Jump to content

SRE/LDAP/Groups

From Wikitech
< SRE | LDAP
(Redirected from LDAP Groups)

After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.

To request access to one of these groups, Create an LDAP-Access-Requests task in Phabricator.

To view current members of a group, use https://ldap.toolforge.org/.

Primary groups

The following primary groups exist:

  • wmf, for WMF staff/contractors (documented below).
  • ops, for SRE staff (documented below, see also ops group in puppet manifests/site.pp).
  • ops-limited (formerly sre-admins), for SREs who do not have full root privileges.
  • nda, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).
  • ldap_ops, for write access to the LDAP server itself.
  • wmde, for Wikimedia Deutschland staff.
  • grafana-admin, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already include permissions to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin acess requires an NDA with Legal (filed in Cobblestone).
  • tools.admin, for admin access in Toolforge.
  • ciadmin, the ciadmin group grants users full admin access to Jenkins, and the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general, you do not need ciadmin access to create or modify Jenkins jobs as we deploy these via the integration/config repository which anyone can write patches for.
  • gerritadmin , for Administrator rights to Gerrit, this includes access to the Database, ACL modifications, repositories management, or settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The ldap_groups Gerrit cache has to be flushed for the change to be taken in account (see Gerrit/Administration#Become_an_Administrator).
  • releng, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
  • archiva-deployers, deployment rights in Archiva
  • superset-admins, for automatically assigning the Admin role in the Analytics Superset instances.
  • dns-admins, allows to merge DNS changes via the operations/git.dns repository
  • idptest-users , for accessing services integrated against the staging IDP (currently only Puppetboard)
  • project-*, these represent a Cloud VPS project where each project has its own LDAP group prefixed with project-. These should not be manually joined or altered.

These groups are privileged, but do not have human users as members, only system/role accounts:

  • sgeadmin, various privileges around Grid Engine (only member is sgeadmin).
  • labsadminbots (only member is novaadmin).
  • mwdeploy (used by mediawiki deployment, only member is mwdeploy).
  • vagrant (system group for mediawiki-vagrant, only member is vagrant).
  • shinken (system group for shinken monitoring, only member is shinken).

Specific groups

These lists do not count gerrit project ACL inheritance.

wmf group

Group members

wmf grants access to:

  • Logstash
  • Graphite
  • Grafana (no login required except admin functions). Please be patient before you try to log in. The service periodically adds new group members
  • Icinga
  • Piwik, docs
  • Jenkins (access to restricted projects like [1], permissions to build and cancel jobs)
  • DebMonitor, Debian packages tracker
  • Hadoop Yarn
  • Turnilo, a tool for exploring internal data
  • LibreNMS, docs
  • Orchestrator, docs
  • Included in other Gerrit groups
    • Translatewiki.net
    • Analytics
    • wikidata-query-blazegraph
    • glam
    • mediawiki
    • qa
    • webplatform.org
  • Gerrit repository permissions
    • apps/android/commons owner = group ldap/wmf
    • avro-php forgeCommitter = group ldap/wmf
    • labs/invisible-unicorn owner = group ldap/wmf
    • labs/invisible-unicorn submit = group ldap/wmf
    • labs/invisible-unicorn rebase = group ldap/wmf
    • labs/tools/wikipedia-android-builds submit = group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
    • operations/debs label-Code-Review = -1..+1 group ldap/wmf
    • test/gerrit-ping owner = group ldap/wmf
    • unicodejs owner = group ldap/wmf
    • wikidata/gremlin owner = group ldap/wmf
    • wikidata/query/rdf owner = group ldap/wmf
    • wikimedia/lobbypop owner = group ldap/wmf
    • wikimedia/roadmap-updater owner = group ldap/wmf
    • wikimedia/slimapp pushSignedTag = group ldap/wmf
    • wikimedia/slimapp pushTag = group ldap/wmf
    • wikimedia/wikimania-scholarships owner = group ldap/wmf
    • wikimedia/wikimania-scholarships submit = group ldap/wmf

ops group

Group members

ops grants access to:

  • Logstash
  • Graphite
  • Grafana
  • Icinga
  • Piwik login page
  • Netbox
  • Puppetboard (PuppetDB UI interface)
  • LibreNMS
  • Full sudo across all Cloud VPS instances (?)
  • Included in other Gerrit groups
    • mediawiki
    • wmf-deployment
    • labs-toollabs
    • opssoftware
  • Gerrit repository permissions
    • labs/private owner = group ldap/ops
    • labs/private read = group ldap/ops
    • labs/private create = group ldap/ops
    • labs/private push = group ldap/ops
    • labs/private pushTag = group ldap/ops
    • labs/private submit = group ldap/ops
    • labs/private pushMerge = group ldap/ops
    • mediawiki/skins/webplatform push = group ldap/ops
    • operations/apache-config owner = group ldap/ops
    • operations/apache-config submit = group ldap/ops
    • operations/debs owner = group ldap/ops
    • operations/debs create = group ldap/ops
    • operations/debs forgeCommitter = group ldap/ops
    • operations/debs submit = group ldap/ops
    • operations/debs push = +force group ldap/ops
    • operations/debs pushTag = group ldap/ops
    • operations/debs/StatsD owner = group ldap/ops
    • operations/debs/adminbot owner = group ldap/ops
    • operations/debs/debdeploy owner = group ldap/ops
    • operations/debs/etherpad-lite owner = group ldap/ops
    • operations/debs/git-deploy owner = group ldap/ops
    • operations/debs/ircecho owner = group ldap/ops
    • operations/debs/jenkins-debian-glue create = group ldap/ops
    • operations/debs/jenkins-debian-glue push = group ldap/ops
    • operations/debs/jenkins-debian-glue pushTag = group ldap/ops
    • operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
    • operations/debs/linux owner = group ldap/ops
    • operations/debs/linux-meta owner = group ldap/ops
    • operations/debs/logstash-gelf owner = group ldap/ops
    • operations/debs/mariadb-server owner = group ldap/ops
    • operations/debs/mod_tile owner = group ldap/ops
    • operations/debs/mwbzutils owner = group ldap/ops
    • operations/debs/nginx owner = group ldap/ops
    • operations/debs/openssl owner = group ldap/ops
    • operations/debs/osm-mapnik-style owner = group ldap/ops
    • operations/debs/osm2pgsql owner = group ldap/ops
    • operations/debs/python-diamond owner = group ldap/ops
    • operations/debs/python-diamond push = +force group ldap/ops
    • operations/debs/python-diamond forgeCommitter = group ldap/ops
    • operations/debs/search-qa push = group ldap/ops
    • operations/debs/utfnormal owner = group ldap/ops
    • operations/debs/varnish owner = group ldap/ops
    • operations/debs/varnish push = +force group ldap/ops
    • operations/dns owner = group ldap/ops
    • operations/dns create = group ldap/ops
    • operations/dns forgeAuthor = group ldap/ops
    • operations/dns forgeCommitter = group ldap/ops
    • operations/dns push = group ldap/ops
    • operations/dns pushMerge = group ldap/ops
    • operations/dns pushTag = group ldap/ops
    • operations/dns submit = group ldap/ops
    • operations/dumps owner = group ldap/ops
    • operations/dumps create = group ldap/ops
    • operations/dumps submit = group ldap/ops
    • operations/dumps push = group ldap/ops
    • operations/dumps pushMerge = group ldap/ops
    • operations/dumps pushTag = group ldap/ops
    • operations/dumps/incremental owner = group ldap/ops
    • operations/dumps/test owner = group ldap/ops
    • operations/mediawiki-config owner = group ldap/ops
    • operations/mediawiki-config submit = group ldap/ops
    • operations/mediawiki-config create = group ldap/ops
    • operations/network-diagrams owner = group ldap/ops
    • operations/network-diagrams create = group ldap/ops
    • operations/network-diagrams push = group ldap/ops
    • operations/network-diagrams submit = group ldap/ops
    • operations/network-diagrams pushMerge = group ldap/ops
    • operations/network-diagrams pushTag = group ldap/ops
    • operations/puppet owner = group ldap/ops
    • operations/puppet submit = group ldap/ops
    • operations/puppet push = group ldap/ops
    • operations/puppet pushMerge = group ldap/ops
    • operations/puppet pushTag = group ldap/ops
    • operations/software label-Code-Review = -2..+2 group ldap/ops
    • operations/software label-Verified = -1..+2 group ldap/ops
    • operations/software/librenms forgeCommitter = group ldap/ops
    • operations/software/librenms push = +force group ldap/ops
    • operations/software/nginx owner = group ldap/ops
    • operations/software/nginx forgeAuthor = group ldap/ops
    • operations/software/nginx forgeCommitter = group ldap/ops
    • operations/software/nginx push = group ldap/ops
    • operations/software/otrs owner = group ldap/ops

ops-limited group

Group members Intended for SRE's without full root access

ops-limited grants access to:

  • puppetboard
  • librenms
  • orchestrator

NDA group

Group members

nda grants access to:

This group is intended for volunteers who've signed the volunteer NDA.

wmde group

Group members

wmde grants access to:

This group is intended for Wikimedia Deutschland staff.

See also