
Requesting shell access for Brian King
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Bking
  • Email address: bking@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJoIiYDYAlWVxK2i1xGHGp5a5+qH0LHJyoJqsHitqsAF bking@clankio2
  • Requested group membership: analytics-privatedata-users with kerberos access, ops (both shell + LDAP) and wmf LDAP group (See T297910#7577062)
  • Reason for access: New SRE on the Search Platform team
  • Name of approving party (manager for WMF/WMDE staff): @Gehel
  • L3 Wikimedia Server Access Responsibilities document signed
  • Please coordinate obtaining a comment of approval on this task from the approving party.

Note: Ryan Kemper is also an SRE on the Search Platform team; you may wish to use his permissions as a reference.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

bking renamed this task from Requesting access to RESOURCE for Brian King (bking@wikimedia.org) to Requesting access to LDAP groups for Brian King (bking@wikimedia.org). Dec 16 2021, 8:58 PM
Dzahn renamed this task from Requesting access to LDAP groups for Brian King (bking@wikimedia.org) to Requesting shell access for Brian King (bking@wikimedia.org). Dec 16 2021, 9:34 PM
Dzahn added a project: LDAP-Access-Requests.
Dzahn changed the task status from Open to In Progress. Dec 16 2021, 9:41 PM
Dzahn triaged this task as Medium priority.
Reedy renamed this task from Requesting shell access for Brian King (bking@wikimedia.org) to Requesting shell access for Brian King. Dec 17 2021, 12:08 AM

Brian and I will pair tomorrow on making the various puppet patches for the access request.

(Also we should have approval from gehel tomorrow)

Isn't the 'ops' LDAP group only supposed to be for people in the 'ops' shell group?

Isn't the 'ops' LDAP group only supposed to be for people in the 'ops' shell group?

@bking is an SRE in the Search Platform team, so he should be in the "ops" shell group. Those requests might have been made in the wrong order, but it seems reasonable to me.

After discussion with @RhinosF1 :

  • there are a number of other people who are in both ops and analytics-privatedata-users, so that's probably not an issue
  • we also have an analytics-search group which is a system_members of analytics-privatedata-users, in the case of @bking it might make more sense to use the more specific group (@Ottomata can you confirm?)

After discussion with @RhinosF1 :

  • there are a number of other people who are in both ops and analytics-privatedata-users, so that's probably not an issue

Yep, this is on purpose, so even ops people need to follow the usual process to request access, authenticate where needed, etc. (without any sudo)

  • we also have an analytics-search group which is a system_members of analytics-privatedata-users, in the case of @bking it might make more sense to use the more specific group (@Ottomata can you confirm?)

In this case the group analytics-search-users is meant to allow people in it to sudo as the system user, so Brian can skip it in my opinion.

RhinosF1 moved this task from Manager Approval Pending to Backlog on the LDAP-Access-Requests board.

As task says they will upload patches

Brian and I will pair tomorrow on making the various puppet patches for the access request.

(Also we should have approval from gehel tomorrow)

I'm SRE on Clinic Duty this week, but given this comment, I'm not going to work on this. If that's wrong, please let me know! :)

Change 748135 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] admin: add bking to shell users

https://gerrit.wikimedia.org/r/748135

Change 748137 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] admin: Add Brian King to ops and analytics_privatedata_users groups

https://gerrit.wikimedia.org/r/748137

Change 748135 merged by Ryan Kemper:

[operations/puppet@production] admin: add bking to shell users

https://gerrit.wikimedia.org/r/748135

Change 748137 merged by Ryan Kemper:

[operations/puppet@production] admin: Add Brian King to ops and analytics_privatedata_users groups

https://gerrit.wikimedia.org/r/748137

Added bking to LDAP users and merged the puppet patches. This should be all done AFAICT.

RKemper updated the task description.