And other things too like phd and such!
@chasemp and @yuvipanda thought it was a good idea and brought it up this morning. @greg is approver.
Subject | Repo | Branch | Lines +/-
---|---|---|---
create a phab-roots admin group, add demon | operations/puppet | production | +5 -1

rOPUP Wikimedia Puppet
rOPUP48afe4009fc7 phab allow chad h to admin sane things
rOPUP04fa83ccb253 phab allow chad h to admin sane things
Change 196425 had a related patch set uploaded (by Dzahn):
create a phab-roots admin group, add demon
Give me a day or so to poke at this and make sure the perms and abilities are sane (i.e. you can do things). We haven't piecemealed it out before so it's new territory.
First we should create a new admin group for this, either phab-roots, that would assume it's a request for sudo ALL ALL, or phab-admins, that would mean to me that we can list the needed commands and limit sudo to the ones needed.
I'm assigning this to @chasemp for his check that this works, and all changes are sane.
@demon: please sign https://phabricator.wikimedia.org/L3
Additionally, as this is requesting sudo, it will need to be an agenda item in our Monday operations meeting. As I'm on clinic duty, just assign this to me post @chasemp's review.
Only if it is really requesting sudo as in full root / ALL ALL, not if we actually list just a couple needed commands to be allowed, if I'm not mistaken about the policy.
Policy states https://wikitech.wikimedia.org/wiki/Requesting_shell_access:
As such, this is sudo. I wrote this part of the policy initially, and I meant it to be for all scopes of sudo (outside of those who have deployers) for any kind of actions (other than info pull by non-root-sudo use). I'm open to this being changed, but then we need to also review that in the ops meeting =]
The sudo review for this passed ops meeting review. We should continue to narrow the scope of the sudo rights on this host as needed, but overall approval is granted.
https://gerrit.wikimedia.org/r/#/c/196613/ has been merged and narrows the rights down to:
/srv/phab/phabricator/bin/phd
/srv/phab/phabricator/bin/worker
/srv/phab/phabricator/bin/repository
/srv/phab/phabricator/bin/remove destroy