They can already log in to pretty much every host in prod, and can get themselves added to any project. Should just be automatic instead.
Description
Event Timeline
Looks like this would be a change to modules/ldap/templates/access.conf.erb in puppet?
While poking around in LDAP I found this:
krenair@bastion-01:~$ ldapsearch -x "(&(ou:dn:=sudoers)(cn:dn:=ops))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(ou:dn:=sudoers)(cn:dn:=ops))
# requesting: ALL
#

# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at https://wikitech.wikimedia.org/wiki/LDAP_Groups#ops_grants_access_to:
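As an added example (not code from this task or from Wikimedia's puppet repository), a small Python audit that parses ldapsearch LDIF output like the above and flags sudoRole entries that combine sudoHost ALL, sudoCommand ALL and the !authenticate option; the embedded sample is constructed, and its second entry is a hypothetical, narrowly scoped role included for contrast.

```python
from collections import defaultdict
# Constructed sample in the LDIF shape ldapsearch prints: the ops role from
# the task plus a hypothetical, narrowly scoped role for contrast.
SAMPLE_LDIF = """\
# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
sudoHost: ALL

dn: cn=restart-nginx,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
sudoCommand: /usr/sbin/service nginx restart
sudoUser: %webadmins
sudoHost: web1.example.org
"""

def parse_ldif(text):
    # One {attribute: [values]} dict per entry; '#' comment lines are skipped
    # and ldapsearch's folded continuation lines (leading space) are rejoined.
    entries, current, last = [], defaultdict(list), None
    for line in (l for l in text.splitlines() if not l.startswith("#")):
        if line.startswith(" ") and last:
            current[last][-1] += line[1:]
        elif not line.strip():
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        else:
            last, _, value = line.partition(":")
            current[last].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def risky_sudo_roles(text):
    # dn -> reasons for each sudoRole granting unrestricted, password-less root.
    findings = {}
    for e in parse_ldif(text):
        if "sudorole" not in {c.lower() for c in e.get("objectClass", [])}:
            continue
        checks = (("sudoHost", "ALL"), ("sudoCommand", "ALL"),
                  ("sudoOption", "!authenticate"))
        reasons = [f"{a} {v}" for a, v in checks if v in e.get(a, [])]
        if reasons:
            findings[e["dn"][0]] = reasons
    return findings
```

Feeding it the real `ldapsearch -x -b ou=sudoers,dc=wikimedia,dc=org` output instead of the sample lists every role that grants blanket root, which is the set worth documenting on the wiki page mentioned above.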
I don't think this makes sense. As you said, in an emergency anyone in the ops group can add themselves to any project (by SSHing to a cloudcontrol box and using the novaadmin credentials stored there). Most people in 'ops' are however not involved in the day-to-day management of the Cloud VPS platform and instead might only regularly use a few projects, so being added to them manually like anyone else shouldn't be a huge problem. For those who might need access to arbitrary instances, we already have a mechanism (root-authorized-keys in labs/private) that is fully independent of LDAP and can be used for this purpose.
Closing this given the little interest in this task over the years. Feel free to re-open if you disagree.
ou=sudoers,dc=wikimedia,dc=org isn't actually read by any vps instance... but profile::wmcs::instance applies a very similar rule anyways. Not sure if it's worth keeping or should be removed.