
Define in Puppet or remove rogue user accounts not currently defined in admin/data.yaml
Closed, Resolved (Public)

Description

PLEASE RESPOND IN YOUR RELEVANT SUBTASK IF MENTIONED.

There is a breakdown here:

http://etherpad.wikimedia.org/p/admin_accounts_cleanup

Paste version as of 2/26/15 P336

The deduplicated list of people whose access is unconfirmed and who would be removed from at least one server if we let the cleanup logic loose:

Known good removals (from the non-puppet-access-defined hosts):

Formalized existing access in puppet:

Users left to escalate/formalize access
<none>

Please be aware that these accounts may be valid, and most probably are, but on a given server the access could be old, manually added, or unknown even to the user in question. An account persists only if its existence is justified by membership in a group in data.yaml.

I will be enabling our cleanup logic after a three-phase approach to remedying this:

  1. Notify the people in question.
  1.5 If the user replies and says they don't need the access, manually remove the user.
  2. Wait a set amount of time (I plan on allowing cleanup after 2 business weeks, which would mean as early as March 13th, 2015).
  3. Give teeth to https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/admin/files/enforce-users-groups.sh and let it make our environment consistent with data.yaml.
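The reconciliation that the enforcement step performs is simple to state: every non-system account on a host must be justified by membership in a group that data.yaml applies to that host, and anything else is a candidate for removal. The script below is an added illustration of that logic, not the admin module's enforce-users-groups.sh and not its data format: the group names, members, the host-to-groups mapping and the /etc/passwd excerpt are all constructed, and the `hosts` key is an assumption standing in for the per-role group assignment puppet does. It also models step 1.5, where a user who confirms they do not need the access is queued for removal even though data.yaml still lists them, and it reports what puppet would have to add rather than only what it would delete.

```python
"""Reconcile the local accounts on a host against an admin data.yaml-style
definition and report the accounts that nothing in the data justifies.

Added example, not the Wikimedia admin module's enforce-users-groups.sh. The
data structure below is a constructed stand-in for a parsed data.yaml: the
group names, members and the host-to-groups mapping are assumptions.
"""

# Constructed stand-in for the parsed YAML: groups -> members.
ADMIN_DATA = {
    "groups": {
        "ops": {"members": ["alice", "bob"]},
        "analytics-users": {"members": ["carol"]},
        "deployers": {"members": ["alice", "dave"]},
    },
    # Assumed: which groups are applied to which host (in puppet this comes
    # from the role's group assignment, not from data.yaml itself).
    "hosts": {
        "stat1001": ["ops", "analytics-users"],
        "tin": ["ops", "deployers"],
    },
}

# Constructed /etc/passwd excerpt for the host being checked.
PASSWD_STAT1001 = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
erin:x:1003:1003:Erin:/home/erin:/bin/bash
frank:x:1004:1004:Frank:/home/frank:/bin/zsh
"""

MIN_HUMAN_UID = 1000   # Debian: regular users are allocated from UID 1000
NOBODY_UID = 65534     # 'nobody' sits above the human range; never a person


def parse_passwd(text):
    """Return {username: uid} for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line: skip rather than misclassify it
        accounts[fields[0]] = int(fields[2])
    return accounts


def human_accounts(accounts):
    """Keep only non-system accounts (UID >= 1000, excluding nobody)."""
    return {name for name, uid in accounts.items()
            if uid >= MIN_HUMAN_UID and uid != NOBODY_UID}


def expected_users(data, host):
    """Union of the members of every group the data applies to this host."""
    expected = set()
    for group in data["hosts"].get(host, []):
        expected.update(data["groups"][group]["members"])
    return expected


def reconcile(passwd_text, data, host, confirmed_unneeded=()):
    """Classify the local accounts on `host`.

    remove  - accounts no group justifies, plus defined users who confirmed
              they no longer need the access (the task's step 1.5)
    keep    - accounts justified by a group applied to this host
    missing - users the data grants but the host lacks (puppet would add them)
    """
    local = human_accounts(parse_passwd(passwd_text))
    expected = expected_users(data, host)
    unneeded = set(confirmed_unneeded)
    return {
        "remove": sorted((local - expected) | (local & unneeded)),
        "keep": sorted((local & expected) - unneeded),
        "missing": sorted(expected - local),
    }


def planned_actions(report):
    """Dry run: the account removals the enforcement step would perform."""
    return ["userdel --remove %s" % user for user in report["remove"]]


if __name__ == "__main__":
    rep = reconcile(PASSWD_STAT1001, ADMIN_DATA, "stat1001",
                    confirmed_unneeded={"carol"})
    for key in ("remove", "keep", "missing"):
        print("%-8s %s" % (key + ":", ", ".join(rep[key]) or "<none>"))
    for cmd in planned_actions(rep):
        print("would run:", cmd)
```

Running it against the constructed host lists erin and frank for removal because no group applied to stat1001 contains them, adds carol because she confirmed she does not need the account, keeps alice, and notes that bob is granted access by data.yaml but has no account yet. Printing the planned commands instead of executing them is what makes the two-week notification period in the steps above useful: the report can be circulated to the affected people before anything is enforced.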

Related Objects

Status    Assigned
Resolved  chasemp
Resolved  chasemp
Resolved  Dzahn
Resolved  RobH
Resolved  RobH
Resolved  RobH
Resolved  Dzahn
Resolved  RobH
Resolved  Dzahn
Resolved  cscott
Resolved  Dzahn
Resolved  RobH
Resolved  hoo
Resolved  Dzahn
Resolved  Dzahn
Resolved  RobH
Resolved  Mglaser
Resolved  DarTar
Resolved  Amire80
Resolved  Dzahn
Resolved  ArielGlenn
Resolved  leila
Resolved  Dzahn
Resolved  Nuria
Resolved  Dzahn

Event Timeline

chasemp raised the priority of this task from to Needs Triage.
chasemp updated the task description.
chasemp added a subscriber: chasemp.
chasemp updated the task description.
chasemp set Security to None.
chasemp updated the task description.

I have no idea why I have access to those hosts and don't think I've ever used them.

I (smalyshev) don't need account on cerium right now (probably left over from Titan work). If there are questions about any other hosts (I'm not sure if I read the etherpad correctly) please tell me.

Yeah, it looks like both of the ones I'm on are log collectors, so I may well have used them in the past with udp2log etc. during the fundraiser and probably don't really need them now, especially with hadoop etc. Did they use to be part of restricted? More importantly, I just logged in but had to use my old old key (which was deactivated ... over a year ago now? because of a stolen laptop (encrypted, it's likely it wasn't compromised, but still)).

This is an excellent reminder of why a house cleaning like this is needed. Cheers!

Note: I simply moved folks from the unknown to the known-good-to-delete section; I did NOT manually delete anyone at this time. (I'm fine with doing so moving forward, just noting I didn't in the past.)

Note: I edited the task description and added:

1.5 If the user replies and says they don't need the access, manually remove the user.

because to me, if a user says "I don't need this" I would like to just delete the user manually.

I felt a subtask saying "...or delete user" should be resolved once it's actually deleted.

RobH updated the task description.
RobH updated the task description.
RobH updated the task description.
RobH updated the task description.

All blocking tasks have been completed. As such, I'm assigning this to Chase so he can continue with user enforcement steps mentioned.