This is a new access request for ncreasy. They require the following access: (**Mark the box for each requirement with an x**)
[x] civicrm web access
[x] standard access
[ ] donor services access
[x] ssh access - if specific hosts: fran1001, frdev1001 - same as what Joseph and Runjini have
[x] mysql - if specific hosts or databases: fran1001, frdev1001 -- same as what Joseph and Runjini have
[x] superset
[ ] other: `please explain`
----
== New User Procedure / Checklist ==
When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.
=== Prerequisites ===
Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level that access is approved.
==== [x] user_verification ====
Requires: user request
[x] access_rights: letter to C level (currently Lisa) verifying grant of access
[x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[ ] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list
=== Accounts and Services ===
==== [ ] client_ssl_cert ====
Requires: user_verification
[x] cert_setup: generate cert on frpm1001 using ssl_user_admin
[x] account_setup: sms the user the password for the key
[ ] follow_on: assist with certificate installation
==== [ ] civicrm ====
Requires: client_ssl_cert
[ ] account_setup: Create user account. This will notify the user via email to update their password.
[ ] follow_on: Verify user can log in to https://civicrm.wikimedia.org
==== [ ] superset ====
Requires: client_ssl_cert
[ ] account_setup: Create user account. Notify the user of their account name and password.
[ ] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org
[ ] archive_access: Add to google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
==== [ ] user account ====
Requires: user_verification
[ ] Add the user to the users.yaml and group_members.yaml files as appropriate.
[ ] Push out puppet changes.
==== [ ] yubikey ====
Requires: useraccount and ITS request to send out yubikey to user
[ ] physical: Make a request to ITS to have a key sent to the user
[ ] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
[ ] follow_on: Make sure user can use yubikey for ssh access
==== [ ] ssh ====
Requires: useraccount and yubikey
[ ] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
[ ] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
[ ] follow_on: Verify user can ssh using correct creds and passphrases when needed.
==== [ ] mysql ====
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
[ ] Ensure user is in correct blocks for select rights on dbs.
- Generally use another user in same group as a guide
[ ] Run the grant script to get the grants.
[ ] Copy/paste to execute the grants on appropriate dbs.
[ ] Create the user a ~/.my.cnf file with the original password from account creation.
[ ] follow_on: Verify user can ssh to the required host and log in to mysql.
==== [ ] jupyter ====
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Add user port mapping in hieradata/hostname/fran1001.yaml
[ ] Add user password hash in manifests/passwords/jupyter.pp
[ ] Provide user with necessary ssh port forwarding config and password
[ ] follow_on: Verify user can log in to fran1001 and connect to instance