Fundraising/techops/procedures/users-new user checklist
New User Procedure / Checklist
When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.
Prerequisites
Before we take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level.
[ ] user_verification
Requires: user request
  [ ] access_rights: letter to C level (currently Lisa) verifying grant of access
  [ ] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List
  [ ] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list
Accounts and Services
[ ] client_ssl_cert
Requires: user_verification
  [ ] cert_setup: generate cert on frpm1001 using ssl_user_admin
  [ ] account_setup: sms the user the password for the key
  [ ] follow_on: assist with certificate installation
[ ] civicrm
Requires: client_ssl_cert
  [ ] account_setup: Create user account. This will notify the user via email to update their password.
  [ ] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[ ] superset
Requires: client_ssl_cert
  [ ] account_setup: Create user account. Notify the user of their account name and password.
  [ ] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org
  [ ] archive_access: Add to google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[ ] user account
Requires: user_verification
  [ ] Add the user to the users.yaml and group_members.yaml files as appropriate.
  [ ] Push out puppet changes.
[ ] yubikey
Requires: useraccount and ITS request to send out yubikey to user
  [ ] physical: Make a request to ITS to have a key sent to the user
  [ ] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
  [ ] follow_on: Make sure user can use yubikey for ssh access
[ ] ssh
Requires: useraccount and yubikey
  [ ] key_setup: Send template/docs for generating keypair and ~/.ssh/config file
  [ ] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
  [ ] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[ ] mysql
Requires: useraccount, yubikey, ssh
  [ ] account_setup
    [ ] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa
    [ ] Ensure user is in correct blocks for select rights on dbs.
        - Generally use another user in same group as a guide
    [ ] Run the grant script to get the grants.
    [ ] Copy/paste to execute the grants on appropriate dbs.
    [ ] Create the user a ~/.my.cnf file with the original password from account creation.
  [ ] follow_on: Verify user can ssh to the required host and log in to mysql.
[ ] jupyter
Requires: useraccount, yubikey, ssh
  [ ] account_setup
    [ ] Add user port mapping in hieradata/hostname/fran1001.yaml
    [ ] Add user password hash in manifests/passwords/jupyter.pp
    [ ] Provide user with necessary ssh port forwarding config and password
  [ ] follow_on: Verify user can log in to fran1001 and connect to instance
[ ] Repository reviewer
  [ ] Add to the necessary fundraising repos to be notified as a reviewer: https://www.mediawiki.org/wiki/Git/Reviewers