You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

SRE/LDAP/Groups: Difference between revisions

From Wikitech-static
< SRE‎ | LDAP
Jump to navigation Jump to search
imported>Marco Fossati
(use direct links, put docs aside)
imported>Legoktm
(→‎wmde group: ldap/wmde explicitly does not grant access to "mediawiki" group, there's a separate process for that)
 
(6 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The [[LDAP]] server has many different groups which are used for access control. If you need to be added to one of these groups, file a Phabricator task in the [[phab:project/profile/1564/|LDAP-Access-Requests project]] (see [[phab:project/profile/1564/|the project description]] for more detailed instructions).
After you have created a [[mw:Developer account|Wikimedia Developer account]], you may need to join a group in our [[LDAP]] server for specific access.


Each Cloud VPS project has its own LDAP group, prefixed with <code>project-</code>. Additionally, the following exist:
To request access to one of these groups, [[phab:project/profile/1564/|'''Create an LDAP-Access-Requests task''']] in Phabricator.
* <code>wmf</code> - for WMF staff/contractors (documented below)
* <code>ops</code> - for operations people (see ops group in [https://gerrit.wikimedia.org/g/operations/puppet/+/refs/heads/production/manifests/site.pp puppet manifests/site.pp]) (documented below)
* <code>sre-admins</code> - for SREs who do not have full root privileges
* <code>nda</code> - for others who have signed NDAs for access to confidential data (documented below)
* <code>ldap_ops</code> - full write access to LDAP
* <code>wmde</code> - for Wikimedia Deutschland staff
* <code>grafana-admin</code> - All members of the wmf, ops and nda groups have the permission to edit custom dashboards in Grafana. As editing dashboards allows full access to the underlying metrics and given that we can't rule out any of those not containing PII data, this separate group allows editing them. Access needs an NDA with Legal (filed in Cobblestone).
* <code>tools.admin</code> Full admin access in tools
* <code>ciadmin</code> - The [http://ldap.toolforge.org/group/ciadmin <code>ciadmin</code>] group grants users the full admin access to for Jenkins and the ability to create and modify Jenkins jobs.
* <code>gerritadmin</code> - The [http://ldap.toolforge.org/group/gerritadmin <code>gerritadmin</code>] groups grant Administrator rights to Gerrit. Including access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The <code>ldap_groups</code> Gerrit cache has to be flushed for the change to be taken in account (see [[Gerrit/Administration#Become_an_Administrator]]).
* <code>releng</code>- This is the group for all members of the [[mw:Wikimedia Release Engineering Team|Release Engineering Team]]. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
* <code>archiva-deployers</code>- Members of this group have deployment rights in Archiva


For each of those, all members of a given group (or all groups of a given user) can be easily listed using [[toolforge:ldap/|the LDAP tool]].
To view current members of a group, use https://ldap.toolforge.org/.


These groups are privileged, but do not have human users as members, but only system/role accounts:
== Primary groups ==
* <code>sgeadmin</code> - various privileges around Grid Engine (only member is sgeadmin)
The following primary groups exist:
* <code>labsadminbots</code> (only member is novaadmin)
* <code>wmf</code>, for WMF staff/contractors (documented below).
* <code>mwdeploy</code> (used by mediawiki deployment, only member is mwdeploy)
* <code>ops</code>, for SRE staff (documented below, see also ops group in [[git:operations/puppet/+/refs/heads/production/manifests/site.pp|puppet manifests/site.pp]]).
* <code>l10nupdate</code> (used by l10n deployment, only member is l10nupdate)
* <code>sre-admins</code>, for SREs who do not have full root privileges.
* <code>vagrant</code> (system group for mediawiki-vagrant, only member is vagrant)
* <code>nda</code>, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).
* <code>shinken</code> (system group for shinken monitoring, only member is shinken)
* <code>ldap_ops</code>, for write access to the LDAP server itself.
* <code>wmde</code>, for Wikimedia Deutschland staff.
* <code>grafana-admin</code>, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone).
* <code>tools.admin</code>, for admin access in [[Help:Toolforge|Toolforge]].
* <code>ciadmin</code>, the [http://ldap.toolforge.org/group/ciadmin <code>ciadmin</code>] group grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via the <code>integration/config</code> repository which anyone can write patches for.
* <code>gerritadmin</code> , for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The <code>ldap_groups</code> Gerrit cache has to be flushed for the change to be taken in account (see [[Gerrit/Administration#Become_an_Administrator]]).
* <code>releng</code>,  for members of the [[mw:Wikimedia Release Engineering Team|Release Engineering Team]]. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
* <code>archiva-deployers</code>, deployment rights in Archiva
* <code>idptest-users</code> , for accessing services integrated against the staging IDP (currently only Puppetboard).
* <code>project-*</code>, these represent a [[Portal:Cloud VPS|Cloud VPS]] project where each project has its own LDAP group prefixed with <code>project-</code>. These should not be manually joined or altered.
 
These groups are privileged, but do not have human users as members, only system/role accounts:
* <code>sgeadmin</code>, various privileges around Grid Engine (only member is <code>sgeadmin</code>).
* <code>labsadminbots</code> (only member is <code>novaadmin</code>).
* <code>mwdeploy</code> (used by mediawiki deployment, only member is <code>mwdeploy</code>).
* <code>l10nupdate</code> (used by l10n deployment, only member is <code>l10nupdate</code>).
* <code>vagrant</code> (system group for mediawiki-vagrant, only member is <code>vagrant</code>).
* <code>shinken</code> (system group for shinken monitoring, only member is <code>shinken</code>).


== Specific groups ==
== Specific groups ==
Line 35: Line 40:
* [https://tendril.wikimedia.org/ Tendril]
* [https://tendril.wikimedia.org/ Tendril]
* [https://graphite.wikimedia.org/ Graphite]
* [https://graphite.wikimedia.org/ Graphite]
* [https://grafana.wikimedia.org/ Grafana] (open except admin functions)
* [https://grafana.wikimedia.org/ Grafana] (no login required except admin functions). ''Please be patient before you try to log in. The service periodically adds new group members''
* [https://icinga.wikimedia.org/icinga/ Icinga]
* [https://icinga.wikimedia.org/icinga/ Icinga]
* [https://piwik.wikimedia.org/ Piwik] login page
* [https://piwik.wikimedia.org/ Piwik], [[Analytics/Systems/Matomo|docs]]
* [https://integration.wikimedia.org/ci/configureSecurity/ Jenkins permissions] - building and cancelling jobs and things
* [https://integration.wikimedia.org/ci/ Jenkins] (access to restricted projects like [https://integration.wikimedia.org/ci/job/operations-puppet-catalog-compiler/], permissions to build and cancel jobs)
* [https://debmonitor.wikimedia.org/ DebMonitor (Debian packages tracker)]
* [https://debmonitor.wikimedia.org/ DebMonitor], Debian packages tracker
* [https://yarn.wikimedia.org/ Hadoop Yarn]
* [https://yarn.wikimedia.org/ Hadoop Yarn]
* [https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data
* [https://turnilo.wikimedia.org Turnilo], a tool for exploring internal data
Line 62: Line 67:
** labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
** labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
** operations/debs label-Code-Review = -1..+1 group ldap/wmf
** operations/debs label-Code-Review = -1..+1 group ldap/wmf
** operations/software/kibana owner = group ldap/wmf
** operations/software/kibana submit = group ldap/wmf
** operations/software/kibana forgeCommitter = group ldap/wmf
** operations/software/kibana push = group ldap/wmf
** operations/software/kibana pushMerge = group ldap/wmf
** test/gerrit-ping owner = group ldap/wmf
** test/gerrit-ping owner = group ldap/wmf
** unicodejs owner = group ldap/wmf
** unicodejs owner = group ldap/wmf
Line 196: Line 196:
* Tendril
* Tendril
* Graphite
* Graphite
* Grafana
* Grafana (editing access)
* Icinga
* Icinga
* Piwik login page
* Piwik login page
Line 210: Line 210:


<code>'''wmde'''</code> '''grants access to:'''
<code>'''wmde'''</code> '''grants access to:'''
* Included in Gerrit groups [https://gerrit.wikimedia.org/r/#/admin/groups/32,members wikidata], [https://gerrit.wikimedia.org/r/#/admin/groups/1200,members tcb-team], [https://gerrit.wikimedia.org/r/#/admin/groups/11,members mediawiki].
* Included in Gerrit groups [https://gerrit.wikimedia.org/r/#/admin/groups/32,members wikidata] and [https://gerrit.wikimedia.org/r/#/admin/groups/1200,members tcb-team].


This group is intended for Wikimedia Deutschland staff.
This group is intended for Wikimedia Deutschland staff.

Latest revision as of 22:57, 21 July 2022

After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.

To request access to one of these groups, Create an LDAP-Access-Requests task in Phabricator.

To view current members of a group, use https://ldap.toolforge.org/.

Primary groups

The following primary groups exist:

  • wmf, for WMF staff/contractors (documented below).
  • ops, for SRE staff (documented below, see also ops group in puppet manifests/site.pp).
  • sre-admins, for SREs who do not have full root privileges.
  • nda, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).
  • ldap_ops, for write access to the LDAP server itself.
  • wmde, for Wikimedia Deutschland staff.
  • grafana-admin, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone).
  • tools.admin, for admin access in Toolforge.
  • ciadmin, the ciadmin group grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via the integration/config repository which anyone can write patches for.
  • gerritadmin , for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The ldap_groups Gerrit cache has to be flushed for the change to be taken in account (see Gerrit/Administration#Become_an_Administrator).
  • releng, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
  • archiva-deployers, deployment rights in Archiva
  • idptest-users , for accessing services integrated against the staging IDP (currently only Puppetboard).
  • project-*, these represent a Cloud VPS project where each project has its own LDAP group prefixed with project-. These should not be manually joined or altered.

These groups are privileged, but do not have human users as members, only system/role accounts:

  • sgeadmin, various privileges around Grid Engine (only member is sgeadmin).
  • labsadminbots (only member is novaadmin).
  • mwdeploy (used by mediawiki deployment, only member is mwdeploy).
  • l10nupdate (used by l10n deployment, only member is l10nupdate).
  • vagrant (system group for mediawiki-vagrant, only member is vagrant).
  • shinken (system group for shinken monitoring, only member is shinken).

Specific groups

These lists do not count gerrit project ACL inheritance.

wmf group

Group members

wmf grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana (no login required except admin functions). Please be patient before you try to log in. The service periodically adds new group members
  • Icinga
  • Piwik, docs
  • Jenkins (access to restricted projects like [1], permissions to build and cancel jobs)
  • DebMonitor, Debian packages tracker
  • Hadoop Yarn
  • Turnilo, a tool for exploring internal data
  • LibreNMS, docs
  • Orchestrator, docs
  • Included in other Gerrit groups
    • Translatewiki.net
    • Analytics
    • wikidata-query-blazegraph
    • glam
    • mediawiki
    • qa
    • webplatform.org
  • Gerrit repository permissions
    • apps/android/commons owner = group ldap/wmf
    • avro-php forgeCommitter = group ldap/wmf
    • labs/invisible-unicorn owner = group ldap/wmf
    • labs/invisible-unicorn submit = group ldap/wmf
    • labs/invisible-unicorn rebase = group ldap/wmf
    • labs/tools/wikipedia-android-builds submit = group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
    • operations/debs label-Code-Review = -1..+1 group ldap/wmf
    • test/gerrit-ping owner = group ldap/wmf
    • unicodejs owner = group ldap/wmf
    • wikidata/gremlin owner = group ldap/wmf
    • wikidata/query/rdf owner = group ldap/wmf
    • wikimedia/lobbypop owner = group ldap/wmf
    • wikimedia/roadmap-updater owner = group ldap/wmf
    • wikimedia/slimapp pushSignedTag = group ldap/wmf
    • wikimedia/slimapp pushTag = group ldap/wmf
    • wikimedia/wikimania-scholarships owner = group ldap/wmf
    • wikimedia/wikimania-scholarships submit = group ldap/wmf

ops group

Group members

ops grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana
  • Icinga
  • Piwik login page
  • Netbox
  • Puppetboard (PuppetDB UI interface)
  • LibreNMS
  • Full sudo across all Cloud VPS instances (?)
  • Included in other Gerrit groups
    • mediawiki
    • wmf-deployment
    • labs-toollabs
    • opssoftware
  • Gerrit repository permissions
    • labs/private owner = group ldap/ops
    • labs/private read = group ldap/ops
    • labs/private create = group ldap/ops
    • labs/private push = group ldap/ops
    • labs/private pushTag = group ldap/ops
    • labs/private submit = group ldap/ops
    • labs/private pushMerge = group ldap/ops
    • mediawiki/skins/webplatform push = group ldap/ops
    • operations/apache-config owner = group ldap/ops
    • operations/apache-config submit = group ldap/ops
    • operations/debs owner = group ldap/ops
    • operations/debs create = group ldap/ops
    • operations/debs forgeCommitter = group ldap/ops
    • operations/debs submit = group ldap/ops
    • operations/debs push = +force group ldap/ops
    • operations/debs pushTag = group ldap/ops
    • operations/debs/StatsD owner = group ldap/ops
    • operations/debs/adminbot owner = group ldap/ops
    • operations/debs/debdeploy owner = group ldap/ops
    • operations/debs/etherpad-lite owner = group ldap/ops
    • operations/debs/git-deploy owner = group ldap/ops
    • operations/debs/ircecho owner = group ldap/ops
    • operations/debs/jenkins-debian-glue create = group ldap/ops
    • operations/debs/jenkins-debian-glue push = group ldap/ops
    • operations/debs/jenkins-debian-glue pushTag = group ldap/ops
    • operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
    • operations/debs/linux owner = group ldap/ops
    • operations/debs/linux-meta owner = group ldap/ops
    • operations/debs/logstash-gelf owner = group ldap/ops
    • operations/debs/mariadb-server owner = group ldap/ops
    • operations/debs/mod_tile owner = group ldap/ops
    • operations/debs/mwbzutils owner = group ldap/ops
    • operations/debs/nginx owner = group ldap/ops
    • operations/debs/openssl owner = group ldap/ops
    • operations/debs/osm-mapnik-style owner = group ldap/ops
    • operations/debs/osm2pgsql owner = group ldap/ops
    • operations/debs/python-diamond owner = group ldap/ops
    • operations/debs/python-diamond push = +force group ldap/ops
    • operations/debs/python-diamond forgeCommitter = group ldap/ops
    • operations/debs/search-qa push = group ldap/ops
    • operations/debs/utfnormal owner = group ldap/ops
    • operations/debs/varnish owner = group ldap/ops
    • operations/debs/varnish push = +force group ldap/ops
    • operations/dns owner = group ldap/ops
    • operations/dns create = group ldap/ops
    • operations/dns forgeAuthor = group ldap/ops
    • operations/dns forgeCommitter = group ldap/ops
    • operations/dns push = group ldap/ops
    • operations/dns pushMerge = group ldap/ops
    • operations/dns pushTag = group ldap/ops
    • operations/dns submit = group ldap/ops
    • operations/dumps owner = group ldap/ops
    • operations/dumps create = group ldap/ops
    • operations/dumps submit = group ldap/ops
    • operations/dumps push = group ldap/ops
    • operations/dumps pushMerge = group ldap/ops
    • operations/dumps pushTag = group ldap/ops
    • operations/dumps/incremental owner = group ldap/ops
    • operations/dumps/test owner = group ldap/ops
    • operations/mediawiki-config owner = group ldap/ops
    • operations/mediawiki-config submit = group ldap/ops
    • operations/mediawiki-config create = group ldap/ops
    • operations/network-diagrams owner = group ldap/ops
    • operations/network-diagrams create = group ldap/ops
    • operations/network-diagrams push = group ldap/ops
    • operations/network-diagrams submit = group ldap/ops
    • operations/network-diagrams pushMerge = group ldap/ops
    • operations/network-diagrams pushTag = group ldap/ops
    • operations/puppet owner = group ldap/ops
    • operations/puppet submit = group ldap/ops
    • operations/puppet push = group ldap/ops
    • operations/puppet pushMerge = group ldap/ops
    • operations/puppet pushTag = group ldap/ops
    • operations/software label-Code-Review = -2..+2 group ldap/ops
    • operations/software label-Verified = -1..+2 group ldap/ops
    • operations/software/librenms forgeCommitter = group ldap/ops
    • operations/software/librenms push = +force group ldap/ops
    • operations/software/nginx owner = group ldap/ops
    • operations/software/nginx forgeAuthor = group ldap/ops
    • operations/software/nginx forgeCommitter = group ldap/ops
    • operations/software/nginx push = group ldap/ops
    • operations/software/otrs owner = group ldap/ops

sre-admins group

Group members Intended for SRE's without full root access sre-admins grants access to:

  • puppetboard
  • librenms
  • orchestrator

NDA group

Group members

nda grants access to:

This group is intended for volunteers who've signed the volunteer NDA.

wmde group

Group members

wmde grants access to:

This group is intended for Wikimedia Deutschland staff.

See also