
SRE Offboarding

From Wikitech

This page only details SRE-specific steps. The offboarding for non-SRE users is listed at https://office.wikimedia.org/wiki/SRE/Offboarding_from_production

Phabricator ticket

[] update LDAP permissions based on NDA status
[] update Phabricator permissions based on NDA status 
[] update [https://github.com/orgs/wikimedia/people github] access based on NDA status
[] Check HBase/Hadoop permissions and inform the SRE analytics team
[] update user in [[https://github.com/wikimedia/puppet/blob/production/modules/admin/data/data.yaml | modules/admin/data/data.yaml]]
[] run the logout cookbook
Additional tasks for SRE team members
[] Review access to internal IRC channels
[] Remove from ops mailing lists (ops and ops-private)
[] Remove from private Exim aliases
[] Remove VictorOps user
[] Remove Icinga user
[] Remove from pwstore
[] Review access to network devices (and potentially remove access)
[] Remove Kerberos principal (if present)

Review access to internal IRC channels

We need to ensure users are removed from private IRC chat channels. If you are not aware of the private channels, or their associated ops, please contact a member of the SRE security team. Specifically:

  • Review the ircservserv-config repo.
  • Remove from SRE private team channels, e.g. #wikimedia-sre-private.
  • Check with the user's team members to ensure they are removed from any team private rooms, e.g. #wikimedia-sre-traffic-private.

Remove from ops mailing lists (ops and ops-private)

First, you can check which lists a user is on with the following command on the mailman server (lists1001.wikimedia.org at time of writing):

$ sudo mailman findmember user@example.org

To remove a user from all our mailing lists, run the following command:

$ sudo mailman delmembers --fromall --member user@example.org

More information can be found on the Mailman page.

Remove from Exim aliases in private.git

Remove the user from all alias files under the following directory:

/srv/private/modules/privateexim/files/

New users will probably only have one entry for root@wikimedia.org. However, users who have been around for some time may appear in multiple locations.

Remove VictorOps user

Make sure the user has been deleted from https://portal.victorops.com/dash/wikimedia#/users.

Remove Icinga user

Create a patch to the Puppet repository to remove all instances of the user from modules/icinga/files/cgi.cfg. Note the username shown here is the LDAP (Wikitech wiki) username, which is not necessarily the same as the shell account.
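As an added example (not part of the original page or the Puppet repository), the helper below removes one username from every authorization list in a cgi.cfg and then lists the lines that still mention that name, so the patch can be checked for "all instances". It assumes the file uses the standard Nagios/Icinga 1.x `authorized_for_*=user1,user2` syntax; the sample file, the usernames and the function names are constructed for illustration.

```python
import re

# Standard Nagios/Icinga 1.x CGI syntax: authorized_for_<scope>=user1,user2
DIRECTIVE = re.compile(r"^(\s*(authorized_for_\w+)\s*=)(.*)$")

# Constructed sample; usernames and contents are invented for illustration.
SAMPLE = """\
# constructed sample, not the real file
use_authentication=1
authorized_for_system_information=Alice Example,jdoe,jdoe-admin
authorized_for_all_services=jdoe, Bob Example
authorized_for_all_hosts=Bob Example
# jdoe asked for read-only access
authorized_for_read_only=jdoe
"""

def remove_user(cfg_text, username):
    """Drop username from every authorized_for_* list.

    Compares whole comma-separated entries, so removing 'jdoe' leaves
    'jdoe-admin' alone. Returns (new_text, names_of_changed_directives).
    """
    out, touched = [], []
    for line in cfg_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            users = [u.strip() for u in m.group(3).split(",") if u.strip()]
            kept = [u for u in users if u != username]
            if len(kept) != len(users):
                touched.append(m.group(2))
                line = m.group(1) + ",".join(kept)
        out.append(line)
    return "\n".join(out) + "\n", touched

def remaining_mentions(cfg_text, username):
    """1-based line numbers that still name the user (comments, other keys)."""
    token = re.compile(r"(?<![\w-])" + re.escape(username) + r"(?![\w-])")
    return [n for n, line in enumerate(cfg_text.splitlines(), 1)
            if token.search(line)]

if __name__ == "__main__":
    new_text, touched = remove_user(SAMPLE, "jdoe")
    print("changed:", touched)
    print("review lines:", remaining_mentions(new_text, "jdoe"))
```

A directive left with an empty list after removal (here `authorized_for_read_only=`) should be reviewed by hand before the patch is submitted.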

Remove from pwstore

For this you will need to contact Jesse, Moritz, Riccardo or Simon and ask them to perform this task. Check the Pwstore page for more information.

Remove from Google group for private groups

Email Mark or Moritz and ask them to remove the user from the sre@wikimedia.org Google group.

Review access to network devices (and potentially remove access)

Please review whether the user had access to network devices at https://github.com/wikimedia/operations-homer-public/blob/master/config/common.yaml

If so, open a Phabricator task asking for network access to be removed and tag it with "netops".

Also see the main page: Data_Engineering/Systems/Kerberos/Administration#Delete_a_principal_for_a_real_user