Page MenuHomePhabricator
Create Task
Maniphest T90956

define in Puppet or remove user account - milimetric
Closed, ResolvedPublic
Actions

Description

@Milimetric

We're in the process of auditing and cleaning up our access lists to servers. During this audit, we found your user in place on a few sysetms, without having admin module entries. We need to review these systems and confirm you still require access to them, and why. Since we don't have this on record or in puppet, we'll have to go through the normal approval process. As such, please simply have your manager approve on this task which systems you confirm you need to continue to access.

stat1001.eqiad.wmnet:

Please note what you need to do on each system, as we'll need to ensure you maintain the proper access levels when we add you to the admins module.

Feedback is required, as we'll be removing the access of anyone we don't account for during this audit.

Thanks in advance,

Related Objects
Search...

Event Timeline

RobH created this task.Feb 26 2015, 9:51 PM
RobH assigned this task to Milimetric.
RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH added projects: acl*security, acl*sre-team, SRE-Access-Requests.
RobH added subscribers: Tnegrin, Milimetric.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 26 2015, 9:51 PM
Milimetric added a subscriber: RobH.Feb 26 2015, 9:54 PM

Thanks for the ping @RobH. I only need basic access to stat1001, no sudo or special access. I am a member of the analytics team and thus need to be able to look at what people are doing on that machine if they point me to something there.

Dzahn reassigned this task from Milimetric to RobH.Feb 26 2015, 11:18 PM
Dzahn subscribed.
RobH added a comment.Feb 27 2015, 4:38 PM

@Milimetric,

I'm not 100% which group we'd put you in then, sorry for the back and forth.

On stat1001 I see a group for statistics-web-users, which includes: ezachte, qchris, joal. This group has the note access for stats.wikimedia.org. Is this the level of access you needed?

If so, I'll make the changes and we can get your managers approval on this task to formalize it.

Please advise,

Milimetric added a comment.Feb 27 2015, 4:55 PM

@RobH, yes, the statistics-web-users group is perfectly fine. I'm the one who's sorry I didn't know to tell you in the first place. Thanks again.

RobH reassigned this task from RobH to Tnegrin.Feb 27 2015, 6:00 PM

@Tnegrin,

Would you please comment on this task to approve that @Milimetric can be added to statistics-web-users group, which formalizes his access to stat1001.

This came up due to our audit of user accounts, and it seems his account wasn't properly setup for stat1001. So he has access now, and will keep it with your approval.

Thanks in advance,

RobH added a comment.Feb 27 2015, 6:13 PM

https://gerrit.wikimedia.org/r/#/c/193396/ is the patchset for this change, once we have Toby's approval.

RobH mentioned this in T90923: Define in Puppet or remove rogue user accounts not currently defined in admin/data.yaml.Feb 27 2015, 6:19 PM
Dzahn added a comment.Mar 3 2015, 7:08 PM

@Tnegrin one more approval is needed here please

chasemp subscribed.Mar 4 2015, 5:16 PM

@Tnegrin ping :)

Tnegrin added a comment.Mar 5 2015, 1:07 AM

approved

Dzahn mentioned this in rOPUPf85ad375ec89: formalizing milimetric's access to stat1001.Mar 5 2015, 1:52 AM
Dzahn added a comment.EditedMar 5 2015, 1:58 AM
In T90956#1074055, @RobH wrote:

https://gerrit.wikimedia.org/r/#/c/193396/ is the patchset for this change, once we have Toby's approval.

@Tnegrin thanks! merged

@RobH if you put "Bug:T90956" instead of just "T90956" in the commit message the bot will automatically update the ticket on upload and merge

@Milimetric nothing should have changed on stat1001. this just let puppet manage your existing key, but it's good that it's formalized now and installed with configuration management. i saw puppet replace it and technically the checksum of your key file changed, but that was just about a newline that is now gone

Dzahn closed this task as Resolved.Mar 5 2015, 1:59 AM
Dzahn claimed this task.
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits