
When WMF staff requests to be added to ldap/wmf, also add their Phabricator account to #WMF-NDA
Closed, Resolved · Public

Description

Background

For the last 9 years it has been fine to assume that new WMF staff are under an NDA; however, in my understanding, adding new staff to the ldap/wmf LDAP group and to the WMF-NDA Phab project cannot be part of the WMF onboarding process itself, as new staff first need to create their developer/LDAP user account (and their Phab user account) themselves, while WMF ITS' onboarding only includes creating a SUL user account for new staff.

Situation

Currently, manually processing WMF-NDA Phab project membership requests under WMF-NDA-Requests requires:

  • checking the mediawiki.org SUL account that the Phabricator account is linked to, on the Phab user profile of the requester
  • checking https://www.mediawiki.org/wiki/Special:CentralAuth to find on which exact wiki site that SUL user account was created
  • checking Special:Log on that exact wiki site to see whether the SUL user account was created by a staff account that is/was a WMF ITS member (I'm dropping the chain of trust at this stage), and
  • sometimes asking requesters to first also link their SUL user account to their Phab user account if they used their developer/LDAP user account to create their Phab user account, and in rare cases asking them to connect their WMF ITS-created SUL staff user account to their Phab user account instead of a self-created SUL non-staff user account.

This is a bit cumbersome for all involved parties (requester having to file two separate tickets; one person to add to ldap/wmf and another person to add to WMF-NDA while this could be done by the same person).

(For completeness: I assume that checking the developer/LDAP user account linked to a Phab user account, and then checking if that account is listed on https://ldap.toolforge.org/group/wmf could be an alternative workflow that I had not been aware of until a few minutes ago.)

Proposal

When a staff member uses their Phabricator account to file a request under LDAP-Access-Requests to become a member of the ldap/wmf LDAP group, this staff member's Phabricator account should also get added as a member to WMF-NDA.

This action obviously requires edit permissions, and SRE folks should have them: According to the Edit policy of WMF-NDA at https://phabricator.wikimedia.org/project/edit/61/ , currently members of acl*sre-team, @eross, @bcampbell, @eliza, @offboarding, and Phab administrators can edit members of WMF-NDA.

If this workflow was implemented, it should probably be documented at https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty#Review_incoming_tasks .
Also on https://phabricator.wikimedia.org/project/manage/1564/ the link to https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#LDAP_group_changes should be updated (as there is no such anchor).

See also non-public T289552 for a slightly related discussion.

Event Timeline

Should I file a very similar ticket for ldap/wmde, or include it in this ticket? or rather wait and see the outcome here?

I'd probably wait first where this ticket might go, in order to have conversations in one place (and I'm aware of T290414 :)

akosiaris triaged this task as Medium priority. Sep 9 2021, 1:05 PM

I would expect this to be automatic, yes. I think the proposal makes sense. We will need to edit our instructions for adding someone to the wmf ldap group though.

Yes, the proposal makes sense and I can confirm everything Andre listed in such detail above. Using the 2 separate Phabricator groups has always been cumbersome. A group just to request being added to another group never really made sense for our use case.

I will boldly edit the docs and reference this ticket.

@Aklapper I mailed SRE about this and if there are no concerns coming up we can call this resolved.

Thanks a lot. (Docs could directly link to https://phabricator.wikimedia.org/project/members/61/add/ for convenience, if wanted.)

No replies so far. I am calling this done and will reopen it if that changes.