Page MenuHomePhabricator

Requesting access to deployment for fkaelin
Closed, ResolvedPublicRequest


Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Fabian_Kaelin
  • Email address:
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHyKPeAQbIJzDPFnjM4i0gl4RbDUZRJB7aPhzTwtjpAH fab@wmf
  • Requested group membership: deployment
  • Reason for access: deploy miscweb Kubernetes service from deployment hosts
  • Name of approving party (manager for WMF/WMDE staff): @leila
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see

Event Timeline

Approved on my end. Thank you!

  • L3 not yet signed.
  • LDAP user does not exist. Fabian should try logging in to wikitech and verify the email address, if required.
  • deployment group access needs additional OK from @thcipriani

Thanks @colewhite.

  • As part of the data eng onboarding (T267817), I signed the L3 and a LDAP user should have been created.
  • This is the wikitech account, and the shell name is fab.
  • The SSH in this ticket is also used for the data engineering infra, but not for the cloud services.

Please let me know if something is not in order.

Thanks @fkaelin!

Found the L3 signature. Good to go!
Found based on the shell name and existing data entry. The email is subaddressed making ldap search return false negative.

Just need a sign off from @thcipriani and we can merge the patch.

Change 948693 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] admin: add fab to deployment group

Clement_Goubert changed the task status from Open to In Progress.Aug 16 2023, 2:22 PM

Approved from the deployment group. Rationale makes sense.

Change 948693 merged by Clément Goubert:

[operations/puppet@production] admin: add fab to deployment group

Clement_Goubert claimed this task.
Clement_Goubert added a subscriber: Clement_Goubert.

Patch merged, the access should be deployed by puppet in the next half-hour. Boldly resolving, feel free to reopen if there is any issue.