Page MenuHomePhabricator
Create Task
Maniphest T92564

Chad H. needs access to iridium (Phabricator host) to manage repos
Closed, ResolvedPublic
Actions

Description

And other things too like phd and such!

@chasemp and @yuvipanda thought it was a good idea and brought it up this morning. @greg is approver.

Details

SubjectRepoBranchLines +/-
create a phab-roots admin group, add demonoperations/puppetproduction+5 -1
Customize query in gerrit

Revisions and Commits

rOPUP Wikimedia Puppet
rOPUP48afe4009fc7 phab allow chad h to admin sane things
rOPUP04fa83ccb253 phab allow chad h to admin sane things

Related Objects

Event Timeline

demon created this task.Mar 12 2015, 9:03 PM
demon raised the priority of this task from to Needs Triage.
demon updated the task description. (Show Details)
demon added projects: Phabricator, SRE-Access-Requests, Release-Engineering-Team.
demon added subscribers: demon, greg, chasemp, yuvipanda.
Restricted Application added a project: acl*sre-team. · View Herald TranscriptMar 12 2015, 9:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot subscribed.Mar 12 2015, 9:08 PM

Change 196425 had a related patch set uploaded (by Dzahn):
create a phab-roots admin group, add demon

https://gerrit.wikimedia.org/r/196425

gerritbot added a project: Patch-For-Review.Mar 12 2015, 9:08 PM
chasemp added a comment.Mar 12 2015, 9:15 PM

give me a day or so to poke at this and make sure the perms and abilities are sane (i.e. you can do things). We haven't piecemealed it out before so it's new territory.

Dzahn subscribed.Mar 12 2015, 9:16 PM

first we should create a new admin group for this, either phab-roots , that would assume it's a request for sudo ALL ALL, or phab-admins, that would mean to me that we can list the needed commands and limit sudo to the ones needed.

Dzahn triaged this task as Medium priority.Mar 12 2015, 9:18 PM
greg added a comment.Mar 12 2015, 9:25 PM

I want to have a meme I can use to indicate my manager approval.

Approve.

Dzahn added a comment.Mar 12 2015, 9:35 PM

http://knowyourmeme.com/memes/approval-guy

What are you approving though? :)

greg added a comment.Mar 12 2015, 9:40 PM

approval_guy_orig.jpg (526×647 px, 31 KB)

In T92564#1114939, @Dzahn wrote:

What are you approving though? :)

Whatever access chad needs to manage repos in Phab.

RobH assigned this task to chasemp.Mar 12 2015, 11:54 PM
RobH subscribed.

I'm assigning this to @chasemp for his check that this works, and all changes are sane.

@demon: please sign https://phabricator.wikimedia.org/L3

Additionally, as this is requesting sudo, it will need to be an agenda item in our monday operations meeting. As I'm on clinic duty, just assign this to me post @chasemp's review.

Dzahn added a comment.Mar 12 2015, 11:56 PM
In T92564#1115364, @RobH wrote:

Additionally, as this is requesting sudo, it will need to be an agenda item in our monday operations meeting.

only if it is really requesting sudo as in full root / ALL ALL, not if we actually list just a couple needed commands to be allowed, if i'm not mistaken about the policy

RobH added a comment.Mar 12 2015, 11:59 PM

Policy states https://wikitech.wikimedia.org/wiki/Requesting_shell_access:

  1. If your access request includes any level of sudo privileges on a system, your request will have a 'mandatory' security review in the weekly operations meetings. Sudo access is granted on an extremely limited basis, and will typically apply to the smallest permissions possible (user/process restricted over all). Expect this process to take at least one business week.

As such, this is sudo. I wrote this part of the policy initially, and I meant it to be for all scopes of sudo (outside of those who have deployers) for any kind of actions (other than info pull by non-root-sudo use). I'm open to this being changed, but then we need to also review that in the ops meeting =]

Dzahn added a comment.Mar 13 2015, 12:00 AM

gotcha, then to the meeting Etherpad it goes

demon added a comment.Mar 13 2015, 2:52 PM
In T92564#1115364, @RobH wrote:

@demon: please sign https://phabricator.wikimedia.org/L3

Signed.

Oh man, now I'm responsible for my behavior? :p

chasemp added a comment.Mar 13 2015, 6:09 PM

https://gerrit.wikimedia.org/r/#/c/196613/

gerritbot added a comment.Mar 13 2015, 6:20 PM

Change 196425 abandoned by Dzahn:
create a phab-roots admin group, add demon

https://gerrit.wikimedia.org/r/196425

RobH added a comment.Mar 16 2015, 6:31 PM

The sudo review for this passed ops meeting review. We should continue to narrow the scope of the sudo rights on this host as needed, but overall approval is granted.

Dzahn added a comment.Mar 16 2015, 8:15 PM

https://gerrit.wikimedia.org/r/#/c/196613/ has been merged and narrows the rights down to:

/srv/phab/phabricator/bin/phd
/srv/phab/phabricator/bin/worker
/srv/phab/phabricator/bin/repository
/srv/phab/phabricator/bin/remove destroy

Dzahn closed this task as Resolved.Mar 16 2015, 11:49 PM

16:23 < mutante> ^d: phab access should work
16:23 < ^d> It does

greg mentioned this in T93151: Mukunda needs sudo on iridium (phab host).Mar 18 2015, 11:06 PM
greg moved this task from INBOX to Done on the Release-Engineering-Team board.Mar 20 2015, 6:10 PM
chasemp added a commit: rOPUP04fa83ccb253: phab allow chad h to admin sane things.Mar 23 2015, 3:52 PM
chasemp mentioned this in rOPUP2e251aa5cf6d: phab make mail processing bin executable.
chasemp added a commit: rOPUP48afe4009fc7: phab allow chad h to admin sane things.Apr 28 2016, 3:22 AM
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 28 2016, 3:22 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL