
set up a weekly report of non-IT and non-releng people with releng vpn access

VERIFIED FIXED

Status

Infrastructure & Operations
Infrastructure: Other
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: bhearsum, Assigned: jabba)

(Reporter)

Description

5 years ago
A few of us were talking on IRC about how it would be nice to be able to audit the list of people with RelEng network access from time to time. The overall list is very big (all of IT, all of RelEng, plus people with temporary access). Dustin suggested that we may be able to get a weekly report of the latter group of users, is this possible? If so, it should be sent to release@mozilla.com.

16:02 < bhearsum> in the blue sky world it would be nice to have a list of everyone with access minus releng+IT -- that would be the list that we want to audit from time 
                  to time
16:02 < arr> the infra team might be able to tell you how to get that
16:02 < arr> I'm not sure there's any differentiation between releng and not releng, though
16:03 < arr> it's just an LDAP bit
16:03 < dustin> cn=releng is a different group
16:03 < dustin> you could subtract them
16:03 < dustin> I bet one of the LDAP gurus could whip up a query for that
(Assignee)

Updated

5 years ago
Assignee: server-ops-infra → jdow

Comment 1

Possibly related, it would be a "good thing" to get a report anytime the set of releng folks changed. That usually means we need to get sudoer's access changed on a number of boxes.

I can handle change detection on my end, but need the raw data (either query or email).

Feel free to tell me to file a new bug. :)
(Assignee)

Comment 2

5 years ago
I set up a little script in openvpn::weeklyreport and applied this to vpn1.releng.scl3.mozilla.com. The script grabs a list of all members of cn=buildteam,ou=groups,dc=mozilla, compares it to a list of all valid LDAP users and e-mails it to relase@mozilla.com. I just put it in /etc/cron.weekly, which I believe will cause it to run sometime on Sunday morning every week.

I'm sending one mail now by hand, and you should expect one every Sunday (or whenever cron.weekly runs). If you don't see it, please let me know.

Regarding the request in comment 1, I believe you have access to this server and can look at the script to see the query, and how I'm using it. Ping me some morning if you want help with ldapsearch parameters or anything. As a member of the group you should be able to query ldap directly for the list of members in the group and subsequently write your own scripts to track the changes. It'd definitely have to be a regular "pull" query, as I don't have a way to fire off a hook in a "push" model when changes are made to LDAP.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

5 years ago
Also, the e-mail that was just sent said "Daily" in the subject. I changed it to "Weekly", so the ones from cron will say "Weekly Report of Releng Users"

Comment 4

c#0 (and my preference) talk about excluding IT and Releng from the query.

Such that we'd get a list of people who are not "known ok" (releng and IT can be assumed, "known ok")

Having full list could still be useful once in a while though, maybe once a month for full list? (non-blocking)

But as it stands, with IT and Releng grouped in, doing quick audits of the people is hard, and even harder to find useful actionables if someone is on this for too long.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 5

OOO and enh request, if possible can we coerce the "From" to be something other than "root". Makes it easier for my filterings/skimming
(Assignee)

Comment 6

5 years ago
:atoll helped me write a filter to exclude people in cn=sysadmins, cn=releng and cn=relops.

The new script has been pushed.

:hwine brought to my attention that cron fired off the script this morning. I haven't looked into how cron.weekly determines when to run. If you prefer a set time, please re-open with when you want it to run. If you are good with "jabba thinks Sunday, but maybe it'll happen on Thursdays going forward", then it's good.

(In reply to Justin Wood (:Callek) from comment #5)
> OOO and enh request, if possible can we coerce the "From" to be something
> other than "root". Makes it easier for my filterings/skimming

I'd just make a filter based on Subject for "Weekly Report of Releng VPN Users" coming from "root".
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
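
An added example, not the script from this bug or any Mozilla code: one way to do the group subtraction described in comment 6 and the pull-style change detection suggested in comment 2, run over constructed LDIF text. The `member` attribute, the full DNs of the three excluded groups, and all users are assumptions.

```python
import base64

# Group DNs: buildteam is from comment 2; the other three full DNs are assumed.
ACCESS = "cn=buildteam,ou=groups,dc=mozilla"
TRUSTED = [f"cn={g},ou=groups,dc=mozilla" for g in ("sysadmins", "releng", "relops")]

# Constructed `ldapsearch -LLL` style output (users and "member" attribute are
# assumptions), with one folded line and one base64-encoded value.
DAVE = base64.b64encode(b"mail=dave@example.com,o=com,dc=mozilla").decode()
SAMPLE_LDIF = f"""\
dn: cn=buildteam,ou=groups,dc=mozilla
member: mail=alice@example.com,o=com,dc=mozilla
member: mail=bob@example.com,o=com,dc=mozilla
member: mail=carol@example.com,o=com,
 dc=mozilla
member:: {DAVE}

dn: cn=releng,ou=groups,dc=mozilla
member: mail=alice@example.com,o=com,dc=mozilla

dn: cn=sysadmins,ou=groups,dc=mozilla
member: MAIL=Bob@example.com,o=com,dc=mozilla

dn: cn=relops,ou=groups,dc=mozilla
"""

def parse_groups(ldif, attr="member"):
    """Map each group DN to its set of member values (lowercased to compare)."""
    groups = {}
    for block in ldif.replace("\n ", "").split("\n\n"):  # unfold, split entries
        dn, members = None, set()
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and value.startswith(":"):            # "attr:: " = base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip().lower()
            elif name.lower() == attr:
                members.add(value.strip().lower())
        if dn:
            groups[dn] = members
    return groups

def unlisted(groups, access=ACCESS, trusted=TRUSTED):
    """Members of the access group who are in none of the trusted groups."""
    return groups.get(access, set()) - set().union(*(groups.get(t, set()) for t in trusted))

def diff_snapshots(previous, current):
    """Pull-model change detection: (added, removed) since the last run."""
    return sorted(current - previous), sorted(previous - current)
```

Storing each run's `unlisted()` result and passing it as `previous` on the next run gives the change report without any hook on the LDAP side.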
(Reporter)

Comment 7

5 years ago
I just got the latest report, hooray! Thanks again for this.
Status: RESOLVED → VERIFIED
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations

Updated

4 years ago
Blocks: 926937