Page MenuHomePhabricator

Grant Access to ldap/wmf for Marco_Fossati
Closed, ResolvedPublic

Description

  • The username of your existing account on wikitech.wikimedia.org: Marco_Fossati
  • Do you currently have shell access (Yes/No)? No
  • Purpose (Specify which service you need to get access to, e.g. Icinga, Grafana, Superset etc): Superset (I guess)
  • The specific LDAP group that you want to be added to (optional):

For contractors only:

  • Contract end date:
  • Contract contact person:

Event Timeline

Does shell access mean regular or production one? I don't have the latter yet.

Dzahn changed the task status from Open to In Progress.Jan 7 2022, 8:07 PM
Dzahn moved this task from Backlog to Manager Approval Pending on the LDAP-Access-Requests board.
cmooney triaged this task as Medium priority.

Approved! Re: Specific access, this is part of our onboarding checklist. It says:

"Create a Phabricator task to request access to the group ldap/wmf for your Gerrit account[.] ... This group gives you general code review approval rights in the system, as well as access to myriad different tools and services."

Change 753463 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/puppet@production] Add Marco Fossati to LDAP WMF Group

https://gerrit.wikimedia.org/r/753463

Change 753463 merged by Cathal Mooney:

[operations/puppet@production] Add Marco Fossati to LDAP WMF Group

https://gerrit.wikimedia.org/r/753463

@mfossati I have added you to the required LDAP group now.

Can you test your access and advise if it is working? Thanks.

Thanks for your action @cmooney . I've tried to access all the blue-linked services in https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#wmf_group . The following ones are failing:

servicereason
https://integration.wikimedia.org/ci/configureSecurity/Access Denied - Marco Fossati is missing the Overall/Administer permission
https://piwik.wikimedia.org/Error: Wrong Username and password combination.
https://grafana.wikimedia.org/Server Error: failed to log in as user, specified in auth proxy header

Hey @mfossati,

re: integration.wikmedia.org - I would say it's expected that you get "denied" for that specific URL (the configureSecurity part), I do too. But you should not see an error for example for https://integration.wikimedia.org/ci/job/operations-puppet-catalog-compiler/ and still be able to use that.

re: piwik.wikimedia.org - this is a question for people running piwik but I can confirm it's not just you, I get that too. It seems piwik might actually have an issue or is intentionally doing that

re: grafana.wikimedia.org - this should not actually need a login but when you click on "sign in" in the lower left corner, you should get redirected to "grafana-rw" (https://grafana-rw.wikimedia.org/?orgId=1) and be logged in there and that should work

Thanks for your comments @Dzahn , very useful!

re: grafana.wikimedia.org - this should not actually need a login but when you click on "sign in" in the lower left corner, you should get redirected to "grafana-rw" (https://grafana-rw.wikimedia.org/?orgId=1) and be logged in there and that should work

Yep, that's what I was trying to do. Thanks to @cmooney , we've sorted out the server error.

At this point, feel free to close this task. I'll integrate your feedback on Wiki at https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#wmf_group

Thanks @mfossati for the feedback, and indeed @Dzahn for the detailed info, appreciate it.