
Define in Puppet or remove rogue user accounts not currently defined in admin/data.yaml
Closed, Resolved · Public

Description

PLEASE RESPOND IN YOUR RELEVANT SUBTASK IF MENTIONED.

There is a breakdown here:

http://etherpad.wikimedia.org/p/admin_accounts_cleanup

Paste version as of 2/26/15 P336

The unique list of unconfirmed but possible people who will be removed on some relevant server if we let loose the cleanup logic:

Known good removals (from the non-puppet-access-defined hosts):

Formalized existing access in puppet:

Users left to escalate/formalize access
<none>

Please be aware these accounts may be valid, and most probably are, but for a specific server in question the access could be old, manually added, or unknown to even the user in question. We have to justify the existence of the account in a group in data.yaml for it to persist.

I will be enabling our cleanup logic after a three phase approach to remedying this:

  1. Notify the people in question

  1.5 If the user replies and says they don't need the access, manually remove the user.

  2. Wait a set amount of time (I plan on feeling enabled to allow cleanup after 2 business weeks which would mean as early as March 13th, 2015)
  3. Give teeth to https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/admin/files/enforce-users-groups.sh and let it make our environment consistent with data.yaml
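
A dry-run report of which accounts such a cleanup would remove on one host is useful before enforcement is switched on. The sketch below is an added example, not the task author's code and not enforce-users-groups.sh: the flat "group: member member" export, the group names, the UID threshold and the sample data are all assumptions made for illustration, since the real data.yaml schema is not shown on this page.

```shell
#!/bin/sh
# Added example: dry-run report of accounts a cleanup would remove on one host.
# Assumption: the group data is available as a flat "group: member member" export.
# The real admin/data.yaml schema is not shown on this page.

# allowed_users GROUPS_FILE GROUP...  -> members of the groups applied to this host
allowed_users() {
    groups_file=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, g, " "); for (i = 1; i <= n; i++) applied[g[i]] = 1 }
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            name = $1; sub(/:$/, "", name)
            if (name in applied) for (i = 2; i <= NF; i++) print $i
        }' "$groups_file" | sort -u
}

# rogue_accounts PASSWD_FILE GROUPS_FILE UID_MIN GROUP...  -> unjustified accounts
rogue_accounts() {
    passwd_file=$1; groups_file=$2; uid_min=$3; shift 3
    ok_list=$(allowed_users "$groups_file" "$@" | tr '\n' ' ')
    awk -F: -v min="$uid_min" -v ok_list="$ok_list" '
        BEGIN { n = split(ok_list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip system accounts (below UID_MIN) and the conventional "nobody" UID
        $3 + 0 >= min && $3 + 0 != 65534 && !($1 in ok) { print $1 }
    ' "$passwd_file" | sort
}

# Constructed sample data (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/groups.txt" <<'EOF'
# group: members
ops: alice bob
analytics: carol
deployers: bob dave   # not applied on the sample host
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
erin:x:1004:1004::/home/erin:/bin/bash
EOF
echo "would remove: $(rogue_accounts "$demo_dir/passwd" "$demo_dir/groups.txt" 1000 ops analytics | tr '\n' ' ')"
```

On a real host the first argument would be a file holding the output of `getent passwd`; the report only lists names and deletes nothing.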

Related Objects

Status | Assigned
Resolved | chasemp
Resolved | chasemp
Resolved | Dzahn
Resolved | RobH
Resolved | RobH
Resolved | RobH
Resolved | Dzahn
Resolved | RobH
Resolved | Dzahn
Resolved | cscott
Resolved | Dzahn
Resolved | RobH
Resolved | hoo
Resolved | Dzahn
Resolved | Dzahn
Resolved | RobH
Resolved | Mglaser
Resolved | DarTar
Resolved | Amire80
Resolved | Dzahn
Resolved | ArielGlenn
Resolved | leila
Resolved | Dzahn
Resolved | Nuria
Resolved | Dzahn

Event Timeline

chasemp created this task. Feb 26 2015, 8:40 PM
chasemp raised the priority of this task from to Needs Triage.
chasemp updated the task description.
chasemp added a subscriber: chasemp.
Restricted Application added a subscriber: Aklapper. Feb 26 2015, 8:40 PM
chasemp triaged this task as High priority. Feb 26 2015, 8:41 PM
chasemp updated the task description.
chasemp set Security to None.
chasemp updated the task description.
chasemp added subscribers: Tfinc, ssastry, Tnegrin and 2 others.
chasemp added subscribers: Milimetric, santhosh, Smalyshev, hoo.
chasemp updated the task description. Feb 26 2015, 8:45 PM

I have no idea why I have access to those hosts and don't think I've ever used them.

chasemp updated the task description. Feb 26 2015, 8:57 PM

I (smalyshev) don't need account on cerium right now (probably left over from Titan work). If there are questions about any other hosts (I'm not sure if I read the etherpad correctly) please tell me.

Yeah, it looks like both of the ones I'm on are log collectors so I may well have used them in the past with udp2log etc during the fundraiser and probably don't really need now especially with hadoop etc. Did they use to be part of restricted? More importantly, I just logged in but had to use my old old key (which was deactivated ... over a year ago now? because of a stolen laptop (encrypted, it's likely it wasn't compromised, but still).

chasemp updated the task description. Feb 26 2015, 9:06 PM

> Yeah, it looks like both of the ones I'm on are log collectors so I may well have used them in the past with udp2log etc during the fundraiser and probably don't really need now especially with hadoop etc. Did they use to be part of restricted? More importantly, I just logged in but had to use my old old key (which was deactivated ... over a year ago now? because of a stolen laptop (encrypted, it's likely it wasn't compromised, but still).

This is an excellent reminder of why a house cleaning like this is needed. Cheers!

chasemp updated the task description. Feb 26 2015, 9:11 PM
Dzahn edited subscribers, added: RobH; removed: Krenair, Jalexander, Legoktm and 8 others. Feb 26 2015, 10:17 PM
RobH updated the task description. Feb 26 2015, 10:49 PM
RobH added a comment. Feb 26 2015, 11:26 PM

Note: I simply moved folks from the unknown to the known good to delete section, I did NOT manually delete anyone at this time. (I'm fine with doing so moving forward, just noting I didn't in the past.)

Dzahn updated the task description. Feb 26 2015, 11:26 PM
Dzahn added a subscriber: Dzahn. Feb 26 2015, 11:28 PM

Note: I edited the task description and added:

1.5 If the user replies and says they don't need the access, manually remove the user.

because to me, if a user says "I don't need this" I would like to just delete the user manually.

I felt a subtask saying "..or delete user" should be resolved once it's actually deleted.

RobH updated the task description. Feb 26 2015, 11:45 PM
RobH updated the task description. Feb 26 2015, 11:48 PM
RobH updated the task description.
RobH updated the task description. Feb 26 2015, 11:51 PM
RobH updated the task description.
RobH updated the task description. Feb 26 2015, 11:54 PM
RobH updated the task description.
RobH updated the task description. Feb 27 2015, 6:19 PM
RobH updated the task description. Feb 27 2015, 7:11 PM
RobH updated the task description.
chasemp updated the task description. Mar 4 2015, 5:15 PM
Dzahn updated the task description. Mar 5 2015, 3:34 AM
RobH assigned this task to chasemp. Mar 10 2015, 4:27 PM

All blocking tasks have been completed. As such, I'm assigning this to Chase so he can continue with user enforcement steps mentioned.

chasemp updated the task description. Mar 10 2015, 7:29 PM
chasemp closed this task as Resolved. Mar 11 2015, 7:52 PM
Restricted Application added a subscriber: Malyacko. Apr 28 2016, 4:51 AM