SRE/LDAP/Groups
After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.
To request access to one of these groups, Create an LDAP-Access-Requests task in Phabricator.
To view current members of a group, use https://ldap.toolforge.org/.
Primary groups
The following primary groups exist:
wmf
, for WMF staff/contractors (documented below).ops
, for SRE staff (documented below, see also ops group in puppet manifests/site.pp).ops-limited
(formerlysre-admins
), for SREs who do not have full root privileges.nda
, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).ldap_ops
, for write access to the LDAP server itself.wmde
, for Wikimedia Deutschland staff.grafana-admin
, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone).tools.admin
, for admin access in Toolforge.ciadmin
, theciadmin
group grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via theintegration/config
repository which anyone can write patches for.gerritadmin
, for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . Theldap_groups
Gerrit cache has to be flushed for the change to be taken in account (see Gerrit/Administration#Become_an_Administrator).releng
, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.archiva-deployers
, deployment rights in Archivasuperset-admins
, for automatically assigning theAdmin
role in the Analytics Superset instances.dns-admins
, allows to merge DNS changes via the operations/git.dns repositoryidptest-users
, for accessing services integrated against the staging IDP (currently only Puppetboard)project-*
, these represent a Cloud VPS project where each project has its own LDAP group prefixed withproject-
. These should not be manually joined or altered.
These groups are privileged, but do not have human users as members, only system/role accounts:
sgeadmin
, various privileges around Grid Engine (only member issgeadmin
).labsadminbots
(only member isnovaadmin
).mwdeploy
(used by mediawiki deployment, only member ismwdeploy
).vagrant
(system group for mediawiki-vagrant, only member isvagrant
).shinken
(system group for shinken monitoring, only member isshinken
).
Specific groups
These lists do not count gerrit project ACL inheritance.
wmf group
wmf
grants access to:
- Logstash
- Graphite
- Grafana (no login required except admin functions). Please be patient before you try to log in. The service periodically adds new group members
- Icinga
- Piwik, docs
- Jenkins (access to restricted projects like [1], permissions to build and cancel jobs)
- DebMonitor, Debian packages tracker
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS, docs
- Orchestrator, docs
- Included in other Gerrit groups
- Translatewiki.net
- Analytics
- wikidata-query-blazegraph
- glam
- mediawiki
- qa
- webplatform.org
- Gerrit repository permissions
- apps/android/commons owner = group ldap/wmf
- avro-php forgeCommitter = group ldap/wmf
- labs/invisible-unicorn owner = group ldap/wmf
- labs/invisible-unicorn submit = group ldap/wmf
- labs/invisible-unicorn rebase = group ldap/wmf
- labs/tools/wikipedia-android-builds submit = group ldap/wmf
- labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
- labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
- operations/debs label-Code-Review = -1..+1 group ldap/wmf
- test/gerrit-ping owner = group ldap/wmf
- unicodejs owner = group ldap/wmf
- wikidata/gremlin owner = group ldap/wmf
- wikidata/query/rdf owner = group ldap/wmf
- wikimedia/lobbypop owner = group ldap/wmf
- wikimedia/roadmap-updater owner = group ldap/wmf
- wikimedia/slimapp pushSignedTag = group ldap/wmf
- wikimedia/slimapp pushTag = group ldap/wmf
- wikimedia/wikimania-scholarships owner = group ldap/wmf
- wikimedia/wikimania-scholarships submit = group ldap/wmf
ops group
ops
grants access to:
- Logstash
- Graphite
- Grafana
- Icinga
- Piwik login page
- Netbox
- Puppetboard (PuppetDB UI interface)
- LibreNMS
- Full sudo across all Cloud VPS instances (?)
- Included in other Gerrit groups
- mediawiki
- wmf-deployment
- labs-toollabs
- opssoftware
- Gerrit repository permissions
- labs/private owner = group ldap/ops
- labs/private read = group ldap/ops
- labs/private create = group ldap/ops
- labs/private push = group ldap/ops
- labs/private pushTag = group ldap/ops
- labs/private submit = group ldap/ops
- labs/private pushMerge = group ldap/ops
- mediawiki/skins/webplatform push = group ldap/ops
- operations/apache-config owner = group ldap/ops
- operations/apache-config submit = group ldap/ops
- operations/debs owner = group ldap/ops
- operations/debs create = group ldap/ops
- operations/debs forgeCommitter = group ldap/ops
- operations/debs submit = group ldap/ops
- operations/debs push = +force group ldap/ops
- operations/debs pushTag = group ldap/ops
- operations/debs/StatsD owner = group ldap/ops
- operations/debs/adminbot owner = group ldap/ops
- operations/debs/debdeploy owner = group ldap/ops
- operations/debs/etherpad-lite owner = group ldap/ops
- operations/debs/git-deploy owner = group ldap/ops
- operations/debs/ircecho owner = group ldap/ops
- operations/debs/jenkins-debian-glue create = group ldap/ops
- operations/debs/jenkins-debian-glue push = group ldap/ops
- operations/debs/jenkins-debian-glue pushTag = group ldap/ops
- operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
- operations/debs/linux owner = group ldap/ops
- operations/debs/linux-meta owner = group ldap/ops
- operations/debs/logstash-gelf owner = group ldap/ops
- operations/debs/mariadb-server owner = group ldap/ops
- operations/debs/mod_tile owner = group ldap/ops
- operations/debs/mwbzutils owner = group ldap/ops
- operations/debs/nginx owner = group ldap/ops
- operations/debs/openssl owner = group ldap/ops
- operations/debs/osm-mapnik-style owner = group ldap/ops
- operations/debs/osm2pgsql owner = group ldap/ops
- operations/debs/python-diamond owner = group ldap/ops
- operations/debs/python-diamond push = +force group ldap/ops
- operations/debs/python-diamond forgeCommitter = group ldap/ops
- operations/debs/search-qa push = group ldap/ops
- operations/debs/utfnormal owner = group ldap/ops
- operations/debs/varnish owner = group ldap/ops
- operations/debs/varnish push = +force group ldap/ops
- operations/dns owner = group ldap/ops
- operations/dns create = group ldap/ops
- operations/dns forgeAuthor = group ldap/ops
- operations/dns forgeCommitter = group ldap/ops
- operations/dns push = group ldap/ops
- operations/dns pushMerge = group ldap/ops
- operations/dns pushTag = group ldap/ops
- operations/dns submit = group ldap/ops
- operations/dumps owner = group ldap/ops
- operations/dumps create = group ldap/ops
- operations/dumps submit = group ldap/ops
- operations/dumps push = group ldap/ops
- operations/dumps pushMerge = group ldap/ops
- operations/dumps pushTag = group ldap/ops
- operations/dumps/incremental owner = group ldap/ops
- operations/dumps/test owner = group ldap/ops
- operations/mediawiki-config owner = group ldap/ops
- operations/mediawiki-config submit = group ldap/ops
- operations/mediawiki-config create = group ldap/ops
- operations/network-diagrams owner = group ldap/ops
- operations/network-diagrams create = group ldap/ops
- operations/network-diagrams push = group ldap/ops
- operations/network-diagrams submit = group ldap/ops
- operations/network-diagrams pushMerge = group ldap/ops
- operations/network-diagrams pushTag = group ldap/ops
- operations/puppet owner = group ldap/ops
- operations/puppet submit = group ldap/ops
- operations/puppet push = group ldap/ops
- operations/puppet pushMerge = group ldap/ops
- operations/puppet pushTag = group ldap/ops
- operations/software label-Code-Review = -2..+2 group ldap/ops
- operations/software label-Verified = -1..+2 group ldap/ops
- operations/software/librenms forgeCommitter = group ldap/ops
- operations/software/librenms push = +force group ldap/ops
- operations/software/nginx owner = group ldap/ops
- operations/software/nginx forgeAuthor = group ldap/ops
- operations/software/nginx forgeCommitter = group ldap/ops
- operations/software/nginx push = group ldap/ops
- operations/software/otrs owner = group ldap/ops
ops-limited group
Group members Intended for SRE's without full root access
ops-limited
grants access to:
- puppetboard
- librenms
- orchestrator
NDA group
nda
grants access to:
- Logstash
- Graphite
- Grafana (editing access)
- Icinga
- Piwik login page
- DebMonitor
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS
- Orchestrator
This group is intended for volunteers who've signed the volunteer NDA.
wmde group
wmde
grants access to:
This group is intended for Wikimedia Deutschland staff.
See also
- toolforge:ldap Group membership viewer