Grant ops-monitoring-bot WMF-NDA and acl*sre-team access
Closed, Resolved, Public

Description

It would be convenient if the @ops-monitoring-bot could write on tasks restricted to WMF-NDA and acl*sre-team.

My use case is the new sre.network.debug cookbook, which adds debug output to tasks. Unfortunately, such tasks are often restricted as they mention 3rd party providers, and the Cookbook fails with:
phabricator.APIError: ERR-CONDUIT-CORE: Monogram "T314511" does not identify a valid object.

Of course I understand if it's not safe security-wise.
Opening this task in case we were waiting for a valid use case before granting such privileges.
Or maybe there is a way to only grant write access with no read access, which would mitigate the risk.

Event Timeline

ayounsi created this task.

We discussed it during our team meeting and agreed that it would be great to have.

@Aklapper do you know if it's possible to grant write-only (or even "comment-only") access to this bot?

If it's possible then that's great. If not, we will have a closer look at who has access to this bot's credentials to know if it's safe to grant it read/write.

Ok, thanks! Boldly assigning it to @Volans to know more as I think he created the bot and tooling around it.

The credentials for this bot are managed by puppet; they are currently installed on these hosts:

alert[1001,2001].wikimedia.org,cumin2002.codfw.wmnet,cumin1001.eqiad.wmnet

in /etc/phabricator_ops-monitoring-bot.conf with permissions -r--r----- 1 root root
with the password defined in the puppet's private repo.
AFAIK it's currently used only by Spicerack (cumin hosts) and the Icinga raid event handler (alert hosts).

In both cases, with the current feature set, its access is basically write-only as in both cases it's just either creating a new task or appending a comment to an existing task. But that might change in the future, in particular in the wmflib implementation used by Spicerack.

That said, given the current setup model, I would not see it as a security issue to grant the bot the WMF-NDA permission. I'll re-check in today's team meeting with the rest of the group.

I'll re-check in today's team meeting with the rest of the group.

We discussed it in a previous IF meeting (while you were on vacation) and the consensus was that no one had objections, but wanted to ask you still :-)

As agreed in today's SRE I/F meeting, I've added the sre-monitoring-bot to both WMF-NDA and acl*sre-team policies. Resolving.