Fundraising access request for Wenjun Fan
Closed, Resolved, Public

Description

This is a new access request for Wenjun Fan. They require the following access: (mark each box with an x)

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - frack hosts
  • mysql - everything on FRdev
  • superset
  • other: please explain

New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.

Prerequisites

Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and C-level approval of the access.

[x] user_verification
    Requires: user request
    [x] access_rights: letter to C level (currently Lisa) verifying grant of access
    [x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List

Accounts and Services

[x] user account
    Requires: user_verification
    [x] Add the user to the users.yaml and group_members.yaml files as appropriate.
    [x] Push out puppet changes.
[x] client_ssl_cert
    Requires: user_verification
    [x] cert_setup: generate cert on frpm1001 using ssl_user_admin
    [x] account_setup: sms the user the password for the key
    [x] follow_on: assist with certificate installation
[x] yubikey
    Requires: useraccount and ITS request to send out yubikey to user
    [x] physical: Make a request to ITS to have a key sent to the user
    [x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
    [x] follow_on: Make sure user can use yubikey for ssh access
[x] ssh
    Requires: useraccount and yubikey
    [x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
    [x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
    [x] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[x] mysql
    Requires: useraccount, yubikey, ssh
    [x] account_setup
        [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
        [x] Ensure user is in correct blocks for select rights on dbs.
            - Generally use another user in same group as a guide
        [x] Run the grant script to get the grants.
        [x] Copy/paste to execute the grants on appropriate dbs.
        [x] Create the user a ~/.my.cnf file with the original password from account creation.
    [x] follow_on: Verify user can ssh to the required host and log in to mysql.
[x] civicrm
    Requires: client_ssl_cert
    [x] account_setup: Create user account. This will notify the user via email to update their password.
    [x] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[x] superset
    Requires: client_ssl_cert
    [x] account_setup: Create user account. Notify the user of their account name and password.
    [x] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org
[x] archive_access: Add to google drive archive group.
[x] Repository reviewer

Event Timeline

Access request sent. Verified details on the Contact List.

Date: Tue, 14 Dec 2021 14:24:44
From: Lisa Gruwell
To: Dallas Wisehaupt
Cc: Dylan Kozlowski, Wenjun Fan
Subject: Re: Fundraising access request for Wenjun Fan

Yes, I approve.

SSL client cert generated and sent via email. Password sent via sms. Civi account created. Superset account created, set with temp password, temp password sent via sms, password change link sent via email.

Verified access is working for civi and superset.

Yubikey request made by Dylan.

Cccccbbhkvlj
this is the public side of the key, thanks :)

Yubikey public key added to puppet. SSH public key added to puppet. mariadb grant portions added to make_grants scripts.

Keys pushed out. Grants applied. .my.cnf file created. mariadb access verified for frdev1001 and frdb1003.

Dwisehaupt updated the task description.
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Verified login and access is working.