Page MenuHomePhabricator
Create Task
Maniphest T285899

Root access to AQS cluster
Closed, ResolvedPublic
Actions

Description

In the past, @elukey and I have worked collaboratively on the foundation's Cassandra clusters. With him transitioned to another team I expect to be more actively involved in the maintenance/operations of the AQS cluster, and will need more access to be effective.

The aqs-admin group that I am currently a part of provides specific access to certain commands (for example, to restart services), but many necessary things aren't possible. For example, running the CQL shell (cqlsh) is not possible because the wrapper scripts require access to root-owned configuration files (the files contain secrets). Adjustments to what aqs-admins can do might be possible, but I suspect this will be a tedious game of wack-a-mole that never gets it quite right. For the RESTBase cluster, I am a part of the restbase-roots group, with unrestricted root access.

Details

SubjectRepoBranchLines +/-
Create an aqs-roots group, analogous to restbase-rootsoperations/puppetproduction+10 -1
Customize query in gerrit

Event Timeline

Eevans created this task.Jun 30 2021, 7:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2021, 7:48 PM
gerritbot added a comment.Jun 30 2021, 7:49 PM

Change 702452 had a related patch set uploaded (by Eevans; author: Eevans):

[operations/puppet@production] Create an aqs-roots group, analogous to restbase-roots

https://gerrit.wikimedia.org/r/702452

gerritbot added a project: Patch-For-Review.Jun 30 2021, 7:49 PM
WDoranWMF added a subscriber: MNadrofsky.Jun 30 2021, 7:52 PM

As @Eevans manager, I would approve and support the requested access. Particularly, given the existing precedent of the restbase-roots group and Platform's responsibility in supporting the AQS cluster. Happy to discuss further after July 12th. Prior to that @MNadrofsky can be contacted.

Maintenance_bot added a project: SRE.Jun 30 2021, 8:45 PM
herron moved this task from Untriaged to SRE Meeting Review on the SRE-Access-Requests board.Jul 1 2021, 2:41 PM
herron subscribed.

Looks reasonable to me, and thanks much for writing the patch!

Typically group changes involving full root access are reviewed/approved during the SRE meeting, the next of which is scheduled for 7/12. So I'll transition this over to pending meeting review now, and barring any objections it should be able to move forward after that.

herron triaged this task as Medium priority.Jul 1 2021, 2:42 PM
BPirkle moved this task from Inbox to Tracking/Watching on the Platform Engineering board.Jul 13 2021, 5:36 PM
gerritbot added a comment.Jul 20 2021, 8:36 AM

Change 702452 merged by Muehlenhoff:

[operations/puppet@production] Create an aqs-roots group, analogous to restbase-roots

https://gerrit.wikimedia.org/r/702452

MoritzMuehlenhoff closed this task as Resolved.Jul 20 2021, 8:37 AM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff subscribed.

This was approved in the IF meeting and I've merged the patch now.

Maintenance_bot removed a project: Patch-For-Review.Jul 20 2021, 9:11 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL