
Requesting access to mwmaint1002 for mepps
Closed, ResolvedPublicRequest

Description

  • Wikitech username: mepps
  • Email address: mepps@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDohDQkFG5FrhN50ZtS1MGd1xiY0D2OO9yzn8Y31xqVq mepps@wmf2679
  • Requested group membership:
  • Reason for access: To run media moderation script
  • Name of approving party (manager for WMF/WMDE staff): Marcella Florence
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Volans triaged this task as Medium priority. Jun 11 2021, 10:23 PM

@mepps:

  • Please sign L3 (Wikimedia Server Access Responsibilities document)
  • Access to production hosts is based on unix groups mapped to clusters and not on mapping single users to hosts. From a quick look there are a couple of existing groups that might fit your use case: one is restricted and the other is maintenance-log-readers. The latter might be sufficient but seems meant to be used for a different use case, while the former also grants additional permissions and access to additional hosts. The other option would be to require the creation of a newly dedicated group, but I'm not sure if it would be a good fit. @MoritzMuehlenhoff do you have any suggestion on this?

@marcella: your approval is required as the manager of @mepps

@wkandek given that this access refers to hosts managed by SRE ServiceOps what of the existing groups mentioned in T284773#7152739 should be used for this use case?


Just noting this here as a frequent deployer: the use case listed in this ticket says "To run media moderation script", which is a MediaWiki maintenance script. This means @mepps needs to be able to sudo as www-data (to use mwscript to run the script). This sudo capability is allowed only to restricted (and deployment, but there doesn't appear to be a need to deploy code). restricted also gives access to mwlog1002, which has MediaWiki logs. Reading MW logs is often needed when running scripts, as they have useful info when debugging.

Change 699799 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] admin: add mepps to restricted group

https://gerrit.wikimedia.org/r/699799

Change 699799 merged by Ssingh:

[operations/puppet@production] admin: add mepps to restricted group

https://gerrit.wikimedia.org/r/699799

ssingh claimed this task.
ssingh subscribed.

@mepps: You have been added to the restricted group. Please let us know if there are any questions, thanks!

Thank you! I checked and I can connect :).