[Elevation request] Expanded access for ssl-admins (dns)
Closed, Declined. Public


Requested access: DNS access for ssl-admins

Rationale for access: In order for the MW team to automate SSL in a similar way to ImportDump (only one command for SRE) it's necessary to also automate DNS zone generation as many users opt to point their NS to us. If we wish to keep ssl-admins, they must have DNS access in case something goes wrong or simply because MirahezeSSLBot would need access to push to DNS (and therefore they would too).
Ssl-admins is already separated from mw-admins as it requires an extra level of trust, so it would not in my view be such a huge leap to also allow DNS access and it would make sense given the close connection with SSL requests.

Event Timeline

Reception123 lowered the priority of this task from Normal to Low. Dec 15 2022, 15:47

Switching to low given that SSL automation is also low priority.

I forgot to mention that of course by extension this access is also being requested for MirahezeSSLBot.

Is this request only for access to the GitHub repo?

That was the original intention but your question just made me realise that puppet would need to be run on ns* right away and ssl-admins can't use salt to do that. (In theory they could wait for it to run of course but that defeats the purpose of one command that's easily run.)
Therefore, this would also have to include limited ns* access to run puppet there. Otherwise Universal Omega suggested the option of a new ssh user that allows only puppet access, which can be run using the ssh key from puppet.

My concern is giving out access to non-root users to critical infrastructure like DNS.

Would you then prefer we try UO's salt idea before considering the ns part?

Salt is a no-no because it has root on all the servers which would effectively mean having access to everything.

Yeah, obviously using salt as it is isn't an option. UO's idea was a modified version.

John claimed this task.

Boldly going to mark as declined due to concerns raised above.

Would this be different if access only concerned GitHub and only allowed ssl-admins to run puppet and nothing else on ns* (via salt)?