Add pfischer to #wmf-nda on Phab and to #wmf on LDAP
Closed, Resolved (Public)

Description

Hi! I started working as an engineer for search platform in September. Creating this ticket is part of my onboarding todos.

@pfischer will need to access NDA tasks on Phabricator to be able to follow and fix security issues on the Search Platform projects.

@pfischer will need to be a member of the #wmf LDAP group for access to logstash, turnilo, grafana, etc...

Phabricator account: pfischer
Shell username: pfischer
SSH Public Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+qwSlb7Cz54C93i61yk5rwx5hyqaofOdJw/TkRVVCZ pfischer@wikimedia.org

Event Timeline

Hi @pfischer, thanks for taking the time to report this! Is this about the LDAP group, or about the Phabricator project tag? If the latter, then it should be part of the process for the former anyway, and not require filing a separate ticket anymore. (Is the onboarding checklist of your team available somewhere?)

@Aklapper : our onboarding doc might be outdated on this. It is referencing getting access to the NDA group in Phab, but @pfischer is also going to need to be added to the LDAP wmf group (for access to logstash, grafana, turnilo, etc...). If those 2 requests can be merged into a single one, then great! I'll update the description.

For the record, the doc about getting LDAP wmf access seems to be at https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups.

Gehel renamed this task from Add pfischer to #wmf-nda to Add pfischer to #wmf-nda on Phab and to #wmf on LDAP. Sep 2 2022, 2:33 PM
Gehel added a project: LDAP-Access-Requests.
Gehel updated the task description.

fwiw WMF-NDA on Phabricator and LDAP groups are entirely unrelated things and handled by different people. (not saying it can't be handled in one ticket, we just need to pass it along, no biggie). Just to make clear there is no relation between them.

@pfischer I'm the clinic duty person this week.
Can you confirm your wikimedia email address, please, and that you set up a wikimedia developer account[0], please?

I ran the usual check script[1] against pfischer@ and it didn't find a wikitech account (nor a job title or manager)...

[0] cf https://wikitech.wikimedia.org/wiki/Help:Create_a_Wikimedia_developer_account
[1] https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#Verifying_WMF_developer_accounts

@MatthewVernon, thank you for looking into this. I already created a dev account, please have a look at the attached screenshot (wmf_dev_account_pfischer.png).

Update: Unfortunately, even though @pfischer has created the Wikitech dev account, nothing has changed since @MatthewVernon's comment above:

sudo check_user [redacted for spam prevention]
WikiTech Users:
	no user found with [redacted for spam prevention]

Gsuit User:
	Primary Email:	[redacted for spam prevention]
	Aliases:
	title:		No title found.
	manager:	No manager found.
	agreedToTerms:	True

I'm not sure if it takes a while to sync this information. I will reach out to IT in Slack to see if they have any ideas on the Gsuite side of things.

@pfischer Can you add your SSH public key to this ticket so I can add you to shell users?

@Gehel Should Peter have access to all groups that EBernhardson and dcausse are in? If not, please specify which groups he needs to be in.

Not sure if this is why, but I did find this:

Note that it is possible that a developer account exists without a corresponding Wikitech account, if the user signed up for the account using the Toolforge admin console and has not logged into Wikitech.

@pfischer Per the above, you might need to log into Wikitech directly. Want to give that a try when you get a chance and then we'll see if you appear in WikiTech users afterwards?

@Dzahn: Not in the special case of ldap/wmf though, per SRE instructions

Oops, of course you are absolutely right there, Andre.

We added pfischer to the WMF LDAP group per these instructions, and added him to the WMF-NDA phabricator group.

Peter, please test out this access and let us know if we need to fix/change anything.

@bking, thanks! It works, at least I'm able to log into thanos and grafana-rw, now. Do you still need my SSH public key? Would the one I use for gerrit suffice or would you recommend generating a separate one?

@pfischer After I asked for your public key, it looks like someone updated the original request with the key. Thus, I believe you should have access already. Can you try logging into an elastic and/or wdqs server and let us know if you can get in? Also, if you could verify root access via sudo -i, that would be helpful as well. Thanks!

Hi @pfischer, you are in the requested wmf LDAP group and the WMF-NDA group in Phabricator meanwhile.

If you could confirm that you can login at logstash/turnilo/grafana (and ideally also that you can read a non-public ticket) then we can close this ticket.