This is a new access request for Stacy Burnett, new Product Manager in Fundraising Technology.
They require the following access:
- civicrm web access
- standard access
- donor services access
- ssh access - if specific hosts: list here
- mariadb - if specific hosts or databases: list here
- trino
- metabase/superset
- jupyter
- other: please explain
New User Procedure / Checklist
When adding a new user to the fundraising / fr-tech ecosystem, there is a set of places where accounts must be created and access granted.
Prerequisites
Before we take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level.
[x] user_verification
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[ ] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech's entry in the Okta Workflows Table
Accounts and Services
[x] client_ssl_cert
Requires: user_verification
[x] cert_setup: generate cert on frpm1002 using ssl_user_admin
[x] account_setup: SMS the user the password for the key (a separate channel from the certificate itself)
[x] follow_on: assist with certificate installation
[x] civicrm
Requires: client_ssl_cert
[x] account_setup: Create user account. This notifies the user via email to set their password.
[x] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[x] metabase
Requires: client_ssl_cert
[x] account_setup: Reach out to FR-Analytics about the new user requiring access
[-] superset
Requires: client_ssl_cert
[ ] account_setup: Create user account. Notify the user of their account name and password.
[ ] follow_on: Verify user can log in to https://superset.frdev.wikimedia.org
[ ] archive_access: Add to google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[-] user account
Requires: user_verification
[ ] Add the user to the users.yaml and group_members.yaml files as appropriate.
[ ] Push out the puppet changes.
[-] yubikey
Requires: useraccount and ITS request to send out yubikey to user
[ ] physical: Make a request to ITS to have a key sent to the user
[ ] account_setup: Get the public side and add it to puppet-private/manifests/passwords/yubico.pp
[ ] follow_on: Make sure the user can use the yubikey for ssh access
[-] ssh
Requires: useraccount and yubikey
[ ] key_setup: Send template/docs for generating a keypair and ~/.ssh/config file
[ ] account_setup: Get the public key and add it to puppet-private/secrets/ssh/default/$username
[ ] follow_on: Verify the user can ssh using the correct credentials and passphrases when needed.
[-] mariadb
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Create user block in puppet-private/secrets/mariadb_grants/users.yaml
[ ] Deploy and run the grant script on the appropriate database servers.
[ ] Create the user a ~/.my.cnf file with the original password from account creation. The file holds the password in clear text, so it must be readable only by the user (mode 0600).
[ ] follow_on: Verify the user can ssh to the required host and log in to mariadb.
[-] trino
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Add user password hash in puppet-private/secrets/trino/password.pp
[ ] Create ~/.analytics.env on the analytics application server
[ ] follow_on: Verify the user can ssh to the required host and run trino-cli.
[-] jupyter
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Add user port mapping in hieradata/hosts.yaml
[ ] Add user password hash in puppet-private/manifests/passwords/jupyter.pp
[ ] Provide user with necessary ssh port forwarding config and password
[ ] follow_on: Verify the user can log in and connect to the instance
[-] Repository reviewer
- Add to the necessary fundraising repos to be notified as a reviewer: https://www.mediawiki.org/wiki/Git/Reviewers
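The ssh key_setup step and the jupyter step above hand the user an ~/.ssh/config template plus a port-forwarding stanza, and the mariadb step leaves the initial password in ~/.my.cnf. The shell snippet below is an added illustration of those three deliverables; it is not fr-tech's own tooling. The Host aliases (fr-bastion, fr-analytics), their HostName values under the reserved .invalid domain, the key file name and the jupyter port passed in are assumptions, not real fr-tech values. The ~/.my.cnf writer uses umask in a subshell so the file is 0600 from creation, and re-checks the mode afterwards.

```shell
#!/bin/sh
# Added example for the ssh / jupyter / mariadb steps; not fr-tech's own tooling.
# Host names, the key file name and the port are assumptions.
set -eu

# Print the ~/.ssh/config stanzas for one user.
#   $1 = shell username on the fundraising hosts
#   $2 = the user's jupyter port (the per-user mapping from hieradata/hosts.yaml)
# The bastion is the only host reached directly; the analytics host is reached
# through it with ProxyJump, and the jupyter port is forwarded to 127.0.0.1 on
# the workstation, so the notebook is only reachable through the ssh tunnel.
fr_ssh_config() {
    user="$1"
    port="$2"
    cat <<EOF
Host fr-bastion
    HostName bastion.frtech.invalid
    User ${user}
    IdentityFile ~/.ssh/id_ed25519_frtech
    IdentitiesOnly yes

Host fr-analytics
    HostName analytics.frtech.invalid
    User ${user}
    ProxyJump fr-bastion
    IdentityFile ~/.ssh/id_ed25519_frtech
    IdentitiesOnly yes
    LocalForward 127.0.0.1:${port} 127.0.0.1:${port}
EOF
}

# Write a ~/.my.cnf holding the initial mariadb password.
#   $1 = destination path   $2 = mariadb user   $3 = initial password
# umask 077 inside a subshell makes the file 0600 at creation time, so the
# password is never briefly world-readable; the final test fails the function
# if the resulting mode is anything other than 600 (e.g. a pre-existing file).
fr_write_my_cnf() {
    path="$1"
    user="$2"
    pass="$3"
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$path" )
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    [ "$mode" = "600" ]
}

# Keypair the user generates on their own workstation before sending the
# public side (passphrase is prompted for interactively):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_frtech -C "$USER@fr-tech"
```

Usage: `fr_ssh_config <username> <jupyter-port> >> ~/.ssh/config` on the user's workstation, and `fr_write_my_cnf ~/.my.cnf <username> '<initial password>'` in the user's home directory on the database host; the latter returns non-zero if the file did not end up mode 0600.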