
cross-validate-accounts: Malformed membership for ops user ..., has additional group(s): {'deployment-ci-admins'}
Closed, Resolved (Public)

Description

While following the procedure for verifying the SSH public key of this request, I got some unexpected output for cross-validate-accounts:

razzi@mwmaint1002:~$ cross-validate-accounts --username ebysans --uid 36868 --email snwachukwu@wikimedia.org --real-name "Sandra Ebele Nwachukwu" --ssh-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdxCaU2CJ8Q+P8lJgbodjK5HijU24+XuihTLdUY sandra" --kerberos
Malformed membership for ops user ..., has additional group(s): {'deployment-ci-admins'}
Malformed membership for ops user ..., has additional group(s): {'deployment-ci-admins'}
... repeated a bunch of times ...

There was no output having to do with the query itself; in fact, after changing the query to use dummy values and removing part of the SSH key, I got the same output:

razzi@mwmaint1002:~$ cross-validate-accounts --username bogus --uid 00000 --email nobody@wikimedia.org --real-name "asdf" --ssh-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdxCaU2CJ8Q+P8lJgbo sandra" --kerberos
Malformed membership for ops user ...
...

Event Timeline

Noticed the same thing "Malformed membership for ops user" but via the emails sent by the same script to root.

Dzahn renamed this task from "Lots of error output for cross-validate-accounts, but nothing to do with the parameters" to "cross-validate-accounts: Malformed membership for ops user ..., has additional group(s): {'deployment-ci-admins'}". Jan 7 2022, 10:07 PM
Dzahn added a project: serviceops.
Dzahn added a subscriber: Joe.
Dzahn triaged this task as Medium priority. Jan 7 2022, 10:16 PM

Soo... since the change above, the new group deployment-ci-admins contains contint-admins, and contint-admins contains ops.

The cross-validate-accounts script wants to check that a user in ops isn't also in other groups. It considers that redundant and wants us to use only ops afaict.

It doesn't seem like anything is broken in prod but it confuses users doing unrelated access requests and creates cron spam to root.
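
The check described in the comment above, as an added sketch that is not part of this task and not the cross-validate-accounts source. It assumes groups may list other groups as members; the group data, user names, function names and the `expected` allowlist are constructed for illustration.

```python
# Added illustration; not the cross-validate-accounts source.
# GROUPS is constructed sample data: a member is either a user or another group.
GROUPS = {
    "ops": ["alice", "bob"],
    "contint-admins": ["ops", "carol"],
    "deployment-ci-admins": ["contint-admins", "dave"],
    "analytics-users": ["bob", "erin"],
}


def expand(group, groups, _seen=None):
    """Return the users in `group`, following nested groups (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:
            users |= expand(member, groups, seen)
        else:
            users.add(member)
    return users


def audit_ops(groups, expected):
    """Map each ops user to the groups they hold beyond 'ops' and `expected`."""
    effective = {g: expand(g, groups) for g in groups}
    findings = {}
    for user in sorted(effective["ops"]):
        extra = {g for g, users in effective.items() if user in users}
        extra -= {"ops"} | set(expected)
        if extra:
            findings[user] = extra
    return findings


def report(findings):
    """Render findings in the style of the warning quoted in this task."""
    return [f"Malformed membership for ops user {u}, has additional group(s): {sorted(g)}"
            for u, g in findings.items()]


if __name__ == "__main__":
    # Before: the new wrapper group is not on the expected list, so every ops user is flagged.
    print("\n".join(report(audit_ops(GROUPS, {"contint-admins"}))))
    # After: only the membership that is genuinely outside the expected list remains.
    print("\n".join(report(audit_ops(GROUPS, {"contint-admins", "deployment-ci-admins"}))))
```

Once the new group is on the expected list, the audit stops flagging every ops user and still reports the one membership in the sample data that is outside it.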

Change 752022 had a related patch set uploaded (by RhinosF1; author: RhinosF1):

[operations/puppet@production] cross-validate-accounts: add deployment-ci-admins to ops expected list

https://gerrit.wikimedia.org/r/752022

Change 752022 merged by Muehlenhoff:

[operations/puppet@production] cross-validate-accounts: add deployment-ci-admins to ops expected list

https://gerrit.wikimedia.org/r/752022

MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff subscribed.

Fixed with the patch by RhinosF1, closing.

Sorry, I didn't realize I needed to add the group to the cross-validate-accounts lists.

Yep, same here, now aware of the list. Thanks for the patch @RhinosF1