LDAP Groups

From Wikitech

The LDAP server has many different groups which are used for access control.

Each labs project has its own LDAP group, prefixed with project-. Additionally, the following exist:

  • wmf - for WMF staff/contractors (documented below)
  • ops - for operations people (see ops group in puppet manifests/site.pp) (documented below)
  • nda - for others who have signed NDAs for access to confidential data (documented below)
  • ldap_ops - full write access to LDAP
  • wmde - for Wikimedia Deutschland staff
  • librenms-readers - LibreNMS is a network monitoring system. It can be accessed by all members of the ops group; this group can be used to grant access to other users. This needs an ops-access-request with meeting review.
  • grafana-admin - Grafana-admin allows editing custom dashboards, and that in turn allows full access to the underlying metrics. Since we can't rule out that some of these contain PII data, access to grafana-admin needs an NDA with Legal (filed in Cobblestone). All members of the wmf, ops and nda groups can access grafana-admin already. This group can be used to grant access to grafana-admin only.
  • tools.admin - full admin access in Tools
  • ciadmin - The ciadmin group grants full admin access to Jenkins and the ability to create and modify Jenkins jobs.

For each of those, all members of a given group (or all groups of a given user) can be easily listed using the LDAP tool.

These groups are privileged but have no human users as members, only system/role accounts:

  • sgeadmin - various privileges around Grid Engine (the only member is the sgeadmin user)
  • labsadminbots (the only member is novaadmin)
  • mwdeploy (used by mediawiki deployment, only member is mwdeploy)
  • l10nupdate (used by l10n deployment, only member is l10nupdate)
  • vagrant (system group for mediawiki-vagrant, only member is vagrant)
  • shinken (system group for shinken monitoring, only member is shinken)

Specific groups

These lists do not account for Gerrit project ACL inheritance.

wmf grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik login page
  • Xhgui
  • Jenkins administration
  • Hadoop Yarn
  • Druid's Pivot UI (Analytics)
  • Included in other Gerrit groups
    • Translatewiki.net
    • Analytics
    • wikidata-query-blazegraph
    • glam
    • mediawiki
    • qa
    • webplatform.org
  • Gerrit repository permissions
    • apps/android/commons owner = group ldap/wmf
    • avro-php forgeCommitter = group ldap/wmf
    • labs/invisible-unicorn owner = group ldap/wmf
    • labs/invisible-unicorn submit = group ldap/wmf
    • labs/invisible-unicorn rebase = group ldap/wmf
    • labs/tools/wikipedia-android-builds submit = group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
    • operations/debs label-Code-Review = -1..+1 group ldap/wmf
    • operations/software/kibana owner = group ldap/wmf
    • operations/software/kibana submit = group ldap/wmf
    • operations/software/kibana forgeCommitter = group ldap/wmf
    • operations/software/kibana push = group ldap/wmf
    • operations/software/kibana pushMerge = group ldap/wmf
    • test/gerrit-ping owner = group ldap/wmf
    • unicodejs owner = group ldap/wmf
    • wikidata/gremlin owner = group ldap/wmf
    • wikidata/query/rdf owner = group ldap/wmf
    • wikimedia/lobbypop owner = group ldap/wmf
    • wikimedia/roadmap-updater owner = group ldap/wmf
    • wikimedia/slimapp pushSignedTag = group ldap/wmf
    • wikimedia/slimapp pushTag = group ldap/wmf
    • wikimedia/wikimania-scholarships owner = group ldap/wmf
    • wikimedia/wikimania-scholarships submit = group ldap/wmf

ops grants access to:

  • Logstash
  • Tendril
  • Graphite
  • Grafana-admin
  • Icinga
  • Piwik login page
  • Xhgui
  • Servermon
  • LibreNMS
  • Full sudo across all labs instances (?)
  • Included in other Gerrit groups
    • mediawiki
    • wmf-deployment
    • labs-toollabs
    • opssoftware
    • Administrators
  • Gerrit repository permissions
    • labs/private owner = group ldap/ops
    • labs/private read = group ldap/ops
    • labs/private create = group ldap/ops
    • labs/private push = group ldap/ops
    • labs/private pushTag = group ldap/ops
    • labs/private submit = group ldap/ops
    • labs/private pushMerge = group ldap/ops
    • mediawiki/skins/webplatform push = group ldap/ops
    • operations/apache-config owner = group ldap/ops
    • operations/apache-config submit = group ldap/ops
    • operations/debs owner = group ldap/ops
    • operations/debs create = group ldap/ops
    • operations/debs forgeCommitter = group ldap/ops
    • operations/debs submit = group ldap/ops
    • operations/debs push = +force group ldap/ops
    • operations/debs pushTag = group ldap/ops
    • operations/debs/StatsD owner = group ldap/ops
    • operations/debs/adminbot owner = group ldap/ops
    • operations/debs/debdeploy owner = group ldap/ops
    • operations/debs/etherpad-lite owner = group ldap/ops
    • operations/debs/git-deploy owner = group ldap/ops
    • operations/debs/ircecho owner = group ldap/ops
    • operations/debs/jenkins-debian-glue create = group ldap/ops
    • operations/debs/jenkins-debian-glue push = group ldap/ops
    • operations/debs/jenkins-debian-glue pushTag = group ldap/ops
    • operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
    • operations/debs/linux owner = group ldap/ops
    • operations/debs/linux-meta owner = group ldap/ops
    • operations/debs/logstash-gelf owner = group ldap/ops
    • operations/debs/mariadb-server owner = group ldap/ops
    • operations/debs/mod_tile owner = group ldap/ops
    • operations/debs/mwbzutils owner = group ldap/ops
    • operations/debs/nginx owner = group ldap/ops
    • operations/debs/openssl owner = group ldap/ops
    • operations/debs/osm-mapnik-style owner = group ldap/ops
    • operations/debs/osm2pgsql owner = group ldap/ops
    • operations/debs/python-diamond owner = group ldap/ops
    • operations/debs/python-diamond push = +force group ldap/ops
    • operations/debs/python-diamond forgeCommitter = group ldap/ops
    • operations/debs/search-qa push = group ldap/ops
    • operations/debs/utfnormal owner = group ldap/ops
    • operations/debs/varnish owner = group ldap/ops
    • operations/debs/varnish push = +force group ldap/ops
    • operations/dns owner = group ldap/ops
    • operations/dns create = group ldap/ops
    • operations/dns forgeAuthor = group ldap/ops
    • operations/dns forgeCommitter = group ldap/ops
    • operations/dns push = group ldap/ops
    • operations/dns pushMerge = group ldap/ops
    • operations/dns pushTag = group ldap/ops
    • operations/dns submit = group ldap/ops
    • operations/dumps owner = group ldap/ops
    • operations/dumps create = group ldap/ops
    • operations/dumps submit = group ldap/ops
    • operations/dumps push = group ldap/ops
    • operations/dumps pushMerge = group ldap/ops
    • operations/dumps pushTag = group ldap/ops
    • operations/dumps/incremental owner = group ldap/ops
    • operations/dumps/test owner = group ldap/ops
    • operations/mediawiki-config owner = group ldap/ops
    • operations/mediawiki-config submit = group ldap/ops
    • operations/mediawiki-config create = group ldap/ops
    • operations/network-diagrams owner = group ldap/ops
    • operations/network-diagrams create = group ldap/ops
    • operations/network-diagrams push = group ldap/ops
    • operations/network-diagrams submit = group ldap/ops
    • operations/network-diagrams pushMerge = group ldap/ops
    • operations/network-diagrams pushTag = group ldap/ops
    • operations/puppet owner = group ldap/ops
    • operations/puppet submit = group ldap/ops
    • operations/puppet push = group ldap/ops
    • operations/puppet pushMerge = group ldap/ops
    • operations/puppet pushTag = group ldap/ops
    • operations/software label-Code-Review = -2..+2 group ldap/ops
    • operations/software label-Verified = -1..+2 group ldap/ops
    • operations/software/librenms forgeCommitter = group ldap/ops
    • operations/software/librenms push = +force group ldap/ops
    • operations/software/nginx owner = group ldap/ops
    • operations/software/nginx forgeAuthor = group ldap/ops
    • operations/software/nginx forgeCommitter = group ldap/ops
    • operations/software/nginx push = group ldap/ops
    • operations/software/otrs owner = group ldap/ops

nda grants access to:

This group is intended for volunteers who've signed the volunteer NDA.

wmde grants access to:

This group is intended for Wikimedia Deutschland staff.