Page MenuHomePhabricator
Create Task
Maniphest T381824

Data Platform access streamlining for WMDE staff
Closed, ResolvedPublic
Actions

Description

Opening this after discussion with @Ottomata on T380994.

In short, given the newly streamlined approval policy for direct WMF staff access to analytics-privatedata-users (T370424), the purpose of this task is to consider whether it makes sense to extend the same to WMDE staff.

As noted in T380994, these requests are going to be rarer (one data point: the last one of these access requests from a WMDE staff member appears to have been 2 months ago), so the reduction in overhead is clearly smaller.

At the same time, having different policies seems like a potential source of confusion.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin: Deploy WMDE privatedata policy change to puppet repooperations/puppetproduction+6 -3
Customize query in gerrit

Related Objects

Event Timeline

Scott_French created this task.Dec 9 2024, 10:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2024, 10:53 PM
Scott_French mentioned this in T370424: Streamline Data Platform access approvals for WMF staff.Dec 9 2024, 10:54 PM
Ottomata added subscribers: odimitrijevic, Ahoelzl.Dec 10 2024, 2:19 AM
Dzahn subscribed.Dec 10 2024, 3:01 AM

One thing to answer here would be how you would know who actually is WMDE staff. There used to be a public page that lists them but then that stopped existing.

MoritzMuehlenhoff subscribed.Dec 10 2024, 7:57 AM
In T381824#10392465, @Dzahn wrote:

One thing to answer here would be how you would know who actually is WMDE staff. There used to be a public page that lists them but then that stopped existing.

Every WMDE staff member who wants SSH access to production or any NDA-relevant LDAP group needs to have signed an NDA with the WMF Legal department. If they are not tracked in this spreadsheet, they need to first reach out to KFrancis and sign it: https://docs.google.com/spreadsheets/d/1xQNx5s2yErvayCMzvk9VkIA2ZihFXSBEhT5Z5ziCsi4

odimitrijevic added a comment.Dec 10 2024, 5:42 PM

Yes, I approve streamlining the access to WMDE staff in the same way that we do for WMF staff as proposed in https://phabricator.wikimedia.org/T370424

Ahoelzl moved this task from Incoming (new tickets) to Tag with Radar on the Data-Engineering board.Dec 16 2024, 6:44 PM
VirginiaPoundstone added a project: Data-Engineering-Radar.Jan 6 2025, 9:10 PM
Gehel edited projects, added Data-Platform-SRE (2024.11.30 - 2024.12.20); removed Data-Platform-SRE.Jan 8 2025, 8:29 AM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2024.11.30 - 2024.12.20) board.
Gehel edited projects, added Data-Platform-SRE (2025.01.11 - 2025.01.31); removed Data-Platform-SRE (2024.11.30 - 2024.12.20).Jan 10 2025, 10:39 AM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.01.11 - 2025.01.31) board.
jcrespo subscribed.EditedJan 21 2025, 5:56 PM

Is there anything else to do here (are there any concerns left?), other than fixing documentation to apply this change? (I can do the doc changes for SRE and access requests on wikitech, puppet on data.yaml). I will send to some people the changes for review.

Ottomata added a comment.Jan 21 2025, 6:00 PM

Olja approved, so no concerns left. Just needs to be implemented by fixing docs, etc. Thank you!

jcrespo claimed this task.Jan 21 2025, 6:00 PM
jcrespo triaged this task as Medium priority.
gerritbot added a comment.Jan 22 2025, 9:39 AM

Change #1113420 had a related patch set uploaded (by Jcrespo; author: Jcrespo):

[operations/puppet@production] admin: Deploying approved policy change to puppet repo

https://gerrit.wikimedia.org/r/1113420

gerritbot added a project: Patch-For-Review.Jan 22 2025, 9:39 AM
jcrespo added a subscriber: SLyngshede-WMF.Jan 22 2025, 3:06 PM

Feel free to review the patch above as well as the wiki changes documenting this, so we can resolve this (or raise concerns):

https://wikitech.wikimedia.org/w/index.php?title=SRE/Production_access&diff=prev&oldid=2262547

https://wikitech.wikimedia.org/w/index.php?title=SRE/Clinic_Duty/Access_requests&diff=2262550&oldid=2239783

CC @MoritzMuehlenhoff @SLyngshede-WMF

gerritbot added a comment.Jan 23 2025, 10:41 AM

Change #1113420 merged by Jcrespo:

[operations/puppet@production] admin: Deploy WMDE privatedata policy change to puppet repo

https://gerrit.wikimedia.org/r/1113420

jcrespo closed this task as Resolved.Jan 23 2025, 10:44 AM

This is now applied.

Maintenance_bot removed a project: Patch-For-Review.Jan 23 2025, 11:30 AM
Gehel edited projects, added Data-Platform-SRE (2025.02.10 - 2025.02.28); removed Data-Platform-SRE (2025.01.11 - 2025.01.31).Feb 11 2025, 10:04 AM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.
Gehel moved this task from Backlog - operations to Done on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.Feb 14 2025, 8:22 AM
Raine mentioned this in T407605: Requesting access to analytics-privatedata-users for vicaplet-wmde.Oct 23 2025, 12:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits