Page MenuHomePhabricator

Root access to AQS cluster
Closed, ResolvedPublic

Description

In the past, @elukey and I have worked collaboratively on the foundation's Cassandra clusters. With him transitioned to another team I expect to be more actively involved in the maintenance/operations of the AQS cluster, and will need more access to be effective.

The aqs-admin group that I am currently a part of provides specific access to certain commands (for example, to restart services), but many necessary things aren't possible. For example, running the CQL shell (cqlsh) is not possible because the wrapper scripts require access to root-owned configuration files (the files contain secrets). Adjustments to what aqs-admins can do might be possible, but I suspect this will be a tedious game of wack-a-mole that never gets it quite right. For the RESTBase cluster, I am a part of the restbase-roots group, with unrestricted root access.

Event Timeline

Change 702452 had a related patch set uploaded (by Eevans; author: Eevans):

[operations/puppet@production] Create an aqs-roots group, analogous to restbase-roots

https://gerrit.wikimedia.org/r/702452

As @Eevans manager, I would approve and support the requested access. Particularly, given the existing precedent of the restbase-roots group and Platform's responsibility in supporting the AQS cluster. Happy to discuss further after July 12th. Prior to that @MNadrofsky can be contacted.

herron added a subscriber: herron.

Looks reasonable to me, and thanks much for writing the patch!

Typically group changes involving full root access are reviewed/approved during the SRE meeting, the next of which is scheduled for 7/12. So I'll transition this over to pending meeting review now, and barring any objections it should be able to move forward after that.

herron triaged this task as Medium priority.Jul 1 2021, 2:42 PM

Change 702452 merged by Muehlenhoff:

[operations/puppet@production] Create an aqs-roots group, analogous to restbase-roots

https://gerrit.wikimedia.org/r/702452

MoritzMuehlenhoff claimed this task.

This was approved in the IF meeting and I've merged the patch now.