Page MenuHomePhabricator
Create Task
Maniphest T347979

Remove wmcs-admin access from production cumin hosts
Open, LowPublic
Actions

Description

Now that cloudcumin hosts are available, we should remove the wmcs-admin group from hieradata/role/common/cluster/management.yaml.

Before we want to make sure the members of that group can use cloudcumins to run the same commands they can now run from production cumin hosts: T347977: cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts.

Another reason why members of wmcs-admin might need to SSH to production cumin hosts is to downtime alerts through the alertmanager API. So we should also complete T347490: [wmcs-cookbooks] Downtime alerts from cloudcumins before this task can be started.

Related Objects
Search...

Event Timeline

fnegri created this task.Oct 3 2023, 11:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 3 2023, 11:28 AM
fnegri added a subtask: T347977: cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts.Oct 3 2023, 11:28 AM
fnegri updated the task description. (Show Details)Oct 3 2023, 11:32 AM
fnegri added a subtask: T347490: [wmcs-cookbooks] Downtime alerts from cloudcumins.
fnegri added a subscriber: dcaro.
MoritzMuehlenhoff changed the task status from Open to Stalled.Jan 29 2024, 2:16 PM
MoritzMuehlenhoff subscribed.

Given this is blocked on T347490, I'm marking it as Stalled.

fnegri edited projects, added: cloud-services-team (FY2023/2024-Q3-Q4); removed: cloud-services-team (FY2023/2024-Q1-Q2).Feb 1 2024, 11:14 AM
MoritzMuehlenhoff triaged this task as Low priority.Feb 12 2024, 3:36 PM
fnegri mentioned this in T337848: WMCS-roots wiki replica access.Mar 28 2024, 4:21 PM
taavi closed subtask T347490: [wmcs-cookbooks] Downtime alerts from cloudcumins as Resolved.Jun 14 2024, 12:38 PM
Raymond_Ndibe changed the task status from Stalled to Open.Jul 1 2024, 1:58 PM
fnegri added a comment.Jul 1 2024, 3:04 PM

This is currently blocked by T347977: cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts

Until that task is done, members of the wmcs-admin group cannot use cloudcumin hosts to run the wikireplica cookbooks (sre.wikireplicas.*) and have to use the production cumin hosts.

fnegri mentioned this in T344599: wikireplicas root access.Jul 2 2024, 3:43 PM
fnegri edited projects, added: cloud-services-team (FY2024/2025-Q1-Q2); removed: cloud-services-team (FY2023/2024-Q3-Q4).Aug 19 2024, 9:20 AM
fnegri closed subtask T347977: cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts as Declined.Sep 13 2024, 2:24 PM
taavi added a project: Data-Services.Sep 28 2024, 12:29 PM
taavi subscribed.

What's the future of this now that T347977: cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts was declined?

taavi moved this task from Backlog to Wiki replicas on the Data-Services board.Sep 28 2024, 12:29 PM
fnegri added a comment.Sep 30 2024, 1:11 PM

@taavi good question! Given that wikireplica hosts are not owned by a single team, my suggestion would be to keep the wikireplicas cookbooks in production cumins, and replace the wmcs-admin group with a new wikireplica-admins group that explicitly lists users that are not global roots but should be able to run the wikireplicas cookbooks. This group should not inherit users from wmcs-roots, but instead from the existing group wikireplica-roots.

We should also define a process for adding more users to both the wikreplica-admins and wikireplica-roots groups, who should approve new members to the groups and what are the requirements to become a member? I think this will have to happen along the current discussions about who should be reviewing and applying patches to wikireplica views, e.g. https://gerrit.wikimedia.org/r/c/operations/puppet/+/1073430

If there is some consensus around this plan, I will create a task and the related patch to implement it.

fnegri edited projects, added: cloud-services-team; removed: cloud-services-team (FY2024/2025-Q1-Q2).Jan 15 2025, 3:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits