
Requesting access to maintenance servers for mfossati
Closed, Resolved; Public; Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Marco Fossati
  • Developer access username: mfossati
  • Email address: mfossati@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5/YSLfsC+/YmMmMx91QzJ/yAsl4e3ubOFnBIqvPY2W galmac-prod
  • Requested group membership: restricted
  • Reason for access: as a member of Structured-Data-Backlog, I'd like to access the maintenance servers to run the maintenance script per T292147: [L] Send Image Suggestions notifications to experienced users
  • Name of approving party (manager for WMF/WMDE staff): @Seddon
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

See also previous request at T299343: Requesting access to analytics clients for mfossati.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Approved, standing in as interim whilst @MarkTraceur is on sabbatical

Volans triaged this task as Medium priority. Jul 25 2022, 11:29 AM
Volans updated the task description.

I think that you want the restricted group:

description: access to mwmaint hosts, mwlog hosts (private data) and bastion hosts
             restricted folks use sudo to access www-data resources

I'm updating the task description and adding @thcipriani for approval as group owner.

Thanks for your action, @Volans! @Cparle, can you confirm that restricted is the correct group? I don't see @matthiasmullie's shell account mlitn in it and it says that's a subset of the deployment privileges.
Maybe deployment is a wider one that would prevent me from opening another request in case I need to deploy in the future?

@thcipriani just wanting to note there is a time pressure on this ticket and need for it by Wednesday

@Seddon: is this not waiting on a response to the above comment from @Cparle?

Actually it's likely that @mfossati might need deployment while myself and @matthiasmullie are on leave (from Monday August 1), so if that includes access to the maint servers then let's go for that instead

@Cparle: thanks. @thcipriani is out of office today. You might have to escalate further up the chain.

@kchapman would you be able to sign off on this?

Hi all, after reviewing I'm going to approve this for restricted. @thcipriani is back tomorrow and can approve for deployment if that is what is needed.

@mfossati I just noticed that you already have shell access, as it was granted in T299343. Please mention it in subsequent requests for group membership changes, as the form above can be greatly simplified: all the prerequisites are already fulfilled if you already have access. For example, there is no need to paste your SSH key, etc.

I'm sending the patch for restricted for now, and it will be modified later in case an agreement on deployment is reached.

Change 817191 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] admin: add mfossati to restricted group

https://gerrit.wikimedia.org/r/817191

> @mfossati I just noticed that you already have shell access, as it was granted in T299343. Please mention it in subsequent requests for group membership changes, as the form above can be greatly simplified: all the prerequisites are already fulfilled if you already have access. For example, there is no need to paste your SSH key, etc.

I actually did that in the task description 🙂

> I'm sending the patch for restricted for now, and it will be modified later in case an agreement on deployment is reached.

OK, thank you @Volans!

Change 817191 merged by Volans:

[operations/puppet@production] admin: add mfossati to restricted group

https://gerrit.wikimedia.org/r/817191

> I think that you want the restricted group:
>
> description: access to mwmaint hosts, mwlog hosts (private data) and bastion hosts
>              restricted folks use sudo to access www-data resources
>
> I'm updating the task description and adding @thcipriani for approval as group owner.

> Hi all, after reviewing I'm going to approve this for restricted. @thcipriani is back tomorrow and can approve for deployment if that is what is needed.

+1 approved for restricted! Thanks for the merge @Volans

> Actually it's likely that @mfossati might need deployment while myself and @matthiasmullie are on leave (from Monday August 1), so if that includes access to the maint servers then let's go for that instead

I'm open to this: the more deployers the better. If you're interested in learning how to do deploys, we can start to get you through that process.

Patch has been merged, it will be reflected in the fleet within ~30 minutes. @mfossati after 16:35 UTC you can verify you have access and if it's all good please resolve this task.

@Volans: I confirm I can ssh mwmaint1002.eqiad.wmnet.
@thcipriani: I attended a deployment training session, see T302204: Deployment training request for mfossati. I've also scheduled another one: T313812: Deployment training request for mfossati. It would be great to get into the deployment group as well.

@mfossati great! I think we could close this task then and when the time comes open a separate one for deployment. Please mention in the future request to convert restricted to deployment as the latter is a superset of the former.

mfossati claimed this task.

That sounds good, closing!