Change Details

Opening this task to address access requests so @Jclark-ctr can execute all the necessary cookbooks to perform his day-to-day tasks. context: IF historically has been working on reducing the number of people with global root-level access see: [T244840] and [T289779]. Additional considerations for added security controls for SRE edge cases exist [T299989]. However, the need for John to be able to perform necessary actions in his day to day duties does not change, and there are a couple of options: # grant global root access # propose a list of sudo commands to grant access on the cumin hosts while the longer-term solution of a Kerberos non-root cumin configuration is generally available and ready. Discussing with the team, it feels like the latter option is the most sensible approach. Following is a placeholder (for now) for the list of cookbooks and additional commands needed to access via sudo Commands required to run with escalated privileges `sudo`: ### Cumin hosts: [ ] cookbook sre.hosts.provision [ ] cookbook sre.hosts.reimage [ ] cookbook sre.dns.netbox [ ] homer ### Puppetmasters [ ] puppet-merge ### apt hosts [ ] run-puppet-agent Once this list is complete, we can proceed with granting the necessary access.

Opening this task to address access requests so @Jclark-ctr can execute all the necessary cookbooks to perform his day-to-day tasks. context: IF historically has been working on reducing the number of people with global root-level access see: [T244840] and [T289779]. Additional considerations for added security controls for SRE edge cases exist [T299989]. However, the need for John to be able to perform necessary actions in his day to day duties does not change, and there are a couple of options: # grant global root access # propose a list of sudo commands to grant access on the cumin hosts while the longer-term solution of a Kerberos non-root cumin configuration is generally available and ready. Discussing with the team, it feels like the latter option is the most sensible approach. Following is a placeholder (for now) for the list of cookbooks and additional commands needed to access via sudo Commands required to run with escalated privileges `sudo`: ### Cumin hosts: [x] cookbook sre.hosts.provision [x] cookbook sre.hosts.reimage [x] cookbook sre.dns.netbox [x] homer ### Puppetmasters [ ] puppet-merge ### apt hosts [ ] run-puppet-agent Once this list is complete, we can proceed with granting the necessary access.

Opening this task to address access requests so @Jclark-ctr can execute all the necessary cookbooks to perform his day-to-day tasks. context: IF historically has been working on reducing the number of people with global root-level access see: [T244840] and [T289779]. Additional considerations for added security controls for SRE edge cases exist [T299989]. However, the need for John to be able to perform necessary actions in his day to day duties does not change, and there are a couple of options: # grant global root access # propose a list of sudo commands to grant access on the cumin hosts while the longer-term solution of a Kerberos non-root cumin configuration is generally available and ready. Discussing with the team, it feels like the latter option is the most sensible approach. Following is a placeholder (for now) for the list of cookbooks and additional commands needed to access via sudo Commands required to run with escalated privileges `sudo`: ### Cumin hosts: [ x] cookbook sre.hosts.provision [ x] cookbook sre.hosts.reimage [ x] cookbook sre.dns.netbox [ x] homer ### Puppetmasters [ ] puppet-merge ### apt hosts [ ] run-puppet-agent Once this list is complete, we can proceed with granting the necessary access.