please give FxOS QA access to aus4 admin interfaces

RESOLVED FIXED

Status

Infrastructure & Operations
Mozilla VPN: ACL requests

People

(Reporter: bhearsum, Assigned: lerxst)

(Reporter)

Description

3 years ago
Please give npark@mozilla.com, bbajaj@mozilla.com, and jlorenzo@mozilla.com access to https://aus4-admin-dev.allizom.org, https://aus4-admin.allizom.org, and https://aus4-admin.mozilla.org.

In addition to the VPN ACL, I think there's a VPN group they need to be in to be accepted by the HTTP auth; bug 1066352 might have a clue about that.
Can we get an ETA on this? We just had a smoketest failure (although it didn't quite require OTA disable this time), and I remembered that we were waiting on this one. Thanks!
Hi Ben, pinging you in case you have a comment for Comment 1.
Flags: needinfo?(bhearsum)
(Reporter)

Comment 3

3 years ago
(In reply to No-Jun Park [:njpark] from comment #2)
> Hi Ben, pinging you in case you have a comment for Comment 1.

Sorry, I don't have any control over this one. It's waiting on WebOps.
Flags: needinfo?(bhearsum)
(Assignee)

Comment 4

3 years ago
These are all public IP addresses. You need them to be accessible via VPN?
Assignee: vpn-acl → dparsons
(Reporter)

Comment 5

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #4)
> These are all public IP addresses. You need them to be accessible via VPN?

Not all of them are public (aus4-admin.mozilla.org is private), but no - we're not looking for change in that. There is at least one LDAP group that these people need to be a part of to be accepted by the HTTP auth that these are protected by. I think they also need to have VPN ACLs added for aus4-admin.mozilla.org so that the VPN allows them to route to it.
(Assignee)

Comment 6

3 years ago
Added npark, bbajaj, and jlorenzo to group balrog. This should (I think) give them the HTTP auth access you need. Regarding the one private address in this ACL request, 10.8.81.74, the only group it's in is vpn_releng. Is this group appropriate for these users, or should there be a separate group made? (The latter, I'm guessing).
(Reporter)

Comment 7

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #6)
> Added npark, bbajaj, and jlorenzo to group balrog. This should (I think)
> give them the HTTP auth access you need. Regarding the one private address
> in this ACL request, 10.8.81.74, the only group it's in is vpn_releng. Is
> this group appropriate for these users, or should there be a separate group
> made? (The latter, I'm guessing).

vpn_releng sounds too wide (though I don't know what it implies). There might already be an existing group for users like this. Eg: jlal@mozilla.com and rwood@mozilla.com have similar access as far as RelEng+balrog access goes.
(Assignee)

Comment 8

3 years ago
I just looked over both jlal and rwood and neither have access to 10.8.81.74.
(Reporter)

Comment 9

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #8)
> I just looked over both jlal and rwood and neither have access to 10.8.81.74.

Hilarious. I guess they've never used the access we gave them.
So... is there a VPN connection file that we can download (or VPN server info)? Seems like the standard Mozilla VPN server isn't the one.
(Assignee)

Comment 11

3 years ago
https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829

Is there anything else that needs to be done here?
(Reporter)

Comment 12

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #11)
> https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829
> 
> Is there anything else that needs to be done here?

We can close for now and re-open if there's still an issue, if you prefer. No-Jun, I'm in the office on Thursday - I can give you a hand with the VPN and testing your access then.
(Assignee)

Comment 13

3 years ago
Sounds great. Feel free to reach out if there are any issues.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(In reply to Ben Hearsum [:bhearsum] from comment #12)
> (In reply to Dan Parsons [:lerxst] from comment #11)
> > https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829
> > 
> > Is there anything else that needs to be done here?
> 
> We can close for now and re-open if there's still an issue, if you prefer.
> No-Jun, I'm in the office on Thursday - I can give you a hand with the VPN
> and testing your access then.

Awesome, see you Thursday. Thanks!
Hmm, after I connect to the VPN (I chose revoke & regenerate), I get:
https://aus4-admin-dev.allizom.org => I can connect without issue
https://aus4-admin.allizom.org => Forbidden
https://aus4-admin.mozilla.org => Not found.
We can go over which settings need to be tweaked tomorrow then.
(Reporter)

Comment 16

3 years ago
It appears to me that No-Jun is still missing a VPN ACL. As far as I can tell he's able to get on the VPN without issue, but he gets connection refused when attempting to open a connection to https://aus4-admin.mozilla.org. Eg, not even prompted for credentials:
$ curl -IL https://aus4-admin.mozilla.org
curl: (7) Failed to connect to aus4-admin.mozilla.org port 443: Connection refused

Both he and I are in the office today, so if we could try to sort this out so we can verify it, it would be great.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 17

3 years ago
It works for you and not for him because you're in the vpn_releng group and he isn't. You say putting him in vpn_releng is too wide. Should I make a special group just for this one IP? If so, what would be an appropriate name?
(Reporter)

Comment 18

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #17)
> It works for you and not for him because you're in the vpn_releng group and
> he isn't. You say putting him in vpn_releng is too wide. Should I make a
> special group just for this one IP? If so, what would be an appropriate name?

Okay, we definitely need a new group then. Let's call it "aus4_admins", I guess.
(Assignee)

Comment 19

3 years ago
Done! Created group vpn_aus4_admins and put npark@mozilla.com in it. Please re-open if there are issues.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 20

3 years ago
(In reply to Dan Parsons [:lerxst] from comment #19)
> Done! Created group vpn_aus4_admins and put npark@mozilla.com in it. Please
> re-open if there are issues.

He's in! \o/. Can we get the other folks from comment #0 added, too?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
jlorenzo emailed me today that he can't access the aus4-admin.mozilla.org:443 site. So if we can get the same access to bhavana and jlorenzo, we're good here. :)
Duplicate of this bug: 1138878
I assume you mean bbajaj rather than bhavana (as per comment 0)?

Added vpn_aus4_admins to bbajaj and jlorenzo's accounts.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Verified for me.