
Requesting access to scb* and pdfrender-admin for tgr
Closed, Resolved · Public

Description

Username: tgr
Full name: Gergő Tisza
Phab: @Tgr

For monitoring (and restarting, if needed) Electron during T175868: Deploy and test new book rendering (Remex + Electron). Probably will be handy during the Electron replacement project (Proton) in Q2 as well.

ops checklist for access

  • - user has existing shell name
  • - user has signed L3
  • - manager approval (@dr0ptp4kt granted.)
  • - user patchset prepared https://gerrit.wikimedia.org/r/#/c/378060/
  • - approval in ops meeting (Monday, 2017-09-18) for sudo requests. When approved, merge above patchset.

Event Timeline

Restricted Application added a subscriber: Aklapper.
Tgr renamed this task from Requesting access to pdfrender-admin for tgr to Requesting access to scb* and pdfrender-admin for tgr. Sep 14 2017, 1:34 AM

Given that I already have shell access for most boxes and this is a pretty limited expansion of privileges, if it's possible to waive the requirement of waiting for three business days, I'd ask for that. I was planning the deploy for tomorrow and only now realized I don't have access to scb*.

I approve of the access request being fulfilled. I'm in support of expediting if possible.

CC @bearND and @Mholloway for visibility.

Access checklist:

  • - user has existing shell name
  • - user has signed L3 (as of 2017-09-14 @ 15:34 GMT it has not been signed.)
  • - manager approval (@dr0ptp4kt granted.)
  • - user provides exact usergroups for inclusion

  • - user has to await approval in ops meeting for sudo requests.

I see you requesting access to SCB (but not listing the access group) and access to

pdfrender-admin:
    description: Group of pdfrender admins
    gid: 790
    members: [gwicke, ppchelko, eevans, mobrovac]
    privileges: ['ALL = NOPASSWD: /usr/sbin/service pdfrender *',
                 'ALL = (pdfrender) NOPASSWD: ALL']

I think you want the sc admins group for admin on scb, but it grants root to the full cluster of sc[a|b].

sc-admins:
    description: General service cluster admins - sc(a|b)
    gid: 779
    members: [eevans, gwicke, mobrovac, ppchelko]
    privileges: ['ALL = NOPASSWD: /usr/bin/puppet agent *',
                 'ALL = NOPASSWD: /usr/sbin/service changeprop *',
                 'ALL = NOPASSWD: /usr/sbin/service citoid *',
                 'ALL = NOPASSWD: /usr/sbin/service cpjobqueue *',
                 'ALL = NOPASSWD: /usr/sbin/service cxserver *',
                 'ALL = NOPASSWD: /usr/sbin/service graphoid *',
                 'ALL = NOPASSWD: /usr/sbin/service mathoid *',
                 'ALL = NOPASSWD: /usr/sbin/service mobileapps *',
                 'ALL = NOPASSWD: /usr/sbin/service pdfrender *',
                 'ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
                 'ALL = (recommendation_api) NOPASSWD: ALL',
                 'ALL = NOPASSWD: /usr/sbin/service trendingedits *',
                 'ALL = NOPASSWD: /usr/sbin/service zotero *',
                 'ALL = NOPASSWD: /usr/bin/firejail --join=*']

As you can see, one of your two requests is sudo, and will require an operations meeting approval. As such, there isn't any process to expedite past this ops meeting review, without having the Ops director sign off (@mark).

@Tgr: Can you please detail what exact group you need for access to scb/confirm it's sc-admins? Please also read, understand, and sign the L3. We require that for all requests, even existing users who have not yet signed it. Once we have the additional group, this still needs to wait for ops meeting on Monday.

I'm assigning this to you for your input on the above (additional group name plus L3 signature). Please assign back to me when complete and I'll ensure this is listed on the ops meeting next Monday.
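The group comparison made in the comment above, as an added example that is not part of the original task or of Wikimedia's tooling: it parses the quoted sudo rules and lists which groups permit a needed command and what else each one would grant. The `restart` argument and the use of `fnmatch` as a stand-in for sudoers wildcard matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Sudo rules transcribed from the two group definitions quoted above.
GROUPS = {
    "pdfrender-admin": [
        "ALL = NOPASSWD: /usr/sbin/service pdfrender *",
        "ALL = (pdfrender) NOPASSWD: ALL",
    ],
    "sc-admins": [
        "ALL = NOPASSWD: /usr/bin/puppet agent *",
        "ALL = NOPASSWD: /usr/sbin/service changeprop *",
        "ALL = NOPASSWD: /usr/sbin/service citoid *",
        "ALL = NOPASSWD: /usr/sbin/service cpjobqueue *",
        "ALL = NOPASSWD: /usr/sbin/service cxserver *",
        "ALL = NOPASSWD: /usr/sbin/service graphoid *",
        "ALL = NOPASSWD: /usr/sbin/service mathoid *",
        "ALL = NOPASSWD: /usr/sbin/service mobileapps *",
        "ALL = NOPASSWD: /usr/sbin/service pdfrender *",
        "ALL = NOPASSWD: /usr/sbin/service recommendation_api *",
        "ALL = (recommendation_api) NOPASSWD: ALL",
        "ALL = NOPASSWD: /usr/sbin/service trendingedits *",
        "ALL = NOPASSWD: /usr/sbin/service zotero *",
        "ALL = NOPASSWD: /usr/bin/firejail --join=*",
    ],
}

# Rule shape used on this page: hosts = [(runas)] [NOPASSWD:] command
RULE = re.compile(r"^(\S+)\s*=\s*(?:\(([^)]+)\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse_rule(rule):
    hosts, runas, nopasswd, cmd = RULE.match(rule).groups()
    return hosts, runas or "root", bool(nopasswd), cmd.strip()  # no (runas) means root

def allows(rule, command, runas="root"):
    _, rule_runas, _, pattern = parse_rule(rule)
    # Assumption: fnmatch only approximates sudoers wildcard matching.
    return rule_runas == runas and (pattern == "ALL" or fnmatchcase(command, pattern))

def covering_groups(groups, command, runas="root"):
    # Groups that permit `command`, fewest additional rules first.
    found = [(name, [r for r in rules if not allows(r, command, runas)])
             for name, rules in groups.items()
             if any(allows(r, command, runas) for r in rules)]
    return sorted(found, key=lambda item: len(item[1]))

if __name__ == "__main__":
    # "restart" is an assumed argument; the task only mentions restarting.
    for name, extra in covering_groups(GROUPS, "/usr/sbin/service pdfrender restart"):
        print(f"{name}: {len(extra)} additional rule(s)")
```

The rule count is only a rough ordering; a reviewer still reads the additional rules each group carries.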

RobH updated the task description.
RobH moved this task from Untriaged to user confirm on the SRE-Access-Requests board.

I approve of the access request being fulfilled. I'm in support of expediting if possible.

CC @bearND and @Mholloway for visibility.

We cannot expedite requests without @mark specifically overriding this process. In particular on granting a user sudo rights, sorry!

We cannot expedite requests without @mark specifically overriding this process. In particular on granting a user sudo rights, sorry!

Understood. Thanks, @RobH !

I chatted with @Tgr via IRC, and he is aware this will have to wait until Monday & he needs to sign the L3.

It seems that he only needs pdfrender-admin, not anything else. I'll link a patchset shortly.

Change 378060 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add tgr to pdfrender-admin sudo group

https://gerrit.wikimedia.org/r/378060

Thanks, Rob!

I'm assigning this to you for your input on the above (additional group name plus L3 signature). Please assign back to me when complete and I'll ensure this is listed on the ops meeting next Monday.

Just acknowledging that I saw this and am waiting for T175941: Reset Phabricator 2FA for Tgr.

Signed.

It seems that he only needs pdfrender-admin, not anything else. I'll link a patchset shortly.

Yes, that already includes access to the scb nodes. Sorry for the confusing title.

I strongly support @Tgr's access request as well.

Noted that you've signed L3 and all that is needed is pdfrender-admin. I've prepared the patchset (linked in task description) and it is listed for discussion on our ops meeting today.

Change 378060 merged by RobH:
[operations/puppet@production] add tgr to pdfrender-admin sudo group

https://gerrit.wikimedia.org/r/378060

RobH removed RobH as the assignee of this task.
RobH triaged this task as Medium priority.
RobH removed a project: Patch-For-Review.
RobH updated the task description.

@Tgr: Your access was approved in the ops meeting and has been merged live. The affected hosts will call in within the next 30 minutes and get the updates.

Please reopen this task if you have any issues with your new access.