Fundraising Access For Ilse Ackerman
Closed, Resolved (Public)

Description

This is a new access request for Ilse Ackerman. They require the following access:

  • civicrm web access
    • standard access
    • donor services access
  • ssh access - analytics and dev/staging
  • mysql - analytics and dev/staging
  • superset
  • jupyter notebooks instance (?)


New User Procedure / Checklist

When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.

Prerequisites

Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval of the access from the C level.

[x] user_verification
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[-] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech's entry in the Okta Workflows Table

Accounts and Services

[x] client_ssl_cert
Requires: user_verification
[x] cert_setup: generate cert on frpm1001 using ssl_user_admin
[x] account_setup: sms the user the password for the key (placed on frdev1002 instead)
[x] follow_on: assist with certificate installation
[x] civicrm
Requires: client_ssl_cert
[x] account_setup: Create user account. This will notify the user via email to update their password.
[x] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[x] superset
Requires: client_ssl_cert
[x] account_setup: Create user account. Notify the user of their account name and password.
[x] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org
[x] archive_access: Add to google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[x] user account
Requires: user_verification
[x] Add the user to the users.yaml and group_members.yaml files as appropriate.
[x] Push out puppet changes.
[x] yubikey
Requires: useraccount and ITS request to send out yubikey to user
[x] physical: Make a request to ITS to have a key sent to the user
[x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[x] follow_on: Make sure user can use yubikey for ssh access

(Note that I have a yubikey of my own already, so don't need a physical key sent. 🔑)

[x] ssh
Requires: useraccount and yubikey
[x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[x] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[x] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [x] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants on appropriate dbs.
    [x] Create the user a ~/.my.cnf file with the original password from account creation.
[x] follow_on: Verify user can ssh to the required host and log in to mysql.

Event Timeline

Access request approval:

Date: Fri, 11 Oct 2024 14:02:59
From: Lisa Seitz Gruwell
To: Erica Roden
Cc: Dallas Wisehaupt, Greg Grossmeier, Jeff Green
Subject: Re: Approval system access - Ilse Ackerman (starting 10.16)
----------------------------------------

Yes, I approve. 

On Fri, Oct 11, 2024 at 12:37 PM Erica Roden wrote:

Hi Lisa

We need to set up access for Ilse.  Can you provide approval so Jeff or Dallas can set her up in Superset, Civi, and our databases?
 

Thanks!

@ERoden-WMF Do you have an idea yet which databases Ilse will need access to? This will require the use of ssh if direct DB access is required.

They were previously granted some access in T356110 but I'm assuming there may be some changes to what is required.

Thanks @Dwisehaupt. Previous access was granted when she was a consultant; she will need this access linked to her Wikimedia credentials. @greg, per our conversation last week, could you confirm what access she needs?

My initial reaction is: "what Joseph has".

@Dwisehaupt Same access as me should be correct (civicrm, drupal, all the analytics and analytics dev schemas). And same permissions as me as well (so read and write for the analytics schemas).

Hi @Dwisehaupt @Jgreen @greg, Ilse has received her computer. Could you let us know when you'll be able to get her access set up? cc @IAckerman-WMF

@IAckerman-WMF & @ERoden-WMF: did ITS send Ilse a yubikey with the laptop?

I have a Yubikey already, so we can skip IT sending me one.

Is it the same one we set up before, for T357456?

Great, I'll reactivate that key. Next step is for you to generate a new ssh keypair for use in the FR environment. Instructions are here.

https://wikitech.wikimedia.org/wiki/Fundraising/techops/docs/frack_ssh_access

Please post the public key on this task.

Thanks. The public key is cccccbdfehjr.

Please post the ssh public key too.

Here you go: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQvSzk2WIncyDP2sc52U9mxHag9u2jta+5+mRahMZB6 iackerman@wikimedia.org

@IAckerman-WMF your SSH account and SSL client cert are set up, please see email for additional info.

Jgreen changed the task status from Open to In Progress. Oct 22 2024, 5:12 PM
Jgreen triaged this task as High priority.
Jgreen updated the task description.

Database access is enabled including configured .my.cnf.

Civi account moved from Blocked to active and email address updated to wikimedia address.

Civi rights adjusted to standard rights instead of View Only.

Dwisehaupt claimed this task.
Dwisehaupt updated the task description.
Dwisehaupt moved this task from Up Next to Done on the fundraising-tech-ops board.

Verified with Ilse that civi access is working as needed. Closing this out.