Closed Bug 1132491 Opened 9 years ago Closed 9 years ago

please give FxOS QA access to aus4 admin interfaces

Categories

(Infrastructure & Operations :: Corporate VPN: ACL requests, task)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: dparsons)

Please give npark@mozilla.com, bbajaj@mozilla.com, and jlorenzo@mozilla.com access to https://aus4-admin-dev.allizom.org, https://aus4-admin.allizom.org, and https://aus4-admin.mozilla.org.

In addition to the VPN ACL, I think there's a VPN group they need to be in to be accepted by the HTTP auth (bug 1066352 might have a clue about that).
Can we get an ETA on this? We just had a smoketest failure (although it didn't quite require OTA disable this time), and I remembered that we were waiting on this one. Thanks!
Hi Ben, pinging you in case you have a comment for Comment 1.
Flags: needinfo?(bhearsum)
(In reply to No-Jun Park [:njpark] from comment #2)
> Hi Ben, pinging you in case you have a comment for Comment 1.

Sorry, I don't have any control over this one. It's waiting on WebOps.
Flags: needinfo?(bhearsum)
These are all public IP addresses. You need them to be accessible via VPN?
Assignee: vpn-acl → dparsons
(In reply to Dan Parsons [:lerxst] from comment #4)
> These are all public IP addresses. You need them to be accessible via VPN?

Not all of them are public (aus4-admin.mozilla.org is private), but no - we're not looking for a change in that. There is at least one LDAP group that these people need to be a part of to be accepted by the HTTP auth that these are protected by. I think they also need to have VPN ACLs added for aus4-admin.mozilla.org so that the VPN allows them to route to it.
Added npark, bbajaj, and jlorenzo to group balrog. This should (I think) give them the HTTP auth access you need. Regarding the one private address in this ACL request, 10.8.81.74, the only group it's in is vpn_releng. Is this group appropriate for these users, or should there be a separate group made? (The latter, I'm guessing).
(In reply to Dan Parsons [:lerxst] from comment #6)
> Added npark, bbajaj, and jlorenzo to group balrog. This should (I think)
> give them the HTTP auth access you need. Regarding the one private address
> in this ACL request, 10.8.81.74, the only group it's in is vpn_releng. Is
> this group appropriate for these users, or should there be a separate group
> made? (The latter, I'm guessing).

vpn_releng sounds too wide (though I don't know what it implies). There might already be an existing group for users like this. E.g., jlal@mozilla.com and rwood@mozilla.com have similar access as far as RelEng+balrog access goes.
I just looked over both jlal and rwood and neither have access to 10.8.81.74.
(In reply to Dan Parsons [:lerxst] from comment #8)
> I just looked over both jlal and rwood and neither have access to 10.8.81.74.

Hilarious. I guess they've never used the access we gave them.
So.. is there a vpn connection file that we can download (or vpn server info)?  Seems like the standard mozilla vpn server isn't the one.
https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829

Is there anything else that needs to be done here?
(In reply to Dan Parsons [:lerxst] from comment #11)
> https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829
> 
> Is there anything else that needs to be done here?

We can close for now and re-open if there's still an issue, if you prefer. No-Jun, I'm in the office on Thursday - I can give you a hand with the VPN and testing your access then.
Sounds great. Feel free to reach out if there are any issues.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
(In reply to Ben Hearsum [:bhearsum] from comment #12)
> (In reply to Dan Parsons [:lerxst] from comment #11)
> > https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829
> > 
> > Is there anything else that needs to be done here?
> 
> We can close for now and re-open if there's still an issue, if you prefer.
> No-Jun, I'm in the office on Thursday - I can give you a hand with the VPN
> and testing your access then.

Awesome, see you Thursday. Thanks!
Hmm, after I connect to the VPN (I chose revoke & regenerate), I get:
https://aus4-admin-dev.allizom.org => I can connect without issue
https://aus4-admin.allizom.org => Forbidden
https://aus4-admin.mozilla.org => Not found.
We can go over which settings need to be tweaked tomorrow then.
It appears to me that No-Jun is still missing a VPN ACL. As far as I can tell he's able to get on the VPN without issue, but he gets connection refused when attempting to open a connection to https://aus4-admin.mozilla.org. E.g., not even prompted for credentials:
$ curl -IL https://aus4-admin.mozilla.org
curl: (7) Failed to connect to aus4-admin.mozilla.org port 443: Connection refused

Both he and I are in the office today, so if we could try to sort this out so we can verify it, it would be great.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It works for you and not for him because you're in the vpn_releng group and he isn't. You say putting him in vpn_releng is too wide. Should I make a special group just for this one IP? If so, what would be an appropriate name?
(In reply to Dan Parsons [:lerxst] from comment #17)
> It works for you and not for him because you're in the vpn_releng group and
> he isn't. You say putting him in vpn_releng is too wide. Should I make a
> special group just for this one IP? If so, what would be an appropriate name?

Okay, we definitely need a new group then. Let's call it "aus4_admins", I guess.
Done! Created group vpn_aus4_admins and put npark@mozilla.com in it. Please re-open if there are issues.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
(In reply to Dan Parsons [:lerxst] from comment #19)
> Done! Created group vpn_aus4_admins and put npark@mozilla.com in it. Please
> re-open if there are issues.

He's in! \o/. Can we get the other folks from comment #0 added, too?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
jlorenzo emailed me today that he can't access the aus4-admin.mozilla.org:443 site. So if we can get the same access for bhavana and jlorenzo, we're good here. :)
I assume you mean bbajaj rather than bhavana (as per comment 0)?

Added vpn_aus4_admins to bbajaj and jlorenzo's accounts.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Verified for me.