
Fundraising access request for PPenloglou
Closed, Resolved (Public)

Description

This is a new access request for @ppenloglou. They require the following access: (mark each box with an x)

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - if specific hosts: frdev1001
  • mysql - if specific hosts or databases: frdev1001
  • superset
  • other: please explain ----

New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.

Prerequisites

Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level that access is approved.

[x] user_verification
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[-] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list

Accounts and Services

[x] user account
Requires: user_verification
[x] Add the user to the users.yaml and group_members.yaml files as appropriate.
[x] Push out puppet changes.
[ ] yubikey
Requires: useraccount and ITS request to send out yubikey to user
[x] physical: Make a request to ITS to have a key sent to the user
[x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[ ] follow_on: Make sure user can use yubikey for ssh access
[ ] ssh
Requires: useraccount and yubikey
[x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[ ] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[ ] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [x] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants on appropriate dbs.
    [x] Create the user a ~/.my.cnf file with the original password from account creation.
[ ] follow_on: Verify user can ssh to the required host and log in to mysql.
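Two of the account_setup steps above (the ssh key and the yubikey public side) take values the user pastes into the task and copy them into puppet-private. The script below is an added example of a pre-commit sanity check for those two inputs; it is not fr-tech tooling and the "ed25519 only" key policy it enforces is an assumption for illustration. The sample inputs are the public values posted later in this task (a public key and a YubiKey public ID, neither of which is secret) plus constructed bad inputs, so it runs offline.

```python
"""Sanity-check the two credentials a new user submits for the
fundraising onboarding checklist before they are pasted into puppet-private:

  * an OpenSSH public key line (secrets/ssh/default/$username)
  * a YubiKey OTP public ID (manifests/passwords/yubico.pp)

Added example, not fr-tech's own code. The allowed-key-type policy below
is an assumption made for illustration.
"""
import base64
import struct

MODHEX_ALPHABET = "cbdefghijklnrtuv"      # YubiKey modhex alphabet (16 symbols)
YUBIKEY_PUBLIC_ID_LEN = 12                # default public ID length
YUBIKEY_OTP_LEN = 44                      # 12-char public ID + 32-char encrypted part
ALLOWED_SSH_KEY_TYPES = {"ssh-ed25519"}   # assumed local policy, not from the task


def _read_ssh_string(blob, offset):
    """Read one length-prefixed field of the OpenSSH public key wire format."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def check_ssh_public_key(line):
    """Return (key_type, comment) for a well-formed public key of an allowed
    type; raise ValueError with a reason otherwise."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type.startswith("-----"):
        raise ValueError("this looks like a PEM block (private key?), not a public key")
    if key_type not in ALLOWED_SSH_KEY_TYPES:
        raise ValueError(f"key type {key_type!r} not permitted")
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("key material is not valid base64")
    wire_type, offset = _read_ssh_string(blob, 0)
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match the encoded key")
    pubkey, offset = _read_ssh_string(blob, offset)
    if len(pubkey) != 32:
        raise ValueError(f"ed25519 public key must be 32 bytes, got {len(pubkey)}")
    if offset != len(blob):
        raise ValueError("trailing bytes after the public key")
    return key_type, comment


def check_yubikey_public_id(value):
    """Return the normalised 12-character modhex public ID or raise ValueError."""
    pid = value.strip().lower()
    if not pid or any(ch not in MODHEX_ALPHABET for ch in pid):
        raise ValueError("public ID must be modhex (cbdefghijklnrtuv)")
    if len(pid) == YUBIKEY_OTP_LEN:
        # A whole OTP was pasted (e.g. the key was touched in the text box).
        raise ValueError("this is a full 44-char OTP; only the 12-char public ID is needed")
    if len(pid) != YUBIKEY_PUBLIC_ID_LEN:
        raise ValueError(f"public ID must be {YUBIKEY_PUBLIC_ID_LEN} chars, got {len(pid)}")
    return pid


# Sample inputs: the public values posted in this task.
SAMPLE_SSH_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJF9eHBPcPfXJ7VM6w4KRmdoG1m6OW08uuCuElAvt8PX "
                  "ppenloglou@wikimedia.org")
SAMPLE_YUBIKEY_ID = "cccccbnrbukk"
# Constructed bad input: a 44-char modhex string shaped like a full OTP.
CONSTRUCTED_FULL_OTP = SAMPLE_YUBIKEY_ID + "c" * 32


def run_checks(ssh_line, yubikey_id):
    """Run both checks; return {'ssh': 'ok'|reason, 'yubikey': 'ok'|reason}."""
    results = {}
    for name, fn, arg in (("ssh", check_ssh_public_key, ssh_line),
                          ("yubikey", check_yubikey_public_id, yubikey_id)):
        try:
            fn(arg)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(run_checks(SAMPLE_SSH_KEY, SAMPLE_YUBIKEY_ID))
    print(run_checks(SAMPLE_SSH_KEY, CONSTRUCTED_FULL_OTP))
```

The ssh check parses the base64 blob rather than only trusting the `ssh-ed25519` prefix, so a line whose prefix and payload disagree, or a key of the wrong length, is rejected before it reaches puppet; the yubikey check catches the common mistake of pasting a full OTP instead of just its 12-character public ID.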

Event Timeline

Access approved.

Date: Wed, 1 May 2024 13:59:49
From: Lisa Seitz Gruwell
To: Sam Patton
Cc: Fundraising Tech Ops
Subject: Re: Approval to give two Fundraisers yubikeys for test reporting?
----------------------------------------

Yes, approved. 

Created ITS request for yubikey.

Hi @Dwisehaupt, thanks for assisting with the setup here!

I already have two sets of SSH keys, one for production access and one for WCMS. Would one of these suffice or should I create a new SSH key according to this page?

Hi @ppenloglou, please create a new key specific for the fundraising environment. Thanks!

Set up mariadb accounts in advance.

Hey @Dwisehaupt, I've created my fr specific SSH key pair!
These are the contents of my public key fr_id_ed25519.pub:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJF9eHBPcPfXJ7VM6w4KRmdoG1m6OW08uuCuElAvt8PX ppenloglou@wikimedia.org

Thanks. Public key added to puppet and pushed out.

Hey @Dwisehaupt, here's my public part of the Yubikey:

cccccbnrbukk

Dwisehaupt moved this task from Up Next to In Progress on the fundraising-tech-ops board.

Added yubikey public key to puppet and deployed the change. Instructions sent via email on how to connect via SSH and how to connect to the database.

Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Login access hasn't been fully verified. If there are any issues, they can be opened in a follow on task.