Page MenuHomePhabricator
Create Task
Maniphest T333212

replace dzahn as signer in pwstore
Closed, ResolvedPublic
Actions

Details

SubjectRepoBranchLines +/-
Update pws-trusted-users template fileoperations/debs/wmf-sre-laptopmaster+3 -1
Customize query in gerrit

Related Objects

Event Timeline

Dzahn created this task.Mar 27 2023, 6:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 27 2023, 6:23 PM
Dzahn added a project: collaboration-services.Mar 27 2023, 6:23 PM
Dzahn added a comment.Mar 31 2023, 4:20 PM

Since I am planning to go on a sabbatical I should find someone to replace me as one of the only 2 users who can add/remove users in pwstore.

Aklapper awarded a token.Mar 31 2023, 4:34 PM
Dzahn added a subscriber: Muehlenhoff.Mar 31 2023, 5:05 PM

also: maybe it should be more than 2 people for all of SRE nowadays? not sure. cc: @Muehlenhoff

Dzahn renamed this task from replace myself as signer in pwstore to replace dzahn as signer in pwstore.Apr 1 2023, 1:34 AM
Dzahn added a project: Infrastructure Security.
Dzahn added a subscriber: jbond.
Dzahn added a subscriber: LSobanski.Apr 1 2023, 1:36 AM
LSobanski triaged this task as Medium priority.Apr 3 2023, 3:52 PM
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
MoritzMuehlenhoff subscribed.EditedApr 4 2023, 11:46 AM

I don't think there's a need to _replace_ you, instead we should rather add a third person (ideally in an American timezone).

jbond added a comment.Apr 4 2023, 3:51 PM
In T333212#8754044, @MoritzMuehlenhoff wrote:

I don't think there's a need to _replace_ you, instead we should rather add a third person (ideally in an American timezone).

I wonder if we should just have this as an I/F owned process and have give everyone in I/F (with optional +N years tenure) the capability

Dzahn added a comment.Apr 4 2023, 4:42 PM

+1 to jbond :)

MoritzMuehlenhoff added a comment.Apr 5 2023, 9:24 AM

I wonder if we should just have this as an I/F owned process and have give everyone in I/F (with optional +N years tenure) the capability

Agreed on making this an I/F owned process (when we setup pwstore there were no sub teams). Doesn't need to be linked to any tenure, I think anyone we trust with root access should be able to handle the steps.

But we can't easily extend it to _all_ I/F members on an ongoing basis since every change of the signers needs coordination so that everyone using pwstore adds their key to ~/.pws-trusted-users. But we can make a roll call in the next IF meeting who wants to deal with it and then send a mail so that people update their trust file to add those keys. Then we have sufficient redundancy for the next years.

jbond added a comment.Apr 5 2023, 10:43 AM
In T333212#8758222, @MoritzMuehlenhoff wrote:

I wonder if we should just have this as an I/F owned process and have give everyone in I/F (with optional +N years tenure) the capability

Agreed on making this an I/F owned process (when we setup pwstore there were no sub teams). Doesn't need to be linked to any tenure, I think anyone we trust with root access should be able to handle the steps.

But we can't easily extend it to _all_ I/F members on an ongoing basis since every change of the signers needs coordination so that everyone using pwstore adds their key to ~/.pws-trusted-users. But we can make a roll call in the next IF meeting who wants to deal with it and then send a mail so that people update their trust file to add those keys. Then we have sufficient redundancy for the next years.

SGTM

Dzahn awarded a token.Apr 5 2023, 3:53 PM
Dzahn removed Dzahn as the assignee of this task.Apr 5 2023, 4:30 PM
LSobanski moved this task from Work in Progress to Consultation on the collaboration-services board.Apr 7 2023, 4:27 PM
Dzahn added a comment.May 9 2023, 3:57 AM

friendly ping to get this back on the team meeting agenda

Dzahn mentioned this in T298194: Research improvements to Pwstore process.May 10 2023, 1:51 AM

Also see more general but related T298194

Dzahn added a comment.Jul 10 2023, 8:24 PM

There are about 3 days left before I am out at this point.

LSobanski added a comment.Aug 9 2023, 1:56 PM

Bumping for awareness to make sure we don't have a single point of failure for this process.

jhathaway subscribed.Aug 21 2023, 2:34 PM

I'm happy to be added on the North American side of the pond.

LSobanski removed a project: collaboration-services.Oct 18 2023, 8:29 AM
Aklapper added a comment.Oct 18 2023, 9:53 AM

@LSobanski: Who to ultimately make a decision to fix this bottleneck?

LSobanski added a comment.Oct 18 2023, 10:03 AM

Following https://phabricator.wikimedia.org/T333212#8758222 I'll lean on @MoritzMuehlenhoff.

gerritbot added a comment.Dec 20 2023, 12:23 PM

Change 984522 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/debs/wmf-sre-laptop@master] Update pws-trusted-users template file

https://gerrit.wikimedia.org/r/984522

gerritbot added a project: Patch-For-Review.Dec 20 2023, 12:23 PM
gerritbot added a comment.Dec 20 2023, 12:26 PM

Change 984522 merged by Muehlenhoff:

[operations/debs/wmf-sre-laptop@master] Update pws-trusted-users template file

https://gerrit.wikimedia.org/r/984522

Maintenance_bot removed a project: Patch-For-Review.Dec 20 2023, 12:31 PM
MoritzMuehlenhoff edited projects, added Infrastructure-Foundations; removed Infrastructure Security.Dec 21 2023, 8:51 AM
MoritzMuehlenhoff closed this task as Resolved.Dec 21 2023, 9:16 AM
MoritzMuehlenhoff claimed this task.

Done. New signers are Jesse, Simon, Riccardo and myself. Docs and the onboarding template have been updated and I've also send a mail with the steps people need to make to update their pwstore config.

Dzahn added a comment.EditedDec 22 2023, 8:54 PM

Thanks, Moritz, cheers!

Made a small edit to the wiki page to replace my name with the new names.

The docs work for me! Just a minor thing that one of the user keys happened to expire just yesterday.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL