
Deactivate fundraising accounts for lmedley
Closed, Resolved, Public

Description

Departing User Procedure / Checklist

When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access.

Prerequisites

Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and be tracked as a Phabricator ticket.

[x] user_verification

User Data and Processes

Data to be retained
Relates only to data residing on fundraising systems
[x] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[-] Archive off any data that should be retained
[-] Remove other data associated with the user (ie, scratch databases, etc)
Processes running under the user's account
Relates only to processes executing on fundraising systems
[x] Identify any business essential processes running as the user
[x] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.)
[-] Transfer any business essential processes to a new user or service account
[-] Remove any cronjobs or ongoing process executions tied to the user

Accounts and Services

[x] user account
Shell account specifically
[x] account_setup:
    [x] Mark the user as _ensure: 'absent'_ in the users.yaml file.
    [x] Remove the user entries in the group_members.yaml file as appropriate.
    [x] Push out puppet changes.
    [-] Remove the user principal from kerberos as appropriate.
[x] client_ssl_cert
Provides access to multiple services
[x] Revoke the cert on frpm1001 using:  ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.
[x] yubikey
Requires: useraccount
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[x] Push out the puppet changes.
[x] ssh
Only related to fundraising systems
Requires: useraccount, yubikey
[x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[x] Push out the puppet changes.
[x] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Mark user as 'remove' => 1, in appropriate grant files
    [x] For cleanliness you can remove user from all rights blocks on dbs.
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants or run the grants on the appropriate primary db
[x] user_data
    [-] Determine if there are any user specific dbs that need retention
    [-] Archive off any dbs that are no longer needed with expiration set
[x] civicrm
Requires: client_ssl_cert
[x] Change user account to Blocked
[x] Remove from any campaign notifications.
    [x] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [-] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
[-] Remove from large donation notifications.
    [-] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure
[x] superset
Requires: client_ssl_cert
[x] account_setup
    [x] Mark user account as inactive
[x] archive_access
    [x] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[] failmail / email lists
fr-tech-failmail (possibly others)
[-] Production lists
    [-] Remove from list in production private puppet repo
    [-] Push out change
[-] Fail Mail
    [-] grep the puppet repo for instances of the user's account
    [-] Remove instances
    [-] Push out change
[-] civicrm
    [-] Remove from civicrm failmail recipients
        https://civicrm.wikimedia.org/admin/config/wmf_common/configure
[-] jupyter
Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp
[-] Repository reviewer
[x] External console accounts
Some processors have multiple consoles
[x] acoustic
[x] adyen
[x] apple
[x] braintree
[x] dlocal
[x] ingenico
[x] paypal
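
A verification pass over the places the checklist names (users.yaml, group_members.yaml, the ssh key directory, and the grep step under Fail Mail), as an added example that is not part of the original task or the fundraising tooling. The YAML layout, the directory layout and the account name jdoe are constructed assumptions, and GNU grep is assumed.

```bash
#!/usr/bin/env bash
# Added example. File names follow the checklist; their contents and layout are
# constructed assumptions, not the real fundraising repositories.

# marked_absent FILE USER: succeed if USER's YAML block carries ensure: absent.
marked_absent() {
  awk -v u="$2" '
    $0 ~ "^[ \t]*" u ":[ \t]*$" { inblk = 1; ind = match($0, /[^ \t]/); next }
    inblk && NF && match($0, /[^ \t]/) <= ind { inblk = 0 }   # block ended
    inblk && /ensure:[ \t]*.?absent/ { found = 1 }
    END { exit !found }' "$1"
}

# leftover_refs DIR USER: print every remaining reference outside users.yaml.
leftover_refs() {
  # -w whole word (jdoe must not match jdoe2), -F literal, -I skip binary files
  grep -rnIwF --exclude=users.yaml -- "$2" "$1" || true
  # files named after the account, such as an ssh public key file
  find "$1" -type f -name "$2" -print
}

# audit DIR USER: return 0 only when the account is absent and unreferenced.
audit() {
  local hits rc=0
  marked_absent "$1/users.yaml" "$2" || { echo "users.yaml: $2 not marked absent"; rc=1; }
  hits=$(leftover_refs "$1" "$2")
  [ -z "$hits" ] || { echo "$hits"; rc=1; }
  return "$rc"
}

# make_sample DIR: constructed checkout where jdoe is only half removed.
make_sample() {
  mkdir -p "$1/secrets/ssh/default"
  printf '%s\n' "users:" "  jdoe:" "    ensure: 'absent'" \
                "  jdoe2:" "    ensure: 'present'" > "$1/users.yaml"
  printf '%s\n' "fr-tech:" "  - jdoe" "  - jdoe2" > "$1/group_members.yaml"
  echo "ssh-ed25519 CONSTRUCTED-KEY" > "$1/secrets/ssh/default/jdoe"
}

sample=$(mktemp -d)
make_sample "$sample"
audit "$sample" jdoe || echo "offboarding incomplete for jdoe"
rm -rf "$sample"
```

On the constructed sample the audit reports the stale group_members.yaml entry and the remaining key file, while jdoe2 is left alone because matching is whole-word.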

Event Timeline

SSL certificate revoked and ssh pubkey removed on 2024-06-14. Final account cleanups happened today. Need to verify processor consoles weren't used by lmedley.

Dwisehaupt updated the task description.
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Verified with emartin and khaggard that external console accounts have been removed. Closing.