Page MenuHomePhabricator

Grant ssh access to analytics-admins to dcausse and gmodena
Closed, ResolvedPublic

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Requested group membership: analytics-admins
  • Reason for access: It would be helpful for event platform experiments if dcausse and gmodena had a little more access to things like kafka-test, etc. We'd like to put them in analytics-admins just to not have to ask for this in the future.

analytics-admins will grant them HDFS super user permissions, but I think this is okay, they work very closely with us day to day.

  • Name of approving party (manager for WMF/WMDE staff):
  • Gmodena: Will Doran or Matt Nadrofsky
  • Dcausse: @Gehel
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

No objection from me. Do we need any additional approval from elsewhere in SRE or can we just go ahead and make the change? Maybe @odimitrijevic could second the request?

Do we need any additional approval from elsewhere in SRE or can we just go ahead and make the change

Regarding approvals, if the change is just of user groups, the regular method has to be followed (although most ticks will be already done)- this makes sure nothing is missing from the checkslist, and everybody is aware of the change. This same ticket can be used for that.

If the change means a change of sudo rights for an existing group, it will need #SRE-foundations discussion and approval.

According to Namely, Will and Guillome should approve for each + either Otto or Olja from your side (let me know if that is up to date).

To clarify- there is no blocker from SRE team ops to proceed with this, we are eager and waiting for the template to be added on this ticket to formally kickstart the process.

Thanks Jaime,
Here are the existing sudo permissions applicable to analytics-admins: https://github.com/wikimedia/puppet/blob/production/modules/admin/data/data.yaml#L389-L404

@WDoranWMF - Are you happy to approve these elevated privileges (analytics-admins) for @gmodena ?

@Gehel - Are you happy to approve the same for @dcausse ?

I think that since @Ottomata originally created the ticket and proposed the change, we don't need to seek additional approval from @odimitrijevic - but tagging her for visibility anyway.

@jcrespo I can make this change once the other approvals have been given.

Thanks Ottomata, please use the template with the checklist I linked to you; otherwise I think there is not enough visibility and clarity to follow the process as documented and not forgetting any step.

Done, I removed irrelevant parts, if that is okay.

Done, I removed irrelevant parts, if that is okay.

👍

Sorry to be pedantic about this, it is not mere bureaucracy- it helps searching and solving access issues in the future much quicker, and you make our life as SREs much easier! Leaving you taking care of it, but you can contact the clinician for this week for a +1 if needed.

@BTullis I approve this for @gmodena . With Will currently away, I'm acting manager for Gabriele. Let me know if you need anything else!

Hello @Gehel , do you approve @dcausse access to the analytics-admins group ?

BTullis updated the task description. (Show Details)

Change 860523 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add dcausse and gmodena to analytics-admins

https://gerrit.wikimedia.org/r/860523

Change 860523 merged by Btullis:

[operations/puppet@production] Add dcausse and gmodena to analytics-admins

https://gerrit.wikimedia.org/r/860523

BTullis closed this task as Resolved.EditedNov 24 2022, 11:12 AM

@dcausse, @gmodena - Welcome to the analytics-admins group!

Please enjoy your elevated privileges responsibly and, as ever, feel free to ask if you have any queries.