
Offboard Muhammad Jazirahly from WMF systems
Closed, ResolvedPublic

Description

Muhammad Jazirahly (Wikitech user: Muhammad Jaziraly, shell username: muja, phabricator username: @Muhammad_Yasser_Jazirahly_WMDE) has provided software development services for WMDE but no longer does it as of Jan 1st 2025. As WMDE Engineering Manager I request offboarding <name/pronoun> from WMF systems.

Potentially incomplete list of permissions involved:

  • Remove from wmde LDAP group
  • Remove from nda LDAP group
  • Remove from airflow-wmde-ops LDAP group
  • Remove from shell access groups (data.yaml; groups analytics-wmde-users, analytics-privatedata-users)
  • Revoke Phabricator privileges (acl*Project-Admins, possible others?)
  • Revoke +2 Gerrit rights from mediawiki and extensions (Gerrit wmde-mediawiki group)
  • Disable Phabricator account
  • Disable Wikitech account
  • Disable Gerrit account

I might have missed some additional permissions that the user might have been granted. I'd appreciate it if WMF staff audited that they no longer have any staff-related access to WMF systems.
Thank you!
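The checklist above spans several independent membership sources (puppet data.yaml shell groups, LDAP groups, a Kerberos principal), and the reporter's worry is that one of them gets missed. The script below is an added example, not code from this task or from WMF's offboard-user tool: it audits one uid across constructed stand-ins for those sources, separates privileged groups from unprivileged ones that may be retained, and then applies the offboarding change (members removed, `ensure: absent`, principal deleted) and re-audits until nothing is left. The data.yaml layout, the group dump and the set of privileged groups are all assumptions made for the example.

```python
"""Audit a departing user's residual access across several membership sources.

Added example, not part of the Phabricator task or of WMF's offboard-user tool.
The data.yaml layout (groups -> name -> members, users -> uid -> ensure), the LDAP
group dump and the Kerberos principal list are constructed stand-ins; which LDAP
groups count as privileged is an assumption made for this example.
"""
from __future__ import annotations

import copy

# Constructed stand-in for the admin module's data.yaml (assumed layout).
DATA_YAML = {
    "groups": {
        "analytics-wmde-users": {"members": ["alice", "muja"]},
        "analytics-privatedata-users": {"members": ["bob", "muja"]},
        "ops": {"members": ["alice"]},
    },
    "users": {
        "alice": {"ensure": "present"},
        "muja": {"ensure": "present"},
    },
}

# Constructed stand-in for an LDAP group dump (cn -> member uids).
LDAP_GROUPS = {
    "wmde": ["alice", "muja"],
    "nda": ["muja", "bob"],
    "airflow-wmde-ops": ["muja"],
    "Trusted-Contributors": ["muja", "carol"],  # unprivileged, may be retained
}

# Constructed stand-in for `manage_principals.py list` output.
KERBEROS_PRINCIPALS = {"alice@WIKIMEDIA", "muja@WIKIMEDIA"}

# Assumption for the example: groups that grant access to non-public data or hosts.
PRIVILEGED_LDAP_GROUPS = {"wmde", "nda", "airflow-wmde-ops", "ops"}


def shell_groups_for(uid: str, data: dict = DATA_YAML) -> list[str]:
    """Shell groups in data.yaml that still list the uid as a member."""
    return sorted(g for g, spec in data["groups"].items() if uid in spec.get("members", []))


def ldap_groups_for(uid: str, groups: dict = LDAP_GROUPS,
                    privileged: set[str] = PRIVILEGED_LDAP_GROUPS) -> dict[str, list[str]]:
    """Split the uid's LDAP memberships into privileged (must go) and unprivileged (may stay)."""
    member_of = [cn for cn, members in groups.items() if uid in members]
    return {
        "privileged": sorted(cn for cn in member_of if cn in privileged),
        "unprivileged": sorted(cn for cn in member_of if cn not in privileged),
    }


def audit(uid: str, data: dict = DATA_YAML, ldap_groups: dict = LDAP_GROUPS,
          principals: set[str] = KERBEROS_PRINCIPALS,
          privileged: set[str] = PRIVILEGED_LDAP_GROUPS, realm: str = "WIKIMEDIA") -> dict:
    """Return every piece of access that still has to be revoked, plus what may be retained."""
    findings: list[str] = []
    for g in shell_groups_for(uid, data):
        findings.append(f"still in shell group {g} (data.yaml)")
    if data["users"].get(uid, {}).get("ensure") != "absent":
        findings.append("user entry in data.yaml is not 'ensure: absent'")
    ldap = ldap_groups_for(uid, ldap_groups, privileged)
    for cn in ldap["privileged"]:
        findings.append(f"still in privileged LDAP group {cn}")
    if f"{uid}@{realm}" in principals:
        findings.append("has a Kerberos user principal, make sure to remove it")
    return {"findings": findings, "retainable": ldap["unprivileged"], "complete": not findings}


def apply_offboarding(uid: str, data: dict, ldap_groups: dict, principals: set[str],
                      privileged: set[str] = PRIVILEGED_LDAP_GROUPS,
                      realm: str = "WIKIMEDIA") -> tuple[dict, dict, set[str]]:
    """Return offboarded copies of the three sources; unprivileged LDAP groups are kept."""
    data = copy.deepcopy(data)
    for spec in data["groups"].values():
        if uid in spec.get("members", []):
            spec["members"].remove(uid)
    if uid in data["users"]:
        data["users"][uid]["ensure"] = "absent"  # keep the entry so the uid is not reused
    ldap_groups = {cn: [m for m in members if not (m == uid and cn in privileged)]
                   for cn, members in ldap_groups.items()}
    principals = principals - {f"{uid}@{realm}"}
    return data, ldap_groups, principals


if __name__ == "__main__":
    before = audit("muja")
    for line in before["findings"]:
        print("TODO:", line)
    data, ldap, princ = apply_offboarding("muja", DATA_YAML, LDAP_GROUPS, KERBEROS_PRINCIPALS)
    after = audit("muja", data, ldap, princ)
    print("complete:", after["complete"], "retained:", after["retainable"])
```

Running the audit a second time after the change is the useful part: it turns "I think I got everything" into an empty findings list, and it keeps the unprivileged memberships visible so nobody strips a volunteer-level group by mistake.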

Event Timeline

Dzahn changed the task status from Open to In Progress.Jan 7 2025, 4:23 PM
Dzahn claimed this task.
Dzahn triaged this task as High priority.
Dzahn updated the task description.
Dzahn updated the task description.

Change #1108784 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: offboard user muja

https://gerrit.wikimedia.org/r/1108784

Mentioned in SAL (#wikimedia-operations) [2025-01-07T16:43:54Z] <mutante> krb1001 - sudo manage_principals.py delete muja@WIKIMEDIA (T383056)

Change #1108784 merged by Dzahn:

[operations/puppet@production] admin: offboard user muja

https://gerrit.wikimedia.org/r/1108784

[ldap-maint1001:~] $ offboard-user -l muja
...
Is not member of any LDAP group
Is not a member in any privileged group
muja has a Kerberos user principal, make sure to remove it
...
---

[ldap-maint1001:~] $ offboard-user -p Muhammad_Yasser_Jazirahly_WMDE
...
Sprint 1 is an unprivileged group, can be retained
...
Trusted-Contributors is an unprivileged group, can be retained
Wikibase Architecture is an unprivileged group, can be retained
Wikibase Product Platform Team WPP is an unprivileged group, can be retained

---

@Muehlenhoff @SLyngshede-WMF @WMDE-leszek

I ...

  • manually removed from the wmde, nda and airflow-wmde-ops groups
  • removed from Gerrit group wmde-mediawiki
  • uploaded and self-merged https://gerrit.wikimedia.org/r/c/operations/puppet/+/1108784 to remove from shell groups
  • Andre already deactivated the Phabricator user
  • ran offboard-user with both -l and -p; no more privileged groups found
  • deleted the Kerberos principal

"disable Wikitech" and "disable Gerrit" are, imho, not steps in normal offboarding and are not mentioned in the docs.

I think we might need some coordination on how to handle WMDE staff offboarding in the future and what template to use with which checkboxes.

I am not entirely clear on what else would be part of doing an audit, but I think this is also generally handled by the IF team, hence I am adding you.

Half an hour after the puppet patch was merged I ran the sre.idm.logout cookbook.

Dzahn removed Dzahn as the assignee of this task.Jan 7 2025, 5:27 PM
Dzahn lowered the priority of this task from High to Medium.
Dzahn updated the task description.
Dzahn subscribed.

I think we might need some coordination on how to handle WMDE staff offboarding in the future and what template to use with which checkboxes.

Actually, I just remembered @MoritzMuehlenhoff shared the information on how to do it with me a few months ago, which I had completely forgotten about in my not-fully-back-from-vacation head space. I should not have created this kind of ticket but rather followed the advised procedure. Apologies.

Thank you for taking care of the offboarding nonetheless!

MoritzMuehlenhoff assigned this task to Dzahn.

This looks all complete and Daniel is right; during offboard the Wikitech/Gerrit accounts remain, we only strip the NDA-sensitive permissions.