SRE/LDAP/Groups
After you have created a Wikimedia Developer account, you may need to join a group in our LDAP server for specific access.
To request access to one of these groups, create an LDAP-Access-Requests task in Phabricator.
To view current members of a group, use https://ldap.toolforge.org/.
Primary groups
The following primary groups exist:
- wmf, for WMF staff/contractors (documented below).
- ops, for SRE staff (documented below; see also the ops group in the puppet manifests/site.pp).
- ops-limited (formerly sre-admins), for SREs who do not have full root privileges.
- nda, for researchers and volunteers who have signed NDAs for access to confidential data (documented below).
- ldap_ops, for write access to the LDAP server itself.
- wmde, for Wikimedia Deutschland staff.
- grafana-admin, for admin-level access to Grafana. Note that members of the "wmf", "ops" and "nda" groups already have permission to edit dashboards in Grafana. When editing a dashboard, one has access to metrics that may expose PII data. Admin access requires an NDA with Legal (filed in Cobblestone).
- tools.admin, for admin access in Toolforge.
- ciadmin, grants users full admin access to Jenkins, including the ability to create and modify Jenkins jobs for ad-hoc debugging. Note that in general you do not need ciadmin access to create or modify Jenkins jobs, as these are deployed via the integration/config repository, which anyone can write patches for.
- gerritadmin, for Administrator rights to Gerrit; this includes access to the database, ACL modifications, repository management, and settings affecting all projects. https://gerrit.wikimedia.org/r/#/admin/groups/1,members . The ldap_groups Gerrit cache has to be flushed for the change to be taken into account (see Gerrit/Administration#Become_an_Administrator).
- releng, for members of the Release Engineering Team. It will be (FIXME) used for access to the releases.wikimedia.org Jenkins installation.
- archiva-deployers, deployment rights in Archiva.
- superset-admins, for automatically assigning the Admin role in the Analytics Superset instances.
- dns-admins, allows merging DNS changes via the operations/dns repository.
- idptest-users, for accessing services integrated against the staging IDP (currently only Puppetboard).
- project-*, these represent Cloud VPS projects; each project has its own LDAP group prefixed with project-. These should not be manually joined or altered.
- airflow-analytics-ops, allows access to the Data Engineering Airflow instance.
- airflow-wmde-ops, allows access to the Wikimedia Deutschland Airflow instance.
- airflow-research-ops, allows access to the Research Airflow instance.
These groups are privileged, but do not have human users as members, only system/role accounts:
- sgeadmin, various privileges around Grid Engine (only member is sgeadmin).
- labsadminbots (only member is novaadmin).
- mwdeploy (used by MediaWiki deployment, only member is mwdeploy).
- vagrant (system group for mediawiki-vagrant, only member is vagrant).
- shinken (system group for shinken monitoring, only member is shinken).
Specific groups
These lists do not account for Gerrit project ACL inheritance: permissions a group receives through a parent project are not shown.
wmf group
wmf grants access to:
- Logstash
- Graphite
- Grafana (no login required except for admin functions). Allow some time before you first try to log in: the service only periodically syncs new group members
- Icinga
- Piwik, docs
- Jenkins (access to restricted projects like [1], permissions to build and cancel jobs)
- DebMonitor, Debian packages tracker
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS, docs
- Orchestrator, docs
- Included in other Gerrit groups
- Translatewiki.net
- Analytics
- wikidata-query-blazegraph
- glam
- mediawiki
- qa
- webplatform.org
- Gerrit repository permissions
- apps/android/commons owner = group ldap/wmf
- avro-php forgeCommitter = group ldap/wmf
- labs/invisible-unicorn owner = group ldap/wmf
- labs/invisible-unicorn submit = group ldap/wmf
- labs/invisible-unicorn rebase = group ldap/wmf
- labs/tools/wikipedia-android-builds submit = group ldap/wmf
- labs/tools/wikipedia-android-builds label-Code-Review = -2..+2 group ldap/wmf
- labs/tools/wikipedia-android-builds label-Verified = -1..+2 group ldap/wmf
- operations/debs label-Code-Review = -1..+1 group ldap/wmf
- test/gerrit-ping owner = group ldap/wmf
- unicodejs owner = group ldap/wmf
- wikidata/gremlin owner = group ldap/wmf
- wikidata/query/rdf owner = group ldap/wmf
- wikimedia/lobbypop owner = group ldap/wmf
- wikimedia/roadmap-updater owner = group ldap/wmf
- wikimedia/slimapp pushSignedTag = group ldap/wmf
- wikimedia/slimapp pushTag = group ldap/wmf
- wikimedia/wikimania-scholarships owner = group ldap/wmf
- wikimedia/wikimania-scholarships submit = group ldap/wmf
ops group
ops grants access to:
- Logstash
- Graphite
- Grafana
- Icinga
- Piwik login page
- Netbox
- Puppetboard (PuppetDB UI interface)
- LibreNMS
- Full sudo across all Cloud VPS instances (?)
- Included in other Gerrit groups
- mediawiki
- wmf-deployment
- labs-toollabs
- opssoftware
- Gerrit repository permissions
- labs/private owner = group ldap/ops
- labs/private read = group ldap/ops
- labs/private create = group ldap/ops
- labs/private push = group ldap/ops
- labs/private pushTag = group ldap/ops
- labs/private submit = group ldap/ops
- labs/private pushMerge = group ldap/ops
- mediawiki/skins/webplatform push = group ldap/ops
- operations/apache-config owner = group ldap/ops
- operations/apache-config submit = group ldap/ops
- operations/debs owner = group ldap/ops
- operations/debs create = group ldap/ops
- operations/debs forgeCommitter = group ldap/ops
- operations/debs submit = group ldap/ops
- operations/debs push = +force group ldap/ops
- operations/debs pushTag = group ldap/ops
- operations/debs/StatsD owner = group ldap/ops
- operations/debs/adminbot owner = group ldap/ops
- operations/debs/debdeploy owner = group ldap/ops
- operations/debs/etherpad-lite owner = group ldap/ops
- operations/debs/git-deploy owner = group ldap/ops
- operations/debs/ircecho owner = group ldap/ops
- operations/debs/jenkins-debian-glue create = group ldap/ops
- operations/debs/jenkins-debian-glue push = group ldap/ops
- operations/debs/jenkins-debian-glue pushTag = group ldap/ops
- operations/debs/jenkins-debian-glue pushSignedTag = group ldap/ops
- operations/debs/linux owner = group ldap/ops
- operations/debs/linux-meta owner = group ldap/ops
- operations/debs/logstash-gelf owner = group ldap/ops
- operations/debs/mariadb-server owner = group ldap/ops
- operations/debs/mod_tile owner = group ldap/ops
- operations/debs/mwbzutils owner = group ldap/ops
- operations/debs/nginx owner = group ldap/ops
- operations/debs/openssl owner = group ldap/ops
- operations/debs/osm-mapnik-style owner = group ldap/ops
- operations/debs/osm2pgsql owner = group ldap/ops
- operations/debs/python-diamond owner = group ldap/ops
- operations/debs/python-diamond push = +force group ldap/ops
- operations/debs/python-diamond forgeCommitter = group ldap/ops
- operations/debs/search-qa push = group ldap/ops
- operations/debs/utfnormal owner = group ldap/ops
- operations/debs/varnish owner = group ldap/ops
- operations/debs/varnish push = +force group ldap/ops
- operations/dns owner = group ldap/ops
- operations/dns create = group ldap/ops
- operations/dns forgeAuthor = group ldap/ops
- operations/dns forgeCommitter = group ldap/ops
- operations/dns push = group ldap/ops
- operations/dns pushMerge = group ldap/ops
- operations/dns pushTag = group ldap/ops
- operations/dns submit = group ldap/ops
- operations/dumps owner = group ldap/ops
- operations/dumps create = group ldap/ops
- operations/dumps submit = group ldap/ops
- operations/dumps push = group ldap/ops
- operations/dumps pushMerge = group ldap/ops
- operations/dumps pushTag = group ldap/ops
- operations/dumps/incremental owner = group ldap/ops
- operations/dumps/test owner = group ldap/ops
- operations/mediawiki-config owner = group ldap/ops
- operations/mediawiki-config submit = group ldap/ops
- operations/mediawiki-config create = group ldap/ops
- operations/network-diagrams owner = group ldap/ops
- operations/network-diagrams create = group ldap/ops
- operations/network-diagrams push = group ldap/ops
- operations/network-diagrams submit = group ldap/ops
- operations/network-diagrams pushMerge = group ldap/ops
- operations/network-diagrams pushTag = group ldap/ops
- operations/puppet owner = group ldap/ops
- operations/puppet submit = group ldap/ops
- operations/puppet push = group ldap/ops
- operations/puppet pushMerge = group ldap/ops
- operations/puppet pushTag = group ldap/ops
- operations/software label-Code-Review = -2..+2 group ldap/ops
- operations/software label-Verified = -1..+2 group ldap/ops
- operations/software/librenms forgeCommitter = group ldap/ops
- operations/software/librenms push = +force group ldap/ops
- operations/software/nginx owner = group ldap/ops
- operations/software/nginx forgeAuthor = group ldap/ops
- operations/software/nginx forgeCommitter = group ldap/ops
- operations/software/nginx push = group ldap/ops
- operations/software/otrs owner = group ldap/ops
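The two permission lists above are ACL grants in the form Gerrit uses in a project's access configuration (repository, permission, optional label range or +force flag, and the granted group). The script below is an added example, not Wikimedia's own tooling: it parses lines in that format and reports, per LDAP group, which repositories the group can own, force-push to, submit to or approve on. The sample lines are a subset copied from the lists on this page, and the risk tiers are this example's own assumption rather than any Wikimedia policy.

```python
"""Audit Gerrit ACL grant lines of the kind listed on this page.

Added example (not Wikimedia tooling). Recognised line shapes:
  <repo> <permission> = group ldap/<group>
  <repo> <permission> = +force group ldap/<group>
  <repo> label-<Name> = <lo>..<hi> group ldap/<group>
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the grants listed on this page.
SAMPLE_GRANTS = """\
operations/debs owner = group ldap/ops
operations/debs push = +force group ldap/ops
operations/debs label-Code-Review = -1..+1 group ldap/wmf
operations/software label-Code-Review = -2..+2 group ldap/ops
operations/software label-Verified = -1..+2 group ldap/ops
operations/puppet submit = group ldap/ops
labs/invisible-unicorn owner = group ldap/wmf
wikimedia/slimapp pushSignedTag = group ldap/wmf
"""

GRANT_RE = re.compile(
    r"^(?P<repo>\S+)\s+(?P<perm>\S+)\s*=\s*"
    r"(?:(?P<range>[+-]?\d+\.\.[+-]?\d+)\s+)?"   # label range, e.g. -2..+2
    r"(?:(?P<force>\+force)\s+)?"                # force-push flag
    r"group\s+(?P<group>\S+)$"
)

# Risk tiers are an assumption of this example, not a Wikimedia classification.
# These permissions let the holder rewrite history or bypass code review.
HIGH_RISK = {"owner", "push", "pushMerge", "submit", "forgeCommitter", "forgeAuthor"}


def parse_grant(line):
    """Parse one grant line into a dict; raise on anything unrecognised."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    d = m.groupdict()
    rng = None
    if d["range"]:
        lo, hi = d["range"].split("..")
        rng = (int(lo), int(hi))
    return {
        "repo": d["repo"],
        "perm": d["perm"],
        "range": rng,
        "force": d["force"] is not None,
        "group": d["group"],
    }


def parse_grants(text):
    return [parse_grant(line) for line in text.splitlines() if line.strip()]


def risk_level(grant):
    """critical: owns the repo or can force-push (history rewrite);
    high: can submit/push/forge or give a +2 approval; normal: everything else."""
    if grant["perm"] == "owner" or grant["force"]:
        return "critical"
    if grant["perm"] in HIGH_RISK:
        return "high"
    if grant["perm"].startswith("label-") and grant["range"] and grant["range"][1] >= 2:
        return "high"
    return "normal"


def summarize(grants, group):
    """Map risk tier -> sorted list of repositories for one LDAP group."""
    tiers = defaultdict(set)
    for g in grants:
        if g["group"] == group:
            tiers[risk_level(g)].add(g["repo"])
    return {tier: sorted(repos) for tier, repos in tiers.items()}


if __name__ == "__main__":
    grants = parse_grants(SAMPLE_GRANTS)
    for group in ("ldap/ops", "ldap/wmf"):
        print(group)
        for tier, repos in sorted(summarize(grants, group).items()):
            print(f"  {tier}: {', '.join(repos)}")
```

Feed it the full lists above (or a dump of a project's access configuration) to see at a glance which repositories a group membership effectively makes a member an owner of; lines the regex does not recognise raise rather than being silently skipped, so a malformed or truncated list cannot produce a falsely reassuring summary.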
ops-limited group
Intended for SREs without full root access.
ops-limited grants access to:
- puppetboard
- librenms
- orchestrator
NDA group
nda grants access to:
- Logstash
- Graphite
- Grafana (editing access)
- Icinga
- Piwik login page
- DebMonitor
- Hadoop Yarn
- Turnilo, a tool for exploring internal data
- LibreNMS
- Orchestrator
This group is intended for volunteers who've signed the volunteer NDA.
wmde group
wmde grants access to:
This group is intended for Wikimedia Deutschland staff.
See also
- toolforge:ldap Group membership viewer