesting access to production deployment for David Lynch
Closed, Invalid · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: kemayo
  • Email address: dlynch@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): P8708
  • Requested group membership: deployment (unless restricted is required? Its description explicitly mentions mwmaint where deployment doesn't, but...)
  • Reason for access: I need access to mwmaint so I can deploy a new database table (T282699, Creating_new_tables#Deployment)
  • Name of approving party (manager for WMF/WMDE staff): Harumi Monroy (@HMonroy)
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

To clarify the groups: deployment is for code deployment, and it "includes" all capabilities of restricted (which is for running maintenance scripts). If you don't want to deploy code, only run maintenance scripts (which lets you create tables), restricted is what you need. If you want to also deploy code, deployment is the right group.

Also, to clarify, do you expect to need this access level regularly, or only for getting T282699 done? If it's a one-time thing, I'm not sure granting this request is the best way forward, as deployment is – unfortunately – complicated, and needs a future deployer to learn a lot.

I also commented on the table creation task.

Marostegui triaged this task as Medium priority. May 25 2021, 4:39 PM
Marostegui subscribed.

Thanks @Urbanecm - I agree, let's clarify if this is a one-time thing or you need this on a regular basis.

@Urbanecm Yeah, I'd only need to run maintenance scripts, so I guess restricted would be fine.

I'm only asking for this because on the review task we were told that "deployment is self-service" and nobody on the team had the relevant access. If someone else wants to be available to run the appropriate maintenance scripts, I have no objection, and we could revisit this later if a need for repetition develops.

"self service" means that you don't really need to get blocked on the DBA once the table is approved and filters are in place (if any), you can coordinate with anyone with deployment grants to create them at your convenience.

[...]
I'm only asking for this because on the review task we were told that "deployment is self-service" and nobody on the team had the relevant access. If someone else wants to be available to run the appropriate maintenance scripts, I have no objection, and we could revisit this later if a need for repetition develops.

As @Marostegui says, it means it doesn't need a DBA to do it, but that it can be done by anyone with deployment access. I'm happy to help your team with T282699, and we can reconsider this request if the need shows to be repetitive. Would that work for you?

@DLynch ok to close this for now and we can reopen if needed in the future?

I updated the Wikitech instructions page to clarify the requirements (diff here: https://wikitech.wikimedia.org/w/index.php?title=Creating_new_tables&type=revision&diff=1913898&oldid=1913356). @DLynch I would appreciate a comment on whether it's clear enough.