Page MenuHomePhabricator
Create Task
Maniphest T367833

Update grants for mailman
Closed, ResolvedPublic
Actions

Description

We're moving mailman to a new host, and while reviewing the state of things before the maintenance, we noticed that the grants for mailman hardcode the old host in place.

Can you please update the grants to also allow traffic from lists1004.wikimedia.org and lists2001.wikimedia.org?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
mariadb: Remove direct grants on mailman databasesoperations/puppetproduction+0 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

eoghan created this task.Jun 17 2024, 10:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 17 2024, 10:55 PM
eoghan reassigned this task from eoghan to Ladsgroup.Jun 17 2024, 10:57 PM
eoghan updated the task description. (Show Details)
eoghan added a comment.Jun 17 2024, 10:59 PM

https://gerrit.wikimedia.org/g/operations/puppet/+/refs/heads/production/modules/profile/templates/mariadb/grants/production-m5.sql.erb#26

It's possible that the grants are already covered by the proxies listed here, but it would be good to check before we start our migration

Dzahn subscribed.Jun 17 2024, 11:12 PM
Marostegui subscribed.Jun 18 2024, 4:34 AM

There is a problem before we can even check the grants, there's no connection between those two hosts and the proxies. I guess a FW rules needs to be added somewhere:

root@lists1004:/etc# telnet dbproxy1021.eqiad.wmnet 3306
Trying 10.64.32.180...


# telnet dbproxy2001.codfw.wmnet 3306
Trying 10.192.0.129...

And this is the current host:

# telnet dbproxy1021.eqiad.wmnet 3306
Trying 10.64.32.180...
Connected to dbproxy1021.eqiad.wmnet.
Escape character is '^]'.
]
5.5.5-10.6.16-MariaDB-log'�t&DeN9qOs�y&L.?5)lhDYtmysql_native_passwordConnection closed by foreign host.
ABran-WMF moved this task from Triage to Refine on the DBA board.Jun 18 2024, 6:43 AM
Marostegui moved this task from Refine to Blocked on the DBA board.Jun 18 2024, 7:24 AM
Marostegui reassigned this task from Ladsgroup to eoghan.Jun 18 2024, 7:27 AM
eoghan added a comment.EditedJun 18 2024, 7:47 AM

That's right -- we'll be doing that as part of the maintenance work later today. We kept them firewalled off so that the non-active host isn't writing to the database at the same time as the active. In the future it might make more sense to allow all hosts access but have a read/write user for the active host, and read only for the non-active.

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1046785
https://phabricator.wikimedia.org/T367521

Marostegui added a comment.Jun 18 2024, 7:53 AM

Yes, we have that RW and RO users in other services.

Ladsgroup added a comment.Jun 18 2024, 1:42 PM

This is done I think but then maybe we should drop the grant on lists1001 then?

Marostegui added a comment.Jun 18 2024, 1:45 PM
In T367833#9903360, @Ladsgroup wrote:

This is done I think but then maybe we should drop the grant on lists1001 then?

+1 - we should review puppet grants in case we mention lists1001 somewhere

gerritbot added a comment.Jun 19 2024, 10:32 AM

Change #1047474 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/puppet@production] mariadb: Remove direct grants on mailman databases

https://gerrit.wikimedia.org/r/1047474

gerritbot added a project: Patch-For-Review.Jun 19 2024, 10:32 AM
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.Jun 21 2024, 9:43 AM
eoghan reassigned this task from eoghan to Ladsgroup.EditedJul 2 2024, 9:06 PM

Spoken with @Ladsgroup , I think there's nothing immediate for sre-collab to do here so reassigning. Feel free to send it back to me if that changes!

gerritbot added a comment.Jul 4 2024, 2:56 PM

Change #1047474 merged by Ladsgroup:

[operations/puppet@production] mariadb: Remove direct grants on mailman databases

https://gerrit.wikimedia.org/r/1047474

Ladsgroup closed this task as Resolved.Jul 8 2024, 5:40 PM

^ dropped the user in production on m5.

Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 7:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits