Subject | Repo | Branch | Lines +/- |
---|---|---|---|
Update pws-trusted-users template file | operations/debs/wmf-sre-laptop | master | +3 -1 |
Details
Related Objects
- Mentioned In
- T298194: Research improvements to Pwstore process
- Mentioned Here
- T298194: Research improvements to Pwstore process
Event Timeline
Since I am planning to go on a sabbatical I should find someone to replace me as one of the only 2 users who can add/remove users in pwstore.
also: maybe it should be more than 2 people for all of SRE nowadays? not sure. cc: @Muehlenhoff
I don't think there's a need to _replace_ you, instead we should rather add a third person (ideally in an American timezone).
I wonder if we should just have this as an I/F owned process and give everyone in I/F (with optional +N years tenure) the capability
Agreed on making this an I/F owned process (when we set up pwstore there were no sub teams). Doesn't need to be linked to any tenure, I think anyone we trust with root access should be able to handle the steps.
But we can't easily extend it to _all_ I/F members on an ongoing basis since every change of the signers needs coordination so that everyone using pwstore adds their key to ~/.pws-trusted-users. But we can make a roll call in the next IF meeting who wants to deal with it and then send a mail so that people update their trust file to add those keys. Then we have sufficient redundancy for the next years.
Bumping for awareness to make sure we don't have a single point of failure for this process.
Following https://phabricator.wikimedia.org/T333212#8758222 I'll lean on @MoritzMuehlenhoff.
Change 984522 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/debs/wmf-sre-laptop@master] Update pws-trusted-users template file
Change 984522 merged by Muehlenhoff:
[operations/debs/wmf-sre-laptop@master] Update pws-trusted-users template file
Done. New signers are Jesse, Simon, Riccardo and myself. Docs and the onboarding template have been updated and I've also sent a mail with the steps people need to make to update their pwstore config.
Thanks, Moritz, cheers!
Made a small edit to the wiki page to replace my name with the new names.
The docs work for me! Just a minor thing that one of the user keys happened to expire just yesterday.