
Allow everyone in ops group in LDAP to login to all Labs instances
Status: Closed, Declined. Visibility: Public

Description

They can already login to pretty much every host in prod, and can get themselves added to any project. Should just be automatic instead.

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: Cloud-Services.
yuvipanda subscribed.

Looks like this would be a change to modules/ldap/templates/access.conf.erb in puppet?

Cf. also T85910 for a bigger revamp of access.conf.

chasemp subscribed.

While poking around in LDAP I found this:

krenair@bastion-01:~$ ldapsearch -x "(&(ou:dn:=sudoers)(cn:dn:=ops))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(ou:dn:=sudoers)(cn:dn:=ops))
# requesting: ALL
#

# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at https://wikitech.wikimedia.org/wiki/LDAP_Groups#ops_grants_access_to:
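The ldapsearch output above is LDIF. As an added example that is not part of this task or the wikimedia puppet tree, the following script parses such an export and flags sudoRole entries that combine the three settings visible in the cn=ops entry (sudoHost ALL, sudoCommand ALL and the !authenticate option), which is the kind of check a reviewer of ou=sudoers would want to run before trusting a group with login everywhere. The sample LDIF is constructed: it repeats the ops entry from the task and adds a hypothetical, tightly scoped cn=dbadmins role for contrast (that role, its host name and command are invented for illustration).

```python
"""Audit sudoRole entries in an LDIF export (e.g. from ldapsearch).

Added example, not part of the Phabricator task or the project's code.
Flags roles that grant passwordless, unrestricted sudo on every host.
"""

# Constructed sample: the cn=ops entry shown in the task, plus an invented
# cn=dbadmins role (host and command are placeholders) for comparison.
SAMPLE_LDIF = """\
# extended LDIF
#
# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# dbadmins, sudoers, wikimedia.org (hypothetical)
dn: cn=dbadmins,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoCommand: /usr/bin/systemctl restart mariadb
sudoUser: %dbadmins
cn: dbadmins
sudoHost: db1001.example.org

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of records, each mapping attribute -> list of values.

    Skips '#' comment lines, splits records on blank lines and joins LDIF
    continuation lines (a line starting with one space extends the
    previous value). Trailer records such as 'search: 2' come back too;
    callers filter on the presence of 'dn'.
    """
    entries, current, prev_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, prev_attr = {}, None
            continue
        if raw.startswith(" ") and prev_attr is not None:
            current[prev_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        prev_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_sudo_roles(entries):
    """Return {dn: [finding, ...]} for sudoRole entries with risky settings."""
    findings = {}
    for e in entries:
        if "dn" not in e:
            continue
        if "sudorole" not in {c.lower() for c in e.get("objectClass", [])}:
            continue
        issues = []
        if any(h.upper() == "ALL" for h in e.get("sudoHost", [])):
            issues.append("sudoHost ALL: applies on every host reading this OU")
        if any(c.upper() == "ALL" for c in e.get("sudoCommand", [])):
            issues.append("sudoCommand ALL: unrestricted command set")
        if "!authenticate" in {o.lower() for o in e.get("sudoOption", [])}:
            issues.append("!authenticate: sudo never prompts for a password")
        if issues:
            findings[e["dn"][0]] = issues
    return findings


if __name__ == "__main__":
    for dn, issues in audit_sudo_roles(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for issue in issues:
            print("  -", issue)
```

Run against a real export by replacing SAMPLE_LDIF with the output of `ldapsearch -x -b ou=sudoers,dc=wikimedia,dc=org`; only cn=ops is reported for the sample, since the contrasting role is pinned to one host and one command and still requires a password.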

taavi subscribed.

I don't think this makes sense. As you said, in an emergency anyone in the ops group can add themselves to any project (by SSHing to a cloudcontrol box and using the novaadmin credentials stored there). Most people in 'ops' are however not involved in the day-to-day management of the Cloud VPS platform and instead might only regularly use a few projects, so being added to them manually like anyone else shouldn't be a huge problem. For those who might need access to arbitrary instances, we already have a mechanism (root-authorized-keys in labs/private) that is fully independent of LDAP and can be used for this purpose.

Closing this given the little interest in this task over the years. Feel free to re-open if you disagree.

> So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at https://wikitech.wikimedia.org/wiki/LDAP_Groups#ops_grants_access_to:

ou=sudoers,dc=wikimedia,dc=org isn't actually read by any vps instance... but profile::wmcs::instance applies a very similar rule anyways. Not sure if it's worth keeping or should be removed.