Page MenuHomePhabricator
Create Task
Maniphest T71269

Give all members of the deployment-prep project sudo
Closed, ResolvedPublic
Actions

Description

In a recent irc conversation {{citation needed}} it was determined that the requirement for people to have signed an NDA is bogus. The ability to sudo all commands should be restored for all members of the project.

Version: unspecified
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Details

Reference
bz69269

Related Objects

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:29 AM
bzimport added a project: Beta-Cluster-Infrastructure.
bzimport set Reference to bz69269.
bzimport added a subscriber: Unknown Object (MLST).
bd808 created this task.Aug 7 2014, 9:42 PM
hashar added a comment.Aug 8 2014, 2:28 PM

That has been done because we want to deploy real SSL certificate on the HTTPS handlers (on beta cluster, that is nginx on the varnish instances): bug 48501. So I went with a sudoer group under_NDA.

I lack knowledge about how SSL Certificate authority and certs work. There might be a way to have some custom SSL cert that we would not mind too much being stollen.

bd808 added a comment.Aug 8 2014, 3:36 PM

Making this change would essentially mean that we are abandoning the quest for installing commercially provided ssl certificates in beta and closing bug 48501 as WON'T FIX. We could still do something using self-signed certs of that is wanted/needed.

I would like to hear from Antoine and Chris McMahon on this topic. I'd personally come down on the side of allowing more people to participate in beta in a meaningful way, but I'm willing to be told that I'm missing a bigger picture need.

greg triaged this task as Medium priority.Nov 24 2014, 11:26 PM
greg moved this task from To Triage to Next: Feature on the Beta-Cluster-Infrastructure board.Nov 24 2014, 11:51 PM
greg mentioned this in T75919: Setup real ssl certs for Beta Cluster using a restricted project.Nov 25 2014, 7:57 PM
yuvipanda subscribed.Feb 2 2015, 4:34 PM

@greg any objections?

greg added a comment.Feb 2 2015, 4:40 PM

doit, but let it be known that this means we'll continually hit weird ssl-related issues that aren't seen in prod (and thus annoying as heck, and we'll (RelEng) need help diagnosing them).

See also: Safari not deleting cookies and redirecting to https and failing to login on beta.

yuvipanda added a comment.Mar 5 2015, 1:06 PM

Alright, doing this now...

yuvipanda added a comment.Mar 5 2015, 1:11 PM

Done. Everyone, NDA or not, can sudo on deployment-prep now. @greg I'll email releng list, am unsure where else this should be communicated...

yuvipanda closed this task as Resolved.Mar 5 2015, 1:14 PM
yuvipanda claimed this task.
yuvipanda moved this task from Next: Feature to Done on the Beta-Cluster-Infrastructure board.
hashar mentioned this in T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.May 11 2015, 9:44 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:58 PM
taavi mentioned this in T161675: Re-think puppet management for deployment-prep.Mar 20 2021, 10:14 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits