Page MenuHomePhabricator
Create Task
Maniphest T292827

Cloud admin for Majavah
Closed, ResolvedPublic
Actions

Description

@aborrero thinks I should be a "cloud admin" and "cloud-wide root" (as defined by https://wikitech.wikimedia.org/wiki/Help:Access_policies). This would let me run Cumin commands on all projects and make myself a member of any project, which would be let me work on cloud vps infrastructure services spread accross various service projects. I meet the policy-mandated requirements as I already am a project admin on Toolforge.

Details

SubjectRepoBranchLines +/-
Add taavi/majavah root keylabs/privatemaster+2 -0
Customize query in gerrit

Related Objects

Event Timeline

taavi created this task.Oct 8 2021, 10:36 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 8 2021, 10:36 AM
aborrero triaged this task as Low priority.Oct 8 2021, 10:37 AM
aborrero moved this task from Inbox to Needs discussion on the cloud-services-team (Kanban) board.
bd808 awarded a token.Oct 8 2021, 3:45 PM
RhinosF1 subscribed.Oct 9 2021, 7:51 AM
Legoktm awarded a token.Oct 9 2021, 11:34 PM
nskaggs awarded a token.Oct 12 2021, 3:01 PM
aborrero added a comment.Oct 13 2021, 11:12 AM

If nobody opposes, this request can be executed starting 2021-10-15.

taavi signed these changes with MFA.Oct 13 2021, 1:46 PM

I generated a new SSH key (with a strong passphraise and other relevant security practices) that can be used as a cloud-wide root key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOH8BG56Gh6c9ggaMGP04R9xY/bf06HFdT0ThkvN/jC taavi wmcs-wide root key
nskaggs subscribed.Oct 13 2021, 4:34 PM

This was agreed to in the 2021-10-13 meeting. Congrats and well deserved! Thank you for all the work you do in helping make our platforms and services better!

bd808 moved this task from Needs discussion to Clinic Duty on the cloud-services-team (Kanban) board.Oct 15 2021, 2:17 PM
gerritbot added a comment.Oct 18 2021, 6:53 PM

Change 731796 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[labs/private@master] Add taavi/majavah root key

https://gerrit.wikimedia.org/r/731796

gerritbot added a project: Patch-For-Review.Oct 18 2021, 6:53 PM
gerritbot added a comment.Oct 18 2021, 6:56 PM

Change 731796 merged by Andrew Bogott:

[labs/private@master] Add taavi/majavah root key

https://gerrit.wikimedia.org/r/731796

Andrew closed this task as Resolved.Oct 18 2021, 6:57 PM
Andrew claimed this task.
Andrew subscribed.

@Majavah , I've merged your root key and granted you the 'admin' role both in the 'admin' project and in the default domain.

It's probably worth confirming that your root key works in a half hour or so. The new openstack roles will make Horizon look funny (it'll show more options and features, some of them broken) but shouldn't restrict anything you could do before.

Stashbot added a comment.Oct 18 2021, 6:58 PM

Mentioned in SAL (#wikimedia-cloud) [2021-10-18T18:58:24Z] <andrewbogott> granting majavah 'admin' role in the 'admin' project and also in the default domain. T292827

Andrew mentioned this in rLPRIb5b626b331d1: Add taavi/majavah root key.Oct 18 2021, 6:59 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 18 2021, 7:11 PM
Stashbot added a comment.Oct 18 2021, 7:21 PM

Mentioned in SAL (#wikimedia-cloud) [2021-10-18T19:21:22Z] <andrewbogott> also ticked the 'admin' box on wikitech for majavah T292827

taavi added a comment.Oct 18 2021, 7:52 PM
In T292827#7437955, @Andrew wrote:

It's probably worth confirming that your root key works in a half hour or so.

Confirmed that I can ssh to any VM I tried as root. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits