LDAP Groups

From Wikitech

The LDAP server has many different groups which are used for access control.

Each labs project has its own LDAP group, prefixed with project-. Additionally, the following exist:

  • wmf - for WMF staff/contractors (documented below)
  • ops - for operations people (see ops group in puppet manifests/site.pp) (documented below)
  • nda - for others who have signed NDAs for access to confidential data (documented below)
  • ldap_ops - full write access to LDAP
  • wmde - for Wikimedia Deutschland staff
  • librenms-readers - LibreNMS is a network monitoring system. It can be accessed by all members of the ops group; this group can be used to grant access to other users. This needs an ops-access-request with meeting review.
  • grafana-admin - Grafana-admin allows editing custom dashboards, which in turn allows full access to the underlying metrics. Since we can't rule out any of these containing PII data, access to grafana-admin needs an NDA with Legal (filed in Cobblestone). All members of the wmf, ops and nda groups can access grafana-admin already. This group can be used to grant access to grafana-admin only.
  • tools.admin - full admin access in Tools
  • ciadmin - The ciadmin group grants users full admin access to Jenkins and the ability to create and modify Jenkins jobs.
  • releng - This is the group for all members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.

For each of those, all members of a given group (or all groups of a given user) can be easily listed using the LDAP tool.

These groups are privileged but have no human users as members, only system/role accounts:

  • sgeadmin - various privileges around Grid Engine (the only member is the sgeadmin user)
  • labsadminbots (the only member is novaadmin)
  • mwdeploy (used by mediawiki deployment, only member is mwdeploy)
  • l10nupdate (used by l10n deployment, only member is l10nupdate)
  • vagrant (system group for mediawiki-vagrant, only member is vagrant)
  • shinken (system group for shinken monitoring, only member is shinken)

Specific groups

These lists do not account for Gerrit project ACL inheritance.

wmf grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik login page
  • Jenkins administration
  • Hadoop Yarn
  • Druid's Pivot UI (Analytics)
  • Included in other Gerrit groups
    • Translatewiki.net
    • Analytics
    • wikidata-query-blazegraph
    • glam
    • mediawiki
    • qa
    • webplatform.org
  • Gerrit repository permissions
    • apps/android/commons owner = group ldap/wmf
    • avro-php forgeCommitter = group ldap/wmf
    • labs/invisible-unicorn owner = group ldap/wmf
    • labs/invisible-unicorn submit = group ldap/wmf
    • labs/invisible-unicorn rebase = group ldap/wmf
    • labs/tools/wikipedia-android-builds submit = group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
    • operations/debs label-Code-Review = -1..+1 group ldap/wmf
    • operations/software/kibana owner = group ldap/wmf
    • operations/software/kibana submit = group ldap/wmf
    • operations/software/kibana forgeCommitter = group ldap/wmf
    • operations/software/kibana push = group ldap/wmf
    • operations/software/kibana pushMerge = group ldap/wmf
    • test/gerrit-ping owner = group ldap/wmf
    • unicodejs owner = group ldap/wmf
    • wikidata/gremlin owner = group ldap/wmf
    • wikidata/query/rdf owner = group ldap/wmf
    • wikimedia/lobbypop owner = group ldap/wmf
    • wikimedia/roadmap-updater owner = group ldap/wmf
    • wikimedia/slimapp pushSignedTag = group ldap/wmf
    • wikimedia/slimapp pushTag = group ldap/wmf
    • wikimedia/wikimania-scholarships owner = group ldap/wmf
    • wikimedia/wikimania-scholarships submit = group ldap/wmf

ops grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik login page
  • Servermon
  • LibreNMS
  • Full sudo across all labs instances (?)
  • Included in other Gerrit groups
    • mediawiki
    • wmf-deployment
    • labs-toollabs
    • opssoftware
    • Administrators
  • Gerrit repository permissions
    • labs/private owner = group ldap/ops
    • labs/private read = group ldap/ops
    • labs/private create = group ldap/ops
    • labs/private push = group ldap/ops
    • labs/private pushTag = group ldap/ops
    • labs/private submit = group ldap/ops
    • labs/private pushMerge = group ldap/ops
    • mediawiki/skins/webplatform push = group ldap/ops
    • operations/apache-config owner = group ldap/ops
    • operations/apache-config submit = group ldap/ops
    • operations/debs owner = group ldap/ops
    • operations/debs create = group ldap/ops
    • operations/debs forgeCommitter = group ldap/ops
    • operations/debs submit = group ldap/ops
    • operations/debs push = +force group ldap/ops
    • operations/debs pushTag = group ldap/ops
    • operations/debs/StatsD owner = group ldap/ops
    • operations/debs/adminbot owner = group ldap/ops
    • operations/debs/debdeploy owner = group ldap/ops
    • operations/debs/etherpad-lite owner = group ldap/ops
    • operations/debs/git-deploy owner = group ldap/ops
    • operations/debs/ircecho owner = group ldap/ops
    • operations/debs/jenkins-debian-glue create = group ldap/ops
    • operations/debs/jenkins-debian-glue push = group ldap/ops
    • operations/debs/jenkins-debian-glue pushTag = group ldap/ops
    • operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
    • operations/debs/linux owner = group ldap/ops
    • operations/debs/linux-meta owner = group ldap/ops
    • operations/debs/logstash-gelf owner = group ldap/ops
    • operations/debs/mariadb-server owner = group ldap/ops
    • operations/debs/mod_tile owner = group ldap/ops
    • operations/debs/mwbzutils owner = group ldap/ops
    • operations/debs/nginx owner = group ldap/ops
    • operations/debs/openssl owner = group ldap/ops
    • operations/debs/osm-mapnik-style owner = group ldap/ops
    • operations/debs/osm2pgsql owner = group ldap/ops
    • operations/debs/python-diamond owner = group ldap/ops
    • operations/debs/python-diamond push = +force group ldap/ops
    • operations/debs/python-diamond forgeCommitter = group ldap/ops
    • operations/debs/search-qa push = group ldap/ops
    • operations/debs/utfnormal owner = group ldap/ops
    • operations/debs/varnish owner = group ldap/ops
    • operations/debs/varnish push = +force group ldap/ops
    • operations/dns owner = group ldap/ops
    • operations/dns create = group ldap/ops
    • operations/dns forgeAuthor = group ldap/ops
    • operations/dns forgeCommitter = group ldap/ops
    • operations/dns push = group ldap/ops
    • operations/dns pushMerge = group ldap/ops
    • operations/dns pushTag = group ldap/ops
    • operations/dns submit = group ldap/ops
    • operations/dumps owner = group ldap/ops
    • operations/dumps create = group ldap/ops
    • operations/dumps submit = group ldap/ops
    • operations/dumps push = group ldap/ops
    • operations/dumps pushMerge = group ldap/ops
    • operations/dumps pushTag = group ldap/ops
    • operations/dumps/incremental owner = group ldap/ops
    • operations/dumps/test owner = group ldap/ops
    • operations/mediawiki-config owner = group ldap/ops
    • operations/mediawiki-config submit = group ldap/ops
    • operations/mediawiki-config create = group ldap/ops
    • operations/network-diagrams owner = group ldap/ops
    • operations/network-diagrams create = group ldap/ops
    • operations/network-diagrams push = group ldap/ops
    • operations/network-diagrams submit = group ldap/ops
    • operations/network-diagrams pushMerge = group ldap/ops
    • operations/network-diagrams pushTag = group ldap/ops
    • operations/puppet owner = group ldap/ops
    • operations/puppet submit = group ldap/ops
    • operations/puppet push = group ldap/ops
    • operations/puppet pushMerge = group ldap/ops
    • operations/puppet pushTag = group ldap/ops
    • operations/software label-Code-Review = -2..+2 group ldap/ops
    • operations/software label-Verified = -1..+2 group ldap/ops
    • operations/software/librenms forgeCommitter = group ldap/ops
    • operations/software/librenms push = +force group ldap/ops
    • operations/software/nginx owner = group ldap/ops
    • operations/software/nginx forgeAuthor = group ldap/ops
    • operations/software/nginx forgeCommitter = group ldap/ops
    • operations/software/nginx push = group ldap/ops
    • operations/software/otrs owner = group ldap/ops

nda grants access to:

This group is intended for volunteers who've signed the volunteer NDA.

wmde grants access to:

This group is intended for Wikimedia Deutschland staff.