Page MenuHomePhabricator
Create Task
Maniphest T376790

Split the permission to access Logstash from the cn=wmf and cn=nda groups
Open, HighPublic
Actions

Description

Currently the membership of cn=wmf and cn=nda grants access to Logstash. This access is fairly sensitive and by far not anyone who's in these groups for other reasons actually needs Logstash. As such, the plan is to split it out to a separate group cn=logstash-access.

Next steps:

  • Create the group
  • Generate an initial list of users who have access Logstash in the last X days
  • Create a process to request users to cn=logstash-access for those who don't have it yet (eventually this will be implemened in Bitu/idm.wikimedia.org, but in the interim probably via Clinic Duty)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add logstash-access to list of groups to drop on offboardingoperations/puppetproduction+1 -0
Remove access to logstash for cn=wmfoperations/puppetproduction+2 -2
logstash: Grant access to cn=opsoperations/puppetproduction+1 -0
Enable logstash-access for production bituoperations/puppetproduction+6 -0
Grant access to logstash to cn=logstash-accessoperations/puppetproduction+1 -0
Grant access to logstash to cn=logstash-accessoperations/puppetproduction+1 -0
Customize query in gerrit

Event Timeline

MoritzMuehlenhoff created this task.Oct 9 2024, 10:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 9 2024, 10:32 AM
MoritzMuehlenhoff triaged this task as High priority.Oct 9 2024, 10:32 AM
Ladsgroup awarded a token.Oct 9 2024, 10:35 AM
gerritbot added a comment.Oct 30 2024, 10:42 AM

Change #1084732 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Grant access to logstash to cn=logstash-access

https://gerrit.wikimedia.org/r/1084732

gerritbot added a project: Patch-For-Review.Oct 30 2024, 10:42 AM
gerritbot added a comment.Oct 30 2024, 12:15 PM

Change #1084732 merged by Muehlenhoff:

[operations/puppet@production] Grant access to logstash to cn=logstash-access

https://gerrit.wikimedia.org/r/1084732

Maintenance_bot removed a project: Patch-For-Review.Oct 30 2024, 12:31 PM
MoritzMuehlenhoff added a comment.Oct 30 2024, 1:03 PM

For transparency: The ssotest03 user is used by myself for tests and has been temporarily added to cn=logstash-access.

herron added a project: SRE Observability.Oct 30 2024, 1:06 PM
herron added a subscriber: colewhite.
herron subscribed.
gerritbot added a comment.Nov 7 2024, 3:47 PM

Change #1088322 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Grant access to logstash to cn=logstash-access

https://gerrit.wikimedia.org/r/1088322

gerritbot added a project: Patch-For-Review.Nov 7 2024, 3:47 PM
gerritbot added a comment.Nov 7 2024, 3:56 PM

Change #1088322 merged by Muehlenhoff:

[operations/puppet@production] Grant access to logstash to cn=logstash-access

https://gerrit.wikimedia.org/r/1088322

Maintenance_bot removed a project: Patch-For-Review.Nov 7 2024, 4:30 PM
lmata moved this task from Inbox to Radar on the SRE Observability board.Nov 13 2024, 3:09 PM
Novem_Linguae subscribed.Dec 5 2024, 8:34 AM
gerritbot added a comment.Jan 31 2025, 10:52 AM

Change #1115808 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] logstash: Grant access to cn=ops

https://gerrit.wikimedia.org/r/1115808

gerritbot added a project: Patch-For-Review.Jan 31 2025, 10:52 AM
gerritbot added a comment.Jan 31 2025, 11:15 AM

Change #1115811 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Enable logstash-access for production bitu

https://gerrit.wikimedia.org/r/1115811

gerritbot added a comment.Feb 3 2025, 8:22 AM

Change #1115811 merged by Slyngshede:

[operations/puppet@production] Enable logstash-access for production bitu

https://gerrit.wikimedia.org/r/1115811

gerritbot added a comment.Feb 6 2025, 7:35 AM

Change #1115808 merged by Muehlenhoff:

[operations/puppet@production] logstash: Grant access to cn=ops

https://gerrit.wikimedia.org/r/1115808

Maintenance_bot removed a project: Patch-For-Review.Feb 6 2025, 8:30 AM
gerritbot added a comment.Mar 5 2025, 9:22 AM

Change #1124732 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove access to logstash for cn=wmf

https://gerrit.wikimedia.org/r/1124732

gerritbot added a project: Patch-For-Review.Mar 5 2025, 9:22 AM
gerritbot added a comment.Mar 5 2025, 2:03 PM

Change #1124732 merged by Muehlenhoff:

[operations/puppet@production] Remove access to logstash for cn=wmf

https://gerrit.wikimedia.org/r/1124732

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2025, 2:31 PM
MoritzMuehlenhoff added a comment.Mar 7 2025, 11:00 AM

Status update: Access to Logstash has been split out of cn=wmf, cn=nda is next.

gerritbot added a comment.Mar 10 2025, 11:53 AM

Change #1126008 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add logstash-access to list of groups to drop on offboarding

https://gerrit.wikimedia.org/r/1126008

gerritbot added a project: Patch-For-Review.Mar 10 2025, 11:53 AM
gerritbot added a comment.Mar 10 2025, 12:15 PM

Change #1126008 merged by Muehlenhoff:

[operations/puppet@production] Add logstash-access to list of groups to drop on offboarding

https://gerrit.wikimedia.org/r/1126008

Maintenance_bot removed a project: Patch-For-Review.Mar 10 2025, 12:31 PM
Zabe subscribed.Aug 26 2025, 1:11 PM
JAllemandou subscribed.Dec 11 2025, 1:58 PM

Hi folks, as part of this ticket I lost access to logstash. Can one of you please add me to the cn=logstash-access ldap group? Many thanks.

Novem_Linguae added a comment.Dec 11 2025, 2:04 PM

I think applying for logstash access is now done by visiting https://idm.wikimedia.org/permissions/ and filling out a short form. Hope that helps.

JAllemandou added a comment.Dec 11 2025, 4:40 PM

Thanks so much @Novem_Linguae , I confirm the link worked for me.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits