define in Puppet or remove user account - tnegrin
Closed, Resolved (Public)

Description

Toby,

We're in the process of auditing and cleaning up our access lists to servers. During this audit, we found that your account is enabled on one system, but not accounted for in our admins module.

stat1001.eqiad.wmnet

The statistics users have a few different levels of access in admins. If you could provide feedback on what exactly you are using this access for, and what permissions you need to maintain, we would appreciate it.

Please note feedback is required, as we'll be removing the access of anyone we don't account for during this audit.

Thanks in advance,

Event Timeline

RobH assigned this task to Tnegrin.
RobH raised the priority of this task from to High.
RobH updated the task description.

I need access to this system to run various queries against hadoop and
other databases. I do not need admin access.

thanks,

-Toby

@mark could you approve this? Unsure who else to ask.

Dzahn added a subscriber: Dzahn.

As discussed during the operations meeting, @mark will need to comment on this task to approve getting Toby's access set in puppet for these hosts.

When done, please set to assigned to nobody for triage to pick it up.

mark removed mark as the assignee of this task. (Mar 10 2015, 11:36 AM)

Toby's access to stat1001 is approved.

I've merged live Toby's corrected access to stat1001; resolving ticket.

Sorry Chase -- I don't actually need this now since I don't manage the
analytics team anymore. Probably best to remove the access.

thanks,

-Toby

@Tnegrin thanks for the update, reopened the ticket, we'll take care of it

Dzahn lowered the priority of this task from High to Medium. (Apr 28 2016, 4:53 AM)

@20after4 @chasemp @Tnegrin I think this notification about an old thing only happened right now because the releng team is importing git commits from gerrit into phabricator and it gets a timestamp from when phab imports it. nevertheless.. it's good to deactivate accounts that are not used and if we got notified this way, why not :p

it says "Still Importing...
This commit is still importing. Changes will be visible once the import finishes." on

https://phabricator.wikimedia.org/rOPUP12582629b25e628673917e50d9f52864cb3a4087

it was actually authored on March 2nd

Change 285898 had a related patch set uploaded (by Dzahn):
admin: remove access for tnegrin pt1

https://gerrit.wikimedia.org/r/285898

Change 285899 had a related patch set uploaded (by Dzahn):
admin: remove access for tnegrin pt2

https://gerrit.wikimedia.org/r/285899

@fgiunchedi ^ could you take a look? reverse access request

@Tnegrin Just to make sure before I merge this, did you mean you don't need any shell access on WMF servers anymore or just not the access on the host stat1001 while still needing access to other servers?

I haven't logged into anything except my MacBook in months so I think
you're good to go!

Change 285898 merged by Dzahn:
admin: remove access for tnegrin pt1

https://gerrit.wikimedia.org/r/285898

Gotcha! .. and done

stat1001 - Notice: /Stage[main]/Ssh::Server/File[/etc/ssh/userkeys/tnegrin]/ensure: removed
bast1001 - Notice: /Stage[main]/Ssh::Server/File[/etc/ssh/userkeys/tnegrin]/ensure: removed

...

Change 285899 merged by Dzahn:
admin: remove access for tnegrin pt2

https://gerrit.wikimedia.org/r/285899