
Fundraising access request for KMorrow
Closed, Resolved, Public


This is a new access request for @KMorrow-WMF. They require the following access: (mark each box with an x)

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - if specific hosts: frdev1001
  • mysql - if specific hosts or databases: list here
  • superset
  • other: please explain ----

New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.


Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level that access is approved.

[x] user_verification
    Requires: user request
    [x] access_rights: letter to C level (currently Lisa) verifying grant of access
    [x] account name/contact info: verify on
    [-] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list

Accounts and Services

[x] user account
    Requires: user_verification
    [x] Add the user to the users.yaml and group_members.yaml files as appropriate.
    [x] Push out puppet changes.
[x] yubikey
    Requires: useraccount and ITS request to send out yubikey to user
    [x] physical: Make a request to ITS to have a key sent to the user
    [x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
    [x] follow_on: Make sure user can use yubikey for ssh access
[x] ssh
    Requires: useraccount and yubikey
    [x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
    [x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
    [x] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[x] mysql
    Requires: useraccount, yubikey, ssh
    [x] account_setup
        [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
        [x] Ensure user is in correct blocks for select rights on dbs.
            - Generally use another user in same group as a guide
        [x] Run the grant script to get the grants.
        [x] Copy/paste to execute the grants on appropriate dbs.
        [x] Create the user a ~/.my.cnf file with the original password from account creation.
    [ ] follow_on: Verify user can ssh to the required host and log in to mysql.

Event Timeline

Access approved.

Date: Wed, 1 May 2024 13:59:49
From: Lisa Seitz Gruwell
To: Sam Patton
Cc: Fundraising Tech Ops
Subject: Re: Approval to give two Fundraisers yubikeys for test reporting?

Yes, approved. 

Created ITS request for yubikey.

Generated ssh key-pair. Contents of the public side of the key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+Tq0YDiVT9hjG79omlUnvrrsxdk6/UGP1rlzUch6G3

Received Yubikey today, here is the public side of it:


@KMorrow-WMF Thanks. If you have set up your ssh config file as specified in you should be able to ssh frdev1002 and connect.

Dwisehaupt claimed this task.
Dwisehaupt updated the task description.
Dwisehaupt moved this task from Up Next to Done on the fundraising-tech-ops board.

Verified logins are working.

Dwisehaupt moved this task from Done to In Progress on the fundraising-tech-ops board.

Set up with mysql access for getting data with scripts. Ready for testing.

Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Verified scripts that call mysql are working.