
Add @emailbot to #operations
Closed, Resolved, Public

Description

In operations we need to have a bot user who can relay certain messages into tickets (via email). These tickets will often be limited to WMF-NDA and thus the @emailbot user needs to be in WMF-NDA to access them. This is a bot controlled by the ops team. There is no direct login and the certificate is hidden in the SRE private repo.

UPDATE

Talked to Rob and due to the really sensitive nature of things he is thinking #opsen is the more appropriate grouping.

Event Timeline

chasemp raised the priority of this task from to Needs Triage.
chasemp updated the task description.
chasemp added projects: acl*sre-team, WMF-NDA.

@csteipp, do you have any objection? I can't think of any other way to solve this problem that isn't worse.

I've assigned this to Chris for his commentary.

Chris: Please provide feedback and then feel free to unassign yourself as owner (or assign to me since I'll be working on this as it gets resolved (likely with chase)).

Dzahn triaged this task as Medium priority. Jan 28 2015, 5:51 PM
In T87611#995412, @RobH wrote:

I've assigned this to Chris for his commentary.

Chris: Please provide feedback and then feel free to unassign yourself as owner (or assign to me since I'll be working on this as it gets resolved (likely with chase)).

This shouldn't be a huge problem. Do make sure the account has an appropriate password, interacts over https, etc. And (if possible, although I haven't looked into exactly how Phabricator set their OAuth server up) use OAuth tokens with limited rights instead of storing the password.

chasemp renamed this task from Add @emailbot to #wmf-nda to Add @emailbot to #operations. Feb 2 2015, 9:07 PM
chasemp updated the task description.

@RobH, yes? Anyone have objections to adding @emailbot to SRE so it can relay comments to private issues?

Yes, but it should ONLY relay into the ops-datacenter site projects, not SRE itself.

I realize that's what we talked about, but just calling it out intentionally.

@chasemp so are all the issues that Chris points out covered (pass/https/etc) for emailbot?

Just to clarify, since reviewing this task doesn't quite make it clear WHY @emailbot needs this.

Example: System X has a failed mainboard, so we send in a support request to our Vendor. Since it includes serials and mailing addresses, they should be private issues viewable ONLY by operations. Since this means restricting to operations, said email bot has to support viewing/adding to them.

Yes, but it should ONLY relay into the ops-datacenter site projects, not SRE itself.

I realize that's what we talked about, but just calling it out intentionally.

@chasemp so are all the issues that Chris points out covered (pass/https/etc) for emailbot?

I think so yeah. The bot certificate is in secret via the normal mechanism and the bot uses https and lives on the Phab host itself. So I think this is fine.

@emailbot has been added to SRE group