
Requesting access to the deployment POSIX group for aikochou and kevinbazira
Closed, Resolved. Public.

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • shell username: aikochou and kevinbazira
  • Requested group membership: deployment
  • Reason for access:

Recently permissions for Helm config files changed (https://phabricator.wikimedia.org/T305729) to allow only members of the deployment group to read them, and some ml-team members not in it started to see permissions problems while deploying:

  1. Permission in helmfile while using it, since the HELM_CACHE_HOME was not writable/readable anymore. This problem can be worked around by exporting a new cache home directory for each user, as explained in T307927#7920508.
  2. Permission to read files under /etc/helmfile-defaults/private, ending up in wrong deployment actions/diffs (like removing Secrets etc. because they are not readable anymore, see T307927#7921020).

If it was only HELM_CACHE_HOME the problem, we could have added another one for the ml-team use case, but since more helmfile config files are involved, the quickest solution seems to be to add ml-team deployers to the deployment group.

A more long term solution may be needed, but I'd prefer to allow members of my team to keep deploying right now without being blocked.

https://gerrit.wikimedia.org/r/c/operations/puppet/+/791036/

  • Name of approving party (manager for WMF/WMDE staff): Chris Albon
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access
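The two failure modes named in the request (an unusable HELM_CACHE_HOME, and unreadable files under /etc/helmfile-defaults/private leading to diffs that remove Secrets) can be caught before helmfile is run. The following preflight is an added example, not part of the task or of Wikimedia's tooling; the function names and the per-user cache location are assumptions.

```shell
#!/bin/sh
# Added example. The directory below is the one named in the task text;
# function names and the per-user cache path are assumptions.
PRIVATE_DIR="${PRIVATE_DIR:-/etc/helmfile-defaults/private}"

# Print every file or directory under $1 that the current user cannot read.
# A missing or untraversable top-level directory is reported as one entry.
unreadable_paths() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        printf '%s\n' "$dir"
        return 0
    fi
    find "$dir" \( -type f -o -type d \) 2>/dev/null | while IFS= read -r p; do
        [ -r "$p" ] || printf '%s\n' "$p"
    done
}

# Keep HELM_CACHE_HOME if it is a readable and writable directory; otherwise
# switch to a private per-user directory under $1 (default: $HOME/.cache).
ensure_cache_home() {
    base=${1:-$HOME/.cache}
    if [ -n "${HELM_CACHE_HOME:-}" ] && [ -d "$HELM_CACHE_HOME" ] \
        && [ -r "$HELM_CACHE_HOME" ] && [ -w "$HELM_CACHE_HOME" ]; then
        return 0
    fi
    HELM_CACHE_HOME="$base/helm-$(id -u)"
    ( umask 077 && mkdir -p "$HELM_CACHE_HOME" ) || return 1
    export HELM_CACHE_HOME
}

# Return 0 only when helmfile would see the complete configuration.
# An unreadable values file must stop the deploy: otherwise the rendered
# diff silently omits it and may propose deleting existing Secrets.
helmfile_preflight() {
    missing=$(unreadable_paths "${1:-$PRIVATE_DIR}")
    if [ -n "$missing" ]; then
        printf 'refusing to deploy, unreadable config:\n%s\n' "$missing" >&2
        return 1
    fi
    ensure_cache_home "${2:-}" || { echo 'no usable HELM_CACHE_HOME' >&2; return 1; }
}
```

Source the file and chain it in front of the deploy command, for example `helmfile_preflight && helmfile diff`, so an incomplete view of the configuration fails closed.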

Event Timeline

I may have created this task too soon, some discussion on T305729 is still happening, let's wait before proceeding.

RLazarus changed the task status from Open to Stalled. May 13 2022, 5:35 PM
RLazarus assigned this task to elukey.
RLazarus moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.
RLazarus subscribed.

> I may have created this task too soon, some discussion on T305729 is still happening, let's wait before proceeding.

No worries -- assigning this back over to you just so the state is clear. Whenever this needs action, you can set the status back to Open and unassign it, and the SRE on clinic duty will pick it up. (We'll ask you to fill in the information from the usual template, except that you can leave out the SSH keys since it's just a group change.)

RLazarus triaged this task as Medium priority. May 13 2022, 5:45 PM
elukey renamed this task from Add Aiko and Kevin to the deployment posix group to Requesting access to the deployment POSIX group for aikochou and kevinbazira. May 17 2022, 2:27 PM
elukey updated the task description.
elukey changed the task status from Stalled to Open. May 18 2022, 7:06 AM
elukey removed elukey as the assignee of this task.
elukey updated the task description.

Resetting the task to open, since I think that Kevin and Aiko should end up in the deployment group. They will not need all the sudo capabilities for MediaWiki etc., but as far as I can see the group is already composed of people that don't need it as well. We'll probably need to segment deployment further in the future, we'll see :)

@calbon: to complete the paperwork, could you add your "approval" stamp?

@thcipriani Hi! When you have a moment, could you please review this request and let me know if it is a good use case for deployment? Thanks :)

> @thcipriani Hi! When you have a moment, could you please review this request and let me know if it is a good use case for deployment? Thanks :)

Makes sense to me. Approved!

Change 798664 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] Add aikochou and kevinbazira to deployment

https://gerrit.wikimedia.org/r/798664

Change 798664 merged by Dzahn:

[operations/puppet@production] Add aikochou and kevinbazira to deployment

https://gerrit.wikimedia.org/r/798664

Dzahn changed the task status from Open to In Progress. May 26 2022, 10:08 PM

deployed / resolved.

Both users exist on the deployment server now. They will also exist on all the appservers within the next 30 min when puppet runs there.

You should be ready to go. Just give it a couple minutes. Feel free to reopen if you run into any problems.

[deploy1002:~] $ id kevinbazira
uid=21773(kevinbazira) gid=500(wikidev) groups=500(wikidev),705(deployment),763(deploy-service),833(deploy-ml-service)
[deploy1002:~] $ id aikochou
uid=22731(aikochou) gid=500(wikidev) groups=500(wikidev),705(deployment),833(deploy-ml-service)
Dzahn claimed this task.