Page MenuHomePhabricator

Fundraising access request for Emma Hughes
Open, Needs TriagePublic


This is a new access request for @ehughes. They require the following access: (mark each box with an x)

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - if specific hosts: frdev1001
  • mysql - if specific hosts or databases: list here
  • superset
  • other: please explain

Thank you!

New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.


Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level that access is approved.

[x] user_verification
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on

Accounts and Services

[x] user account
Requires: user_verification
[x] Add the user to the users.yaml and group_members.yaml files as appropriate.
[x] Push out puppet changes.
[ ] yubikey
Requires: useraccount and ITS request to send out yubikey to user
[x] physical: Make a request to ITS to have a key sent to the user
[x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[ ] follow_on: Make sure user can use yubikey for ssh access
[ ] ssh
Requires: useraccount and yubikey
[x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[ ] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[ ] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [x] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants on appropriate dbs.
    [x] Create the user a ~/.my.cnf file with the original password from account creation.
[ ] follow_on: Verify user can ssh to the required host and log in to mysql.

Event Timeline

@ehughes already has a superset account Please let me know if a password reset is needed.

[frack::puppet] a2a65353 Adding ehughes accounts
[frack::puppet::private] c7418f9 Add ehughes yubikey pub key
[frack::puppet::private] 60f73a1 Add ehughes mysql account and grants

Unix account created and pushed out. mysql accounts created with grants mirroring spatton. Documentation sent on how to create the ssh keypair and ssh config file.

Hi @Dwisehaupt here's the public key for my ssh keypair:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGMKizxsslWM4FY5+g86i3ae7sNT30k2wqv5Ssl/5QE

Thanks @ehughes. I'll be sending on the instructions for testing your connection in just a few minutes.