You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
SRE/LDAP/Groups: Difference between revisions
Jump to navigation
Jump to search
imported>Majavah (→NDA group: fix link) |
imported>Jcrespo (-tendril (tendril service no longer exists)) |
||
| (13 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
After you have created a [[mw:Developer account|Wikimedia Developer account]], you may need to join a group in our [[LDAP]] server for specific access. | |||
To request access to one of these groups, [[phab:project/profile/1564/|'''Create an LDAP-Access-Requests task''']] in Phabricator. | |||
To view current members of a group, use https://ldap.toolforge.org/. | |||
These groups are privileged, but do not have human users as members, | == Primary groups == | ||
* <code>sgeadmin</code> | The following primary groups exist: | ||
* <code>labsadminbots</code> (only member is novaadmin) | * <code>wmf</code>, for WMF staff/contractors (documented below). | ||
* <code>mwdeploy</code> (used by mediawiki deployment, only member is mwdeploy) | * <code>ops</code>, for SRE staff (documented below, see also ops group in [[git:operations/puppet/+/refs/heads/production/manifests/site.pp|puppet manifests/site.pp]]). | ||
* <code>l10nupdate</code> (used by l10n deployment, only member is l10nupdate) | * <code>sre-admins</code>, for SREs who do not have full root privileges. | ||
* <code>vagrant</code> (system group for mediawiki-vagrant, only member is vagrant) | * <code>nda</code>, for researchers and volunteers who have signed NDAs for access to confidential data (documented below). | ||
* <code>shinken</code> (system group for shinken monitoring, only member is shinken) | * <code>ldap_ops</code>, for write access to the LDAP server itself. | ||
* <code>wmde</code>, for Wikimedia Deutschland staff. | |||
* <code>grafana-admin</code>, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone). | |||
* <code>tools.admin</code>, for admin access in [[Help:Toolforge|Toolforge]]. | |||
* <code>ciadmin</code>, the [http://ldap.toolforge.org/group/ciadmin <code>ciadmin</code>] group grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via the <code>integration/config</code> repository which anyone can write patches for. | |||
* <code>gerritadmin</code> , for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The <code>ldap_groups</code> Gerrit cache has to be flushed for the change to be taken in account (see [[Gerrit/Administration#Become_an_Administrator]]). | |||
* <code>releng</code>, for members of the [[mw:Wikimedia Release Engineering Team|Release Engineering Team]]. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation. | |||
* <code>archiva-deployers</code>, deployment rights in Archiva | |||
* <code>idptest-users</code> , for accessing services integrated against the staging IDP (currently only Puppetboard). | |||
* <code>project-*</code>, these represent a [[Portal:Cloud VPS|Cloud VPS]] project where each project has its own LDAP group prefixed with <code>project-</code>. These should not be manually joined or altered. | |||
These groups are privileged, but do not have human users as members, only system/role accounts: | |||
* <code>sgeadmin</code>, various privileges around Grid Engine (only member is <code>sgeadmin</code>). | |||
* <code>labsadminbots</code> (only member is <code>novaadmin</code>). | |||
* <code>mwdeploy</code> (used by mediawiki deployment, only member is <code>mwdeploy</code>). | |||
* <code>l10nupdate</code> (used by l10n deployment, only member is <code>l10nupdate</code>). | |||
* <code>vagrant</code> (system group for mediawiki-vagrant, only member is <code>vagrant</code>). | |||
* <code>shinken</code> (system group for shinken monitoring, only member is <code>shinken</code>). | |||
== Specific groups == | == Specific groups == | ||
| Line 34: | Line 38: | ||
<code>'''wmf'''</code> '''grants access to:''' | <code>'''wmf'''</code> '''grants access to:''' | ||
* [https://logstash.wikimedia.org Logstash] | * [https://logstash.wikimedia.org Logstash] | ||
* [https://graphite.wikimedia.org/ Graphite] | * [https://graphite.wikimedia.org/ Graphite] | ||
* [https://grafana.wikimedia.org/ Grafana] ( | * [https://grafana.wikimedia.org/ Grafana] (no login required except admin functions). ''Please be patient before you try to log in. The service periodically adds new group members'' | ||
* [https://icinga.wikimedia.org/icinga/ Icinga] | * [https://icinga.wikimedia.org/icinga/ Icinga] | ||
* [https://piwik.wikimedia.org/ Piwik] | * [https://piwik.wikimedia.org/ Piwik], [[Analytics/Systems/Matomo|docs]] | ||
* [https://integration.wikimedia.org/ci | * [https://integration.wikimedia.org/ci/ Jenkins] (access to restricted projects like [https://integration.wikimedia.org/ci/job/operations-puppet-catalog-compiler/], permissions to build and cancel jobs) | ||
* [https://debmonitor.wikimedia.org/ DebMonitor | * [https://debmonitor.wikimedia.org/ DebMonitor], Debian packages tracker | ||
* [https://yarn.wikimedia.org/ Hadoop Yarn] | * [https://yarn.wikimedia.org/ Hadoop Yarn] | ||
* [https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data | * [https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data | ||
* [https://librenms.wikimedia.org/ LibreNMS], [[LibreNMS|docs]] | |||
* [https://orchestrator.wikimedia.org/ Orchestrator], [[Orchestrator|docs]] | |||
* Included in other Gerrit groups | * Included in other Gerrit groups | ||
** Translatewiki.net | ** Translatewiki.net | ||
| Line 61: | Line 66: | ||
** labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf | ** labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf | ||
** operations/debs label-Code-Review = -1..+1 group ldap/wmf | ** operations/debs label-Code-Review = -1..+1 group ldap/wmf | ||
** test/gerrit-ping owner = group ldap/wmf | ** test/gerrit-ping owner = group ldap/wmf | ||
** unicodejs owner = group ldap/wmf | ** unicodejs owner = group ldap/wmf | ||
| Line 82: | Line 82: | ||
<code>'''ops'''</code> '''grants access to:''' | <code>'''ops'''</code> '''grants access to:''' | ||
* Logstash | * Logstash | ||
* Graphite | * Graphite | ||
* Grafana | * Grafana | ||
| Line 193: | Line 192: | ||
'''<code>nda</code> grants access to:''' | '''<code>nda</code> grants access to:''' | ||
* Logstash | * Logstash | ||
* Graphite | * Graphite | ||
* Grafana | * Grafana (editing access) | ||
* Icinga | * Icinga | ||
* Piwik login page | * Piwik login page | ||
| Line 201: | Line 199: | ||
* [[Yarn.wikimedia.org|Hadoop Yarn]] | * [[Yarn.wikimedia.org|Hadoop Yarn]] | ||
*[https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data | *[https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data | ||
* [[LibreNMS]] | |||
* [[Orchestrator]] | |||
This group is intended for volunteers who've signed the [[volunteer NDA]]. | This group is intended for volunteers who've signed the [[volunteer NDA]]. | ||
| Line 207: | Line 207: | ||
<code>'''wmde'''</code> '''grants access to:''' | <code>'''wmde'''</code> '''grants access to:''' | ||
* Included in Gerrit groups [https://gerrit.wikimedia.org/r/#/admin/groups/32,members wikidata] | * Included in Gerrit groups [https://gerrit.wikimedia.org/r/#/admin/groups/32,members wikidata] and [https://gerrit.wikimedia.org/r/#/admin/groups/1200,members tcb-team]. | ||
This group is intended for Wikimedia Deutschland staff. | This group is intended for Wikimedia Deutschland staff. | ||
== See also == | == See also == | ||
* | * [[toolforge:ldap]] Group membership viewer | ||
[[Category:Operations]] | [[Category:Operations]] | ||
__FORCETOC__ | |||
Latest revision as of 10:50, 10 May 2023
After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.
To request access to one of these groups, Create an LDAP-Access-Requests task in Phabricator.
To view current members of a group, use https://ldap.toolforge.org/.
Primary groups
The following primary groups exist:
wmf, for WMF staff/contractors (documented below).ops, for SRE staff (documented below, see also ops group in puppet manifests/site.pp).sre-admins, for SREs who do not have full root privileges.nda, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).ldap_ops, for write access to the LDAP server itself.wmde, for Wikimedia Deutschland staff.grafana-admin, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone).tools.admin, for admin access in Toolforge.ciadmin, theciadmingroup grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via theintegration/configrepository which anyone can write patches for.gerritadmin, for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . Theldap_groupsGerrit cache has to be flushed for the change to be taken in account (see Gerrit/Administration#Become_an_Administrator).releng, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.archiva-deployers, deployment rights in Archivaidptest-users, for accessing services integrated against the staging IDP (currently only Puppetboard).project-*, these represent a Cloud VPS project where each project has its own LDAP group prefixed withproject-. These should not be manually joined or altered.
These groups are privileged, but do not have human users as members, only system/role accounts:
sgeadmin, various privileges around Grid Engine (only member issgeadmin).labsadminbots(only member isnovaadmin).mwdeploy(used by mediawiki deployment, only member ismwdeploy).l10nupdate(used by l10n deployment, only member isl10nupdate).vagrant(system group for mediawiki-vagrant, only member isvagrant).shinken(system group for shinken monitoring, only member isshinken).
Specific groups
These lists do not count gerrit project ACL inheritance.
wmf group
wmf grants access to:
- Logstash
- Graphite
- Grafana (no login required except admin functions). Please be patient before you try to log in. The service periodically adds new group members
- Icinga
- Piwik, docs
- Jenkins (access to restricted projects like [1], permissions to build and cancel jobs)
- DebMonitor, Debian packages tracker
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS, docs
- Orchestrator, docs
- Included in other Gerrit groups
- Translatewiki.net
- Analytics
- wikidata-query-blazegraph
- glam
- mediawiki
- qa
- webplatform.org
- Gerrit repository permissions
- apps/android/commons owner = group ldap/wmf
- avro-php forgeCommitter = group ldap/wmf
- labs/invisible-unicorn owner = group ldap/wmf
- labs/invisible-unicorn submit = group ldap/wmf
- labs/invisible-unicorn rebase = group ldap/wmf
- labs/tools/wikipedia-android-builds submit = group ldap/wmf
- labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
- labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
- operations/debs label-Code-Review = -1..+1 group ldap/wmf
- test/gerrit-ping owner = group ldap/wmf
- unicodejs owner = group ldap/wmf
- wikidata/gremlin owner = group ldap/wmf
- wikidata/query/rdf owner = group ldap/wmf
- wikimedia/lobbypop owner = group ldap/wmf
- wikimedia/roadmap-updater owner = group ldap/wmf
- wikimedia/slimapp pushSignedTag = group ldap/wmf
- wikimedia/slimapp pushTag = group ldap/wmf
- wikimedia/wikimania-scholarships owner = group ldap/wmf
- wikimedia/wikimania-scholarships submit = group ldap/wmf
ops group
ops grants access to:
- Logstash
- Graphite
- Grafana
- Icinga
- Piwik login page
- Netbox
- Puppetboard (PuppetDB UI interface)
- LibreNMS
- Full sudo across all Cloud VPS instances (?)
- Included in other Gerrit groups
- mediawiki
- wmf-deployment
- labs-toollabs
- opssoftware
- Gerrit repository permissions
- labs/private owner = group ldap/ops
- labs/private read = group ldap/ops
- labs/private create = group ldap/ops
- labs/private push = group ldap/ops
- labs/private pushTag = group ldap/ops
- labs/private submit = group ldap/ops
- labs/private pushMerge = group ldap/ops
- mediawiki/skins/webplatform push = group ldap/ops
- operations/apache-config owner = group ldap/ops
- operations/apache-config submit = group ldap/ops
- operations/debs owner = group ldap/ops
- operations/debs create = group ldap/ops
- operations/debs forgeCommitter = group ldap/ops
- operations/debs submit = group ldap/ops
- operations/debs push = +force group ldap/ops
- operations/debs pushTag = group ldap/ops
- operations/debs/StatsD owner = group ldap/ops
- operations/debs/adminbot owner = group ldap/ops
- operations/debs/debdeploy owner = group ldap/ops
- operations/debs/etherpad-lite owner = group ldap/ops
- operations/debs/git-deploy owner = group ldap/ops
- operations/debs/ircecho owner = group ldap/ops
- operations/debs/jenkins-debian-glue create = group ldap/ops
- operations/debs/jenkins-debian-glue push = group ldap/ops
- operations/debs/jenkins-debian-glue pushTag = group ldap/ops
- operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
- operations/debs/linux owner = group ldap/ops
- operations/debs/linux-meta owner = group ldap/ops
- operations/debs/logstash-gelf owner = group ldap/ops
- operations/debs/mariadb-server owner = group ldap/ops
- operations/debs/mod_tile owner = group ldap/ops
- operations/debs/mwbzutils owner = group ldap/ops
- operations/debs/nginx owner = group ldap/ops
- operations/debs/openssl owner = group ldap/ops
- operations/debs/osm-mapnik-style owner = group ldap/ops
- operations/debs/osm2pgsql owner = group ldap/ops
- operations/debs/python-diamond owner = group ldap/ops
- operations/debs/python-diamond push = +force group ldap/ops
- operations/debs/python-diamond forgeCommitter = group ldap/ops
- operations/debs/search-qa push = group ldap/ops
- operations/debs/utfnormal owner = group ldap/ops
- operations/debs/varnish owner = group ldap/ops
- operations/debs/varnish push = +force group ldap/ops
- operations/dns owner = group ldap/ops
- operations/dns create = group ldap/ops
- operations/dns forgeAuthor = group ldap/ops
- operations/dns forgeCommitter = group ldap/ops
- operations/dns push = group ldap/ops
- operations/dns pushMerge = group ldap/ops
- operations/dns pushTag = group ldap/ops
- operations/dns submit = group ldap/ops
- operations/dumps owner = group ldap/ops
- operations/dumps create = group ldap/ops
- operations/dumps submit = group ldap/ops
- operations/dumps push = group ldap/ops
- operations/dumps pushMerge = group ldap/ops
- operations/dumps pushTag = group ldap/ops
- operations/dumps/incremental owner = group ldap/ops
- operations/dumps/test owner = group ldap/ops
- operations/mediawiki-config owner = group ldap/ops
- operations/mediawiki-config submit = group ldap/ops
- operations/mediawiki-config create = group ldap/ops
- operations/network-diagrams owner = group ldap/ops
- operations/network-diagrams create = group ldap/ops
- operations/network-diagrams push = group ldap/ops
- operations/network-diagrams submit = group ldap/ops
- operations/network-diagrams pushMerge = group ldap/ops
- operations/network-diagrams pushTag = group ldap/ops
- operations/puppet owner = group ldap/ops
- operations/puppet submit = group ldap/ops
- operations/puppet push = group ldap/ops
- operations/puppet pushMerge = group ldap/ops
- operations/puppet pushTag = group ldap/ops
- operations/software label-Code-Review = -2..+2 group ldap/ops
- operations/software label-Verified = -1..+2 group ldap/ops
- operations/software/librenms forgeCommitter = group ldap/ops
- operations/software/librenms push = +force group ldap/ops
- operations/software/nginx owner = group ldap/ops
- operations/software/nginx forgeAuthor = group ldap/ops
- operations/software/nginx forgeCommitter = group ldap/ops
- operations/software/nginx push = group ldap/ops
- operations/software/otrs owner = group ldap/ops
sre-admins group
Group members
Intended for SRE's without full root access
sre-admins grants access to:
- puppetboard
- librenms
- orchestrator
NDA group
nda grants access to:
- Logstash
- Graphite
- Grafana (editing access)
- Icinga
- Piwik login page
- DebMonitor
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS
- Orchestrator
This group is intended for volunteers who've signed the volunteer NDA.
wmde group
wmde grants access to:
This group is intended for Wikimedia Deutschland staff.
See also
- toolforge:ldap Group membership viewer