They can already login to pretty much every host in prod, and can get themselves added to any project. Should just be automatic instead.
While poking around in LDAP I found this:
krenair@bastion-01:~$ ldapsearch -x "(&(ou:dn:=sudoers)(cn:dn:=ops))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(ou:dn:=sudoers)(cn:dn:=ops))
# requesting: ALL
#

# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at https://wikitech.wikimedia.org/wiki/LDAP_Groups#ops_grants_access_to:
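As an added example (not code from this task or its participants), a small audit script that parses sudoRole entries in ldapsearch's LDIF output and flags roles combining sudoHost ALL, sudoCommand ALL and the !authenticate option, as the cn=ops role above does; the cn=example-admins entry is a constructed, hypothetical role included for contrast.

```python
"""Audit sudoRole entries in ldapsearch LDIF output (added example, not from the task).
Assumes single-line LDIF attributes (no leading-space continuation lines)."""

# Constructed sample: the cn=ops role quoted in the thread plus a hypothetical narrower one.
SAMPLE_LDIF = """\
# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
sudoHost: ALL

# hypothetical role, constructed for this example
dn: cn=example-admins,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
sudoCommand: /usr/sbin/service
sudoUser: %example-admins
sudoHost: example-host.eqiad.wmnet
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry that has a dn."""
    entries = [{}]
    for line in text.splitlines():
        if line.startswith("#"):            # ldapsearch comment lines
            continue
        if not line.strip():                # a blank line separates entries
            entries.append({})
            continue
        attr, _, value = line.partition(":")
        entries[-1].setdefault(attr.strip(), []).append(value.strip())
    return [e for e in entries if "dn" in e]

CHECKS = (  # (attribute, value, finding reported when that value is present)
    ("sudoHost", "ALL", "applies to all hosts"),
    ("sudoCommand", "ALL", "allows all commands"),
    ("sudoOption", "!authenticate", "no password required"),
)

def audit(entries):
    """Map each sudoRole dn to its list of risk findings (empty if none)."""
    findings = {}
    for e in entries:
        if "sudorole" in [c.lower() for c in e.get("objectClass", [])]:
            findings[e["dn"][0]] = [msg for attr, val, msg in CHECKS
                                    if val in e.get(attr, [])]
    return findings
```

Running `audit(parse_ldif(output))` over a real `ldapsearch -x "(objectClass=sudoRole)"` dump lists every role and which of the three conditions it meets; a role hitting all three is effectively unrestricted passwordless root on every host that consults that LDAP tree.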
I don't think this makes sense. As you said, in an emergency anyone in the ops group can add themselves to any project (by SSHing to a cloudcontrol box and using the novaadmin credentials stored there). Most people in 'ops' are however not involved in the day-to-day management of the Cloud VPS platform and instead might only regularly use a few projects, so being added to them manually like anyone else shouldn't be a huge problem. For those who might need access to arbitrary instances, we already have a mechanism (root-authorized-keys in labs/private) that is fully independent of LDAP and can be used for this purpose.
Closing this given the little interest in this task over the years. Feel free to re-open if you disagree.
ou=sudoers,dc=wikimedia,dc=org isn't actually read by any vps instance... but profile::wmcs::instance applies a very similar rule anyways. Not sure if it's worth keeping or should be removed.