SRE/LDAP/Groups

From Wikitech

After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.

To request access to one of these groups, see SRE/LDAP/Groups/Request_access.

To view current members of a group, use https://ldap.toolforge.org/.

Not to be confused with production access, which has its own groups, defined in modules/admin/data/data.yaml in the operations/puppet repository. In general, LDAP groups are for accessing web tools and for being auto-added to certain Gerrit groups; production access is for SSHing into production servers.

Primary groups

The following primary groups exist:

  • wmf, for WMF staff and contractors (documented below).
  • ops, for SRE staff (documented below; see also the ops group in the puppet manifests/site.pp).
  • ops-limited (formerly sre-admins), for SREs who do not have full root privileges.
  • nda, for researchers and volunteers who have signed an NDA for access to confidential data (documented below).
  • ldap_ops, for write access to the LDAP server itself.
  • wmde, for Wikimedia Deutschland staff.
  • logstash-access, for access to Logstash only; this is being split out of the "wmf" and "nda" groups in phab:T376790.
  • grafana-admin, for admin-level access to Grafana. Members of the "wmf", "ops" and "nda" groups can already edit dashboards in Grafana; note that editing a dashboard gives access to metrics that may expose PII. Admin access requires an NDA with Legal (filed in Cobblestone).
  • tools.admin, for admin access in Toolforge.
  • ciadmin, grants full admin access to Jenkins, including the ability to create and modify Jenkins jobs for ad-hoc debugging. In general you do not need ciadmin to create or modify Jenkins jobs: they are deployed from the integration/config repository, which anyone can write patches for.
  • gerritadmin, for Administrator rights in Gerrit. This includes access to the database, ACL modifications, repository management and settings affecting all projects (https://gerrit.wikimedia.org/r/#/admin/groups/1,members). The ldap_groups Gerrit cache has to be flushed for a membership change to take effect (see Gerrit/Administration#Become_an_Administrator).
  • releng, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
  • archiva-deployers, for deployment rights in Archiva.
  • superset-admins, for automatically assigning the Admin role in the Analytics Superset instances.
  • dns-admins, allows merging DNS changes in the operations/dns repository.
  • idptest-users, for accessing services integrated against the staging IDP (currently only Puppetboard).
  • project-*, one group per Cloud VPS project, each prefixed with project-. These should not be manually joined or altered.
  • airflow-analytics-ops, allows access to the Data Engineering Airflow instance.
  • airflow-wmde-ops, allows access to the Wikimedia Deutschland Airflow instance.
  • airflow-research-ops, allows access to the Research Airflow instance.
  • airflow-search-ops, allows access to the Search Airflow instance.
  • bitu-account-managers, allows blocking and unblocking users in Bitu.
  • spiderpig-access, allows access to SpiderPig, the web interface for Scap.
  • netbox-readonly-access, provides read-only access to Netbox. Volunteers with a signed NDA can request this permission via https://idm.wikimedia.org/permissions/.

These groups are privileged, but do not have human users as members, only system/role accounts:

  • sgeadmin, various privileges around Grid Engine (only member is sgeadmin).
  • labsadminbots (only member is novaadmin).
  • mwdeploy (used by mediawiki deployment, only member is mwdeploy).
  • vagrant (system group for mediawiki-vagrant, only member is vagrant).
  • shinken (system group for shinken monitoring, only member is shinken).
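The list above states an invariant worth checking rather than trusting: each of these privileged groups should contain exactly one role account and no human. The following is an added example (not Wikimedia's own tooling) that runs that check, and answers "which groups is this uid in", over an LDIF export of the groups tree. It assumes groups are groupOfNames entries under ou=groups,dc=wikimedia,dc=org whose member values are DNs of the form uid=<user>,ou=people,dc=wikimedia,dc=org; the LDIF embedded below is constructed for the example, not a real export.

```python
"""Membership checks over an LDIF export of the LDAP groups tree.

Added example for this page, not Wikimedia's own tooling. Assumptions: groups
are groupOfNames entries under ou=groups,dc=wikimedia,dc=org with `member`
DNs of the form uid=<user>,ou=people,dc=wikimedia,dc=org. SAMPLE_LDIF is
constructed for the example and is not a real export.
"""
from __future__ import annotations

import base64
from collections import defaultdict

BASE_DN = "dc=wikimedia,dc=org"   # assumed base DN


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, folded lines
    (leading space) re-joined, `attr:: value` decoded from base64."""
    entries: dict[str, dict[str, list[str]]] = {}
    lines: list[str] = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # unfold continuation line
            continue
        if raw != "":
            lines.append(raw)
            continue
        attrs: dict[str, list[str]] = defaultdict(list)
        for line in lines:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs[name].append(value.strip())
        if attrs.get("dn"):
            entries[attrs["dn"][0]] = dict(attrs)
        lines = []
    return entries


def uid_of(dn: str) -> str:
    """uid=alice,ou=people,... -> alice (other RDN types are returned whole)."""
    rdn = dn.split(",", 1)[0]
    key, _, value = rdn.partition("=")
    return value if key.lower() == "uid" else rdn


def members(entries: dict, group: str) -> set[str]:
    """uids listed as members of cn=<group>,ou=groups; KeyError if absent."""
    entry = entries.get(f"cn={group},ou=groups,{BASE_DN}")
    if entry is None:
        raise KeyError(f"no such group: {group}")
    return {uid_of(m) for m in entry.get("member", [])}


def groups_of(entries: dict, uid: str) -> list[str]:
    """Every group under ou=groups whose member list names the user."""
    return sorted(
        entry["cn"][0]
        for dn, entry in entries.items()
        if dn.endswith(f"ou=groups,{BASE_DN}")
        and uid in {uid_of(m) for m in entry.get("member", [])}
    )


# The page states these privileged groups hold exactly one role account each.
ROLE_GROUPS = {"sgeadmin": "sgeadmin", "labsadminbots": "novaadmin",
               "mwdeploy": "mwdeploy", "vagrant": "vagrant", "shinken": "shinken"}


def role_group_violations(entries: dict) -> dict[str, set[str]]:
    """Role groups whose membership is not exactly the expected account;
    the value is the set of unexpected or missing uids."""
    bad: dict[str, set[str]] = {}
    for group, expected in ROLE_GROUPS.items():
        try:
            actual = members(entries, group)
        except KeyError:
            continue                              # group absent from this export
        if actual != {expected}:
            bad[group] = actual ^ {expected}
    return bad


SAMPLE_LDIF = """\
dn: cn=mwdeploy,ou=groups,dc=wikimedia,dc=org
objectClass: groupOfNames
cn: mwdeploy
member: uid=mwdeploy,ou=people,dc=wikimedia,dc=org

dn: cn=shinken,ou=groups,dc=wikimedia,dc=org
objectClass: groupOfNames
cn: shinken
member: uid=shinken,ou=people,dc=wikimedia,dc=org
member: uid=alice,ou=people,dc=wikimedia,dc=org

dn: cn=nda,ou=groups,dc=wikimedia,dc=org
objectClass: groupOfNames
cn: nda
description:: TkRBIHNpZ25lcnM=
member: uid=alice,ou=people,dc=wikimedia,dc=org
member: uid=bob,ou=people,
 dc=wikimedia,dc=org
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("alice is in:", groups_of(entries, "alice"))
    print("role-group violations:", role_group_violations(entries))
```

On real data the input would be the output of an LDIF-producing search over the groups subtree (for OpenLDAP clients, ldapsearch -x -LLL -b ou=groups,... produces this shape). In the constructed sample the shinken group has acquired a human member, so role_group_violations reports it; a clean export returns an empty dict.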

Specific groups

The Gerrit permission lists below do not account for project ACL inheritance: rights inherited from a parent project (ultimately All-Projects) are not shown.

nda group

This group is intended for volunteers or researchers who have signed an NDA.

Group members

nda grants access to the following tools:

  • Airflow, https://airflow.wikimedia.org/: list of jobs scheduled, running and completed in the analytics cluster. There are nine subdomains, one per team that owns an Airflow instance.
  • Alertmanager, https://alerts.wikimedia.org: alerts dashboard that consolidates alerts from multiple sources.
  • config-master, https://config-master.wikimedia.org/nda/: Varnish IP blocklist.
  • DataHub, https://datahub.wikimedia.org/: catalogue of datasets, dashboards, charts and pipelines.
  • DebMonitor, https://debmonitor.wikimedia.org/: Debian package tracker.
  • Experimentation Lab (xLab, mpic), https://mpic.wikimedia.org/: A/B testing.
  • Grafana, https://grafana-rw.wikimedia.org/: our current real-time graph renderer. Anyone can view https://grafana.wikimedia.org/; this group grants edit access (grafana-rw). Group membership is synced periodically, so allow some time after joining before you try to log in.
  • Graphite, https://graphite.wikimedia.org/: our old real-time graph renderer, deprecated in favor of Grafana.
  • Hadoop Yarn, https://yarn.wikimedia.org/: list of jobs scheduled, running and completed in the analytics cluster.
  • Icinga, https://icinga.wikimedia.org/: automated checks of the site that raise alarms when they fail.
  • Jaeger, https://trace.wikimedia.org/: distributed tracing (analyzing how services interact with each other).
  • Klaxon, https://klaxon.wikimedia.org/: a tool to page SREs in the event of a major site outage or security incident. Anyone can view; this group grants the ability to send a page.
  • LibreNMS, https://librenms.wikimedia.org/: list of networking equipment.
  • Orchestrator, https://orchestrator.wikimedia.org/: list of database servers.
  • Piwik (Matomo), https://piwik.wikimedia.org/: website visit statistics for our microsites (roughly 10,000 requests per day or less). Disable your ad blocker. You will be redirected to a second login screen; its credentials are username design, password design.
  • Superset, https://superset.wikimedia.org/: an SQL query tool for some of our private databases. This restricted instance is different from the public one at https://superset.wmcloud.org/.
  • Thanos, https://thanos.wikimedia.org/: run queries over Prometheus (monitoring and alerting) data for exploration. Start typing to see the data it can query. Also has a bucket storage viewer at https://thanos.wikimedia.org/bucket/ and an alert and rule viewer at https://thanos.wikimedia.org/rule/alerts.
  • Turnilo, https://turnilo.wikimedia.org/: website visit statistics for wikis and other large sites, for example distinct visitors per wiki in the last month. Gets its data from Druid.

wmf group

Group members

wmf grants access to:

  • All the tools in the nda group (see above)
  • Jenkins (docs): access to restricted projects like [1], and permission to build and cancel jobs.
  • Netbox (docs).
  • Included in other Gerrit groups
    • Translatewiki.net
    • Analytics
    • wikidata-query-blazegraph
    • glam
    • mediawiki
    • qa
    • webplatform.org
  • Gerrit repository permissions
    • apps/android/commons owner = group ldap/wmf
    • avro-php forgeCommitter = group ldap/wmf
    • labs/invisible-unicorn owner = group ldap/wmf
    • labs/invisible-unicorn submit = group ldap/wmf
    • labs/invisible-unicorn rebase = group ldap/wmf
    • labs/tools/wikipedia-android-builds submit = group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
    • labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
    • operations/debs label-Code-Review = -1..+1 group ldap/wmf
    • test/gerrit-ping owner = group ldap/wmf
    • unicodejs owner = group ldap/wmf
    • wikidata/gremlin owner = group ldap/wmf
    • wikidata/query/rdf owner = group ldap/wmf
    • wikimedia/lobbypop owner = group ldap/wmf
    • wikimedia/roadmap-updater owner = group ldap/wmf
    • wikimedia/slimapp pushSignedTag = group ldap/wmf
    • wikimedia/slimapp pushTag = group ldap/wmf
    • wikimedia/wikimania-scholarships owner = group ldap/wmf
    • wikimedia/wikimania-scholarships submit = group ldap/wmf

ops group

Group members

ops grants access to:

  • Logstash
  • Graphite
  • Grafana
  • Icinga
  • Piwik login page
  • Netbox
  • Puppetboard (PuppetDB web UI)
  • LibreNMS
  • Klaxon
  • Full sudo across all Cloud VPS instances (?)
  • Included in other Gerrit groups
    • mediawiki
    • wmf-deployment
    • labs-toollabs
    • opssoftware
  • Gerrit repository permissions
    • labs/private owner = group ldap/ops
    • labs/private read = group ldap/ops
    • labs/private create = group ldap/ops
    • labs/private push = group ldap/ops
    • labs/private pushTag = group ldap/ops
    • labs/private submit = group ldap/ops
    • labs/private pushMerge = group ldap/ops
    • mediawiki/skins/webplatform push = group ldap/ops
    • operations/apache-config owner = group ldap/ops
    • operations/apache-config submit = group ldap/ops
    • operations/debs owner = group ldap/ops
    • operations/debs create = group ldap/ops
    • operations/debs forgeCommitter = group ldap/ops
    • operations/debs submit = group ldap/ops
    • operations/debs push = +force group ldap/ops
    • operations/debs pushTag = group ldap/ops
    • operations/debs/StatsD owner = group ldap/ops
    • operations/debs/adminbot owner = group ldap/ops
    • operations/debs/debdeploy owner = group ldap/ops
    • operations/debs/etherpad-lite owner = group ldap/ops
    • operations/debs/git-deploy owner = group ldap/ops
    • operations/debs/ircecho owner = group ldap/ops
    • operations/debs/jenkins-debian-glue create = group ldap/ops
    • operations/debs/jenkins-debian-glue push = group ldap/ops
    • operations/debs/jenkins-debian-glue pushTag = group ldap/ops
    • operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
    • operations/debs/linux owner = group ldap/ops
    • operations/debs/linux-meta owner = group ldap/ops
    • operations/debs/logstash-gelf owner = group ldap/ops
    • operations/debs/mariadb-server owner = group ldap/ops
    • operations/debs/mod_tile owner = group ldap/ops
    • operations/debs/mwbzutils owner = group ldap/ops
    • operations/debs/nginx owner = group ldap/ops
    • operations/debs/openssl owner = group ldap/ops
    • operations/debs/osm-mapnik-style owner = group ldap/ops
    • operations/debs/osm2pgsql owner = group ldap/ops
    • operations/debs/python-diamond owner = group ldap/ops
    • operations/debs/python-diamond push = +force group ldap/ops
    • operations/debs/python-diamond forgeCommitter = group ldap/ops
    • operations/debs/search-qa push = group ldap/ops
    • operations/debs/utfnormal owner = group ldap/ops
    • operations/debs/varnish owner = group ldap/ops
    • operations/debs/varnish push = +force group ldap/ops
    • operations/dns owner = group ldap/ops
    • operations/dns create = group ldap/ops
    • operations/dns forgeAuthor = group ldap/ops
    • operations/dns forgeCommitter = group ldap/ops
    • operations/dns push = group ldap/ops
    • operations/dns pushMerge = group ldap/ops
    • operations/dns pushTag = group ldap/ops
    • operations/dns submit = group ldap/ops
    • operations/dumps owner = group ldap/ops
    • operations/dumps create = group ldap/ops
    • operations/dumps submit = group ldap/ops
    • operations/dumps push = group ldap/ops
    • operations/dumps pushMerge = group ldap/ops
    • operations/dumps pushTag = group ldap/ops
    • operations/dumps/incremental owner = group ldap/ops
    • operations/dumps/test owner = group ldap/ops
    • operations/mediawiki-config owner = group ldap/ops
    • operations/mediawiki-config submit = group ldap/ops
    • operations/mediawiki-config create = group ldap/ops
    • operations/network-diagrams owner = group ldap/ops
    • operations/network-diagrams create = group ldap/ops
    • operations/network-diagrams push = group ldap/ops
    • operations/network-diagrams submit = group ldap/ops
    • operations/network-diagrams pushMerge = group ldap/ops
    • operations/network-diagrams pushTag = group ldap/ops
    • operations/puppet owner = group ldap/ops
    • operations/puppet submit = group ldap/ops
    • operations/puppet push = group ldap/ops
    • operations/puppet pushMerge = group ldap/ops
    • operations/puppet pushTag = group ldap/ops
    • operations/software label-Code-Review = -2..+2 group ldap/ops
    • operations/software label-Verified = -1..+2 group ldap/ops
    • operations/software/librenms forgeCommitter = group ldap/ops
    • operations/software/librenms push = +force group ldap/ops
    • operations/software/nginx owner = group ldap/ops
    • operations/software/nginx forgeAuthor = group ldap/ops
    • operations/software/nginx forgeCommitter = group ldap/ops
    • operations/software/nginx push = group ldap/ops
    • operations/software/otrs owner = group ldap/ops
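The wmf and ops lists above are flattened summaries of Gerrit project.config ACLs; the rights that matter most from a security standpoint are owner, the +force push marks and the forge* permissions, since each lets a group change a repository's history or ACL without review. The following is an added example (not Wikimedia's own tooling) that parses the [access "refs/..."] sections of project.config files and reports those grants for a given LDAP group. The two sample configs are constructed to mirror grants listed on this page and are not the real files; inheritance from parent projects is not resolved.

```python
"""Audit what an LDAP-backed Gerrit group may do, from project.config files.

Added example for this page, not Wikimedia's tooling. SAMPLE_CONFIGS are
constructed to mirror grants on this page, not the real project.config files.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTION_RE = re.compile(r'^\s*\[access\s+"([^"]+)"\]\s*$')
RULE_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.+?)\s*$')
RANGE_RE = re.compile(r'-?\d+\.\.\+?\d+')        # label ranges such as -2..+2


@dataclass(frozen=True)
class Rule:
    project: str
    ref: str                 # ref pattern of the enclosing access section
    permission: str          # owner, push, submit, label-Code-Review, ...
    action: str              # "allow", "deny" or "block"
    force: bool              # "push = +force ..." permits history rewrites
    score_range: str | None  # only for label-* permissions
    group: str


def parse_project_config(project: str, text: str) -> list[Rule]:
    """Turn the access sections of one project.config into Rule records."""
    rules: list[Rule] = []
    ref: str | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("["):
            m = SECTION_RE.match(line)
            ref = m.group(1) if m else None      # non-access sections are skipped
            continue
        if ref is None:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        permission, value = m.groups()
        tokens = value.split()
        if "group" not in tokens:                # e.g. exclusiveGroupPermissions = read
            continue
        at = tokens.index("group")
        flags, group = tokens[:at], " ".join(tokens[at + 1:])
        action, force, score_range = "allow", False, None
        for flag in flags:
            if flag in ("deny", "block"):
                action = flag
            elif flag == "+force":
                force = True
            elif RANGE_RE.fullmatch(flag):
                score_range = flag
        rules.append(Rule(project, ref, permission, action, force, score_range, group))
    return rules


# Permissions that let a group change a project without going through review.
SENSITIVE = {"owner", "pushMerge", "forgeAuthor", "forgeCommitter", "forgeServerAsCommitter"}


def sensitive_grants(rules: list[Rule], group: str) -> list[tuple[str, str, str]]:
    """Allow-rules granting `group` ownership, force push or commit forging."""
    hits = []
    for r in rules:
        if r.group != group or r.action != "allow":
            continue
        if r.permission in SENSITIVE or (r.permission == "push" and r.force):
            hits.append((r.project, r.ref, r.permission + (" (+force)" if r.force else "")))
    return sorted(hits)


def audit(configs: dict[str, str], group: str) -> list[tuple[str, str, str]]:
    rules = [r for project, text in configs.items() for r in parse_project_config(project, text)]
    return sensitive_grants(rules, group)


SAMPLE_CONFIGS = {   # constructed; mirrors grants listed on the page
    "operations/puppet": """\
[access "refs/*"]
    owner = group ldap/ops
[access "refs/heads/*"]
    submit = group ldap/ops
    push = group ldap/ops
    pushMerge = group ldap/ops
    label-Code-Review = -2..+2 group ldap/ops
    label-Code-Review = -1..+1 group Registered Users
[access "refs/tags/*"]
    pushTag = group ldap/ops
""",
    "operations/debs": """\
[access "refs/*"]
    owner = group ldap/ops
    create = group ldap/ops
    forgeCommitter = group ldap/ops
[access "refs/heads/*"]
    push = +force group ldap/ops
    submit = group ldap/ops
    label-Code-Review = -1..+1 group ldap/wmf
    push = block group Anonymous Users
[access "refs/tags/*"]
    pushTag = group ldap/ops
""",
}

if __name__ == "__main__":
    for project, ref, what in audit(SAMPLE_CONFIGS, "ldap/ops"):
        print(f"{project:20} {ref:14} {what}")
```

Run against a checkout of each project's refs/meta/config branch, this gives a per-group view that the per-project lists on this page cannot: for the constructed sample, ldap/ops is reported for owner on both projects, pushMerge on operations/puppet, and forgeCommitter plus force push on operations/debs, while ldap/wmf, which only holds a -1..+1 Code-Review vote, is reported for nothing. Block and deny rules are parsed but never counted as grants.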

ops-limited group

Group members

This group is intended for SREs without full root access.

ops-limited grants access to:

  • puppetboard
  • librenms
  • orchestrator

wmde group

This group is intended for Wikimedia Deutschland staff.

Group members

wmde grants access to:
