
Fundraising access request for ncreasy
Open, Needs Triage, Public

Description

This is a new access request for ncreasy. They require the following access: (Mark the box for each requirement with an x)

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - if specific hosts: fran1001, frdev1001 - same as what Joseph and Runjini have
  • mysql - if specific hosts or databases: fran1001, frdev1001 -- same as what Joseph and Runjini have
  • superset
  • other: please explain

New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.

Prerequisites

Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval of the access from the C level.

[x] user_verification
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[ ] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list

Accounts and Services

[x] client_ssl_cert
Requires: user_verification
[x] cert_setup: generate cert on frpm1001 using ssl_user_admin
[x] account_setup: SMS the user the password for the key
[x] follow_on: assist with certificate installation
[x] civicrm
Requires: client_ssl_cert
[x] account_setup: Create user account. This will notify the user via email to update their password.
[x] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[x] superset
Requires: client_ssl_cert
[x] account_setup: Create user account. Notify the user of their account name and password.
[x] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org
[x] archive_access: Add to Google Drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[x] user account
Requires: user_verification
[x] Add the user to the users.yaml and group_members.yaml files as appropriate.
[x] Push out puppet changes.
[x] yubikey
Requires: useraccount and ITS request to send out yubikey to user
[x] physical: Make a request to ITS to have a key sent to the user
[x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[x] follow_on: Make sure user can use yubikey for ssh access
[x] ssh
Requires: useraccount and yubikey
[x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[x] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[x] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [x] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants on appropriate dbs.
    [x] Create the user a ~/.my.cnf file with the original password from account creation.
[x] follow_on: Verify user can ssh to the required host and log in to mysql.
[ ] jupyter
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Add user port mapping in hieradata/hostname/fran1001.yaml
    [x] Add user password hash in manifests/passwords/jupyter.pp
    [x] Provide user with necessary ssh port forwarding config and password
[ ] follow_on: Verify user can log in to fran1001 and connect to instance

Event Timeline

Hope this covers it! Thanks!

  • civicrm web access
    • standard access
    • [ ] donor services access
  • ssh access - if specific hosts: list here: fran1001, frdev1001 -- same as what Joseph and Runjini have
  • mysql - if specific hosts or databases: list here: fran1001, frdev1001 -- same as what Joseph and Runjini have
  • superset
  • [ ] other: please explain

Dwisehaupt changed the edit policy from "Custom Policy" to "All Users".
Date: Tue, 12 Sep 2023 11:22:23
From: Lisa Seitz Gruwell
To: Runjini Murthy
Cc: Dallas Wisehaupt, fr-tech-ops@wikimedia.org
Subject: Re: Superset access for Natasha Creasy (contractor)
----------------------------------------

Approved. 

On Tue, Sep 12, 2023 at 9:54 AM Runjini Murthy wrote:
Hi Lisa,
I hope you're having a great week!

We have a new fundraising analyst starting tomorrow, and I wanted to get her access to Superset. Could you kindly approve access at your earliest convenience?

Thank you so much!
Runjini
Dwisehaupt moved this task from Triage to In Progress on the fundraising-tech-ops board.

Welcome email sent. SSL client certificate created and sent via email. Password sent via SMS.

Civi account created and set with random password. Email sent with instructions on how to change the password.

Superset account set and random password set. Password sent via SMS. Email sent with instructions on how to change the password.

SSH Key Pair generated.
Public Key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDucOKBClXZYVB2WTw410o020Q78aFGOHGVpz5BthBk ncreasy-ctr@wikimedia.org

SSL cert installed and successfully logged into CiviCRM

Successfully logged into SuperSet account and password updated.

Yubikey request sent to techsupport. Will start the ssh account setup when we have confirmation that the yubikey is on the way.

SSH key pair generated. Public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDucOKBClXZYVB2WTw410o020Q78aFGOHGVpz5BthBk ncreasy-ctr@wikimedia.org

Yubikey public side: Cccccbknuhce

Thanks!

I had an issue with my SSH passphrase so needed to generate a new key pair, overwriting the previous one.

New public key details:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZS73fLcs/f0DcTwWHiLhPk4CPFUhnZJclAvgLPuHr/ ncreasy-ctr@wikimedia.org

Could you please update the associated details? Apologies for the inconvenience.
Thanks!

Verified ssh and mysql access is working.