groups:
absent:
description: meta group for absented users with previous cluster shell access, it removes the account from /etc/passwd on all production hosts running puppet
members: [ananthrk, avar, bsitu, cmcmahon, csalvia, diederik, edenhill, erik, gage,
handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, mglaser,
mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, rmoen,
johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, msyed, kleduc,
manybubbles, haithams, jzerebecki, ashwinpp, robla, asherman, dbarratt,
laner, declerambaul, srijan, junikowski, krenair, jhobs, vbaranetsky,
yurik, bsimmers, bcohn, hjiang, tomasz, csteipp, zareen, jgirault, ellery,
psinger, midom, tparscal, dworley, moushira, lpintscher, gpaumier,
nschaaf, zhousquared, gwicke, dpatrick, samwalton9, samtar, akrausetud, jgonsior,
yuvipanda, shrlak, madhuvishy, groovier, khorn, ironholds, katie, chedasaurus,
cy534, pnorman, mpany, deskana, arnad, nithum, banyek, imarlier, mkroetzsch,
mtizzoni, panisson, paolotti, ciro, dartar, melodykramer, gtirloni, tbayer, pirroh,
bawolff, dkg, juliaglen, cwdent, hpham, atgomez, dfoy, alaasarhan, onimisionipe,
tieu, flemmerich, jsamra, anomie, jmorgan, thargrove, joewalsh, rodolfovalentim,
drossi, fsalutari, demon, lulu, jkumalah, nathante, shiladsen, leila, rush, niedzielski]
absent_ldap:
description: meta group for absented users which had privileged LDAP access in the past, an automatic check verifies it has been really removed from the LDAP (but removal has to be handled separatelly)
members: [adavenport, siddharth11, albe, audiohazel, tbolliger, jmatazzoni, pbj, nirzar,
marble, mmarble, raz-shuty, jeroendedauw, nharateh, pdrouin, tschumann, jaufrecht,
bitpogo, petarpetkovic, ha78na, sebastianbergmann, spriebsch, theseer, kuz, cgauthier]
wikidev:
gid: 500
description: container group for primary user groups.
members: []
all-users:
description: Global group that includes all users
gid: 600
members: [] # members get populated automagically
privileges: [] # NO privileges to this group!
# The privileges entry below is unrestricted passwordless sudo: any command,
# as any user.
# The &ops_members anchor is reused by alias in ops-adm-group, gitpuppet,
# contint-docker, builder-docker and gpu-users, so adding or removing a name
# here changes the membership of those groups as well.
ops:
gid: 700
description: include everywhere ops folks
members: &ops_members [filippo, jgreen, bblack, andrew, faidon, oblivian,
akosiaris, mark, ariel, cmjohnson, otto, robh, tstarling,
ori, jmm, jynus, ema, elukey, gehel, volans, marostegui,
ayounsi, herron, aborrero, bstorm, vgutierrez, jiji, cwhite,
crusnov, cdanis, fsero, jbond, jeh, dzahn, phamhi, sukhe, pt1979,
rzl, hnowlan, jayme, kormat, wkandek, ryankemper, lmata, klausman, lsobanski,
razzi, dcaro]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
ops-adm-group:
# No gid for this group on purpose, it's a system provided one
description: Use the standard system provided staff group to provide ops with privileges that would allow easier administrative tasks
members: *ops_members
posix_name: adm
parsoid-roots:
gid: 701
description: RT 5934
members: [catrope]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
parsoid-admin:
gid: 702
description: RT 5934
members: [ssastry, cscott, arlolra, eevans, ppchelko, mobrovac]
privileges: ['ALL = NOPASSWD: /usr/sbin/service parsoid *',
'ALL = NOPASSWD: /usr/sbin/service parsoid-rt-client restart',
'ALL = (mwdeploy) NOPASSWD: /usr/bin/scap pull']
gerrit-root:
gid: 703
description: manage gerrit server
# qchris is T252194
members: &gerrit_root_members [twentyafterfour, hashar, thcipriani, qchris]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
gerrit-admin:
gid: 704
description: assist in managing gerrit server
# qchris is RT 6720
# Rest is the Release Engineering team
members: [qchris, dduvall, zfilipin, brennen]
# Members may run any command as www-data, mwdeploy or l10nupdate without a
# password, plus the root commands listed below.
# NOTE(review): assuming these strings are rendered into sudoers as-is, the
# entries that name a command with no arguments (apache2ctl, init.d/apache2,
# renice, fix-staging-perms) accept any arguments -- confirm that is intended.
deployment:
gid: 705
description: replaces 'mortals' for software deployment
members: [bd808, brion, cscott, ebernhardson,
gilles, gjg, halfak, hashar, hoo,
kartik, krinkle, marktraceur, milimetric, mlitn,
andyrussg, nikerabbit, reedy, ssastry, phedenskog,
tgr, ejegg, twentyafterfour, legoktm, catrope,
mobrovac, nuria, thcipriani, joal, eevans,
mforns, dcausse, bsitzmann, mholloway-shell, dduvall,
ladsgroup, zfilipin, addshore, niharika29, ppchelko,
pmiazga, jdrewniak, sbisson, jforrester, mbsantos,
aaron, liw, sbassett, tarrow, lucaswerkmeister-wmde,
jhuneidi, wmde-fisch, mvolz, brennen, cparle,
urbanecm, awight, jakob, accraze, andrew-wmde,
kevinbazira, mstyles, zpapierski, clarakosi, dpifke,
phuedx, samwilson, dmaza, tchanders,
wikigit, arlolra, daniel, bpirkle, cicalese, dancy, chrisalbon,
jdl, holger, annet, jgiannelos]
privileges: ['ALL = (www-data,mwdeploy,l10nupdate) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/apache2ctl',
'ALL = NOPASSWD: /etc/init.d/apache2',
'ALL = NOPASSWD: /usr/bin/renice',
'ALL = NOPASSWD: /usr/local/sbin/fix-staging-perms',
# The restart script must run as a login shell (sudo -i) in order to be fed etcd
# tokens as environment vars. Sudo seemingly implements this by rewriting the
# command before checking sudoers -- but it disallows any arguments that don't
# exactly match what is below, so this is safe.
# NOTE(review): "safe" also assumes the script and every directory on its path
# are writable by root only, and that the script does not act on
# caller-supplied environment; neither is visible in this file -- confirm.
'ALL = NOPASSWD: /bin/bash -c /usr/local/sbin/restart-php7.2-fpm']
restricted: # Is a subset of the deployment group
gid: 706
description: access to mwmaint hosts, mwlog hosts (private data) and bastion hosts
restricted folks use sudo to access www-data resources
members: [bearloga, tjones, cparle, pearley, ktsouroupidou,
ezachte, jamesur, jdlrobson, sguebo, zxane,
santhosh, amire80, foks, chelsyx, karen,
kharlan, abi, nikkin, bmansurov, musikanimal, nahidunlimited]
privileges: ['ALL = (www-data) NOPASSWD: ALL']
cassandra-test-roots:
gid: 708
description: users with root on cassandra hosts
members: [eevans, mobrovac, ssastry]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
elasticsearch-roots:
gid: 709
description: manage elasticsearch nodes
members: [ebernhardson, dcausse, mstyles, zpapierski]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
dataset-admins:
gid: 710
description: does work on dataset hosts
members: []
releasers-mediawiki:
gid: 711
description: people who upload mediawiki releases
members: [catrope, hashar, legoktm, reedy, thcipriani, twentyafterfour, brennen,
jforrester]
privileges: ['ALL = (jenkins) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service jenkins *']
releasers-mobile:
gid: 712
description: people who upload mobile app releases
members: [brion, bsitzmann, dbrant, mholloway-shell, cooltey, sharvaniharan]
releasers-parsoid:
gid: 802
description: people who upload parsoid releases (T150672)
members: [ssastry, arlolra, cscott]
releasers-wikidiff2:
gid: 804
description: people who upload wikidiff2 releases (T202473)
members: [legoktm, wmde-fisch, thiemowmde]
releasers-blubber:
gid: 808
description: people who upload blubber releases
members: [dduvall, jhuneidi, liw, thcipriani]
cloudelastic-roots:
gid: 809
description: manage cloudelastic nodes
members: [ebernhardson, dcausse, bd808, mstyles, zpapierski, nskaggs]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
udp2log-users:
gid: 713
description: general user tasks for udp2log (RT 5391)
members: [milimetric, andyrussg]
researchers:
gid: 714
description: Access statistics hosts and also provides
access to research mysql credentials.
If a user is added to this group it should not
need to be in analytics-users or analytics-privatedata-users.
In case of doubt, please ask to the Analytics team.
More info https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups
members: [catrope, dduvall, mattflaschen, cooltey, marktraceur,
jhernandez, daisy, etonkovidova, legoktm, risler,
sbisson, matmarex, nikerabbit, dstrine, jdittrich, debt,
mlitn, sharvaniharan, kharlan]
ldap-admins:
gid: 715
description: ldap admins
members: [reedy, foks]
privileges: ['ALL = NOPASSWD: /usr/local/sbin/add-ldap-user',
'ALL = NOPASSWD: /usr/local/sbin/delete-ldap-user',
'ALL = NOPASSWD: /usr/local/sbin/modify-ldap-user',
'ALL = NOPASSWD: /usr/local/sbin/add-labs-user',
'ALL = NOPASSWD: /usr/local/sbin/modify-ldap-group',
'ALL = (www-data) NOPASSWD: ALL']
contint-users:
gid: 718
description: users with accounts on jenkins hosts
members: []
# The description says "some sudo permissions", but the first five entries give
# members every command as the jenkins, jenkins-slave, gerritslave,
# doc-uploader and zuul accounts; the remaining entries are root commands.
contint-admins:
gid: 719
description: users with some sudo permissions on the CI masters (Jenkins, Zuul).
members: [bd808, cscott, dduvall, krinkle, reedy, marktraceur,
twentyafterfour, zfilipin, thcipriani, legoktm, gjg,
hashar, addshore, liw, jhuneidi, brennen,
jforrester, dancy]
privileges: ['ALL = (jenkins) NOPASSWD: ALL',
'ALL = (jenkins-slave) NOPASSWD: ALL',
'ALL = (gerritslave) NOPASSWD: ALL',
'ALL = (doc-uploader) NOPASSWD: ALL',
'ALL = (zuul) NOPASSWD: ALL',
'ALL = NOPASSWD: /etc/init.d/jenkins',
'ALL = NOPASSWD: /usr/sbin/service jenkins start',
'ALL = NOPASSWD: /usr/sbin/service jenkins stop',
'ALL = NOPASSWD: /usr/sbin/service jenkins restart',
'ALL = NOPASSWD: /usr/sbin/service jenkins status',
'ALL = NOPASSWD: /usr/sbin/service zuul reload',
'ALL = NOPASSWD: /usr/sbin/service zuul restart',
'ALL = NOPASSWD: /usr/sbin/service zuul start',
'ALL = NOPASSWD: /usr/sbin/service zuul stop',
'ALL = NOPASSWD: /usr/sbin/service zuul status',
'ALL = NOPASSWD: /usr/sbin/service zuul-merger reload',
'ALL = NOPASSWD: /usr/sbin/service zuul-merger restart',
'ALL = NOPASSWD: /usr/sbin/service zuul-merger start',
'ALL = NOPASSWD: /usr/sbin/service zuul-merger stop',
'ALL = NOPASSWD: /usr/sbin/service zuul-merger status',
# NOTE(review): no space before the "*" here, unlike the '/bin/journalctl *'
# form used by other groups in this file. In sudoers the "*" is then part of
# the command-path pattern, so the rule also covers any other binary whose
# name begins with /bin/journalctl. Probably a typo -- confirm.
# Hardening: journalctl opens a pager on a terminal and that pager runs with
# the sudo target's privileges; consider a NOEXEC tag or forcing the pager off
# for journalctl rules.
'ALL = NOPASSWD: /bin/journalctl*',
'ALL = NOPASSWD: /usr/local/sbin/puppet-run']
contint-roots:
gid: 720
description: users who have full root on jenkins servers
members: &contint_roots_members [hashar, thcipriani, brennen, jforrester]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
logstash-roots:
gid: 722
description: users with root access on logstash nodes (rt 6366, 6896)
members: [reedy]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
statistics-web-users:
gid: 724
description: access for stats.wikimedia.org (Deprecated)
members: []
statistics-privatedata-users:
gid: 725
description: Access to stat boxes that host private data, including
sampled webrequest logs. This group should not be used just to
grant someone Hadoop access. (Deprecated)
members: []
statistics-users:
gid: 726
description: Access statistics number crunching hosts. NO PRIVS. (Deprecated)
members: []
statistics-admins:
posix_name: stats
description: access files created by stats user cron jobs (Deprecated)
members: []
privileges: []
oit:
gid: 727
description: office it folk
members: []
privileges: ['ALL = (syslog) NOPASSWD: ALL']
analytics-users:
gid: 7080
description: Gives generic client access to the Analytics cluster
via stat100x.
If a user is added to this group it should not
need to be in researchers or analytics-privatedata-users.
In case of doubt, please ask to the Analytics team.
More info https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups
members: [debt, jdittrich, kharlan, brion, mhurd, santhosh]
analytics-privatedata-users:
gid: 731
description: Gives access to the Analytics (Hadoop) cluster as well as private data within.
This will grant shell access on Hadoop client nodes and on
Hadoop NameNodes. Some files in HDFS have sensitive data in them.
Those files are group readable by the analytics-privatedata-users group.
A kerberos account is only needed if the user will access Hadoop data
via tools on stat100x hosts. The user in fact might only want/need
to access data indirectly via Superset (via Presto) or query Wiki db replicas.
In case of doubt, please ask to the Analytics team.
More info https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups
members: &analytics_privatedata_users [milimetric, aude, jforrester,
halfak, dr0ptp4kt, bearloga, elukey, ppchelko, mneisler,
nuria, otto, jgreen, sguebo, zxane,
bsitzmann, dbrant, nettrom, leizi, jmm,
ezachte, mforns, reedy, west1, phuedx, awight,
joal, akosiaris, jkatz, tonina, pearley, ktsouroupidou,
andyrussg, hoo, daniel, krinkle, tgr,
ebernhardson, addshore, jminor, neilpquinn-wmf,
dcausse, bd808, tjones, mobrovac, jdrewniak, ejegg, jdcc, ori,
bmansurov, amire80, kartik, pcoombe, foks, kemayo,
jdlrobson, chelsyx, ovasileva, filippo, pmiazga, faidon,
piccardi, fdans, eevans, ladsgroup, musikanimal,
kaldari, goransm, ema, dsaez, rho, mirrys, slaporte, jk,
ayounsi, mepps, mmiller, seddon, gilles, tstarling, karen,
cicalese, gbirke, isaacj, sbassett, jdl, gsingers,
niharika29, ryanmax, afandian2, jgleeson, toddleroux, srishakatux, dsharpe, eyener,
esanders, sukhe, jfishback, iflorez, mayakpwiki, conniecc1, abi, mgerlach, dedcode,
kevinbazira, keepit-ssh, jiji, cohi, mstyles, accraze, snowick,
aarora, zpapierski, knissen, jiawang, mholloway-shell, tarrow,
itamar, phedenskog, aaron, dpifke, aklapper, jmads, andrew-wmde, daniram,
dcipoletti, chrisalbon, wikigit, nahidunlimited, swagoel,
agaduran, edtadros, dvrandecic, razzi, cparle, klausman, lexnasser, sbisson, fab]
privileges: ['ALL = (analytics-privatedata) NOPASSWD: ALL']
system_members: [analytics-search, analytics, analytics-privatedata, analytics-product]
# The &analytics_admins_members anchor is reused by alias in
# eventlogging-admins, deploy-aqs, druid-admins, gpu-users and
# analytics-deployers, so a change to this member list changes those groups.
# NOTE(review): the description speaks of sudo to "certain Analytics Cluster
# system users", but the systemctl entries end in "*" and therefore cover
# every unit on the host, not only analytics services. druid-admins scopes the
# same verbs to named units; confirm whether the broad form is needed here.
analytics-admins:
gid: 732
description: Admin access to analytics cluster.
This will grant shell access on all Analytics Cluster nodes, as well
as the ability to sudo to certain Analytics Cluster system users.
This group should contain members of the Analytics team.
members: &analytics_admins_members [joal, nuria, mforns, milimetric, fdans]
privileges: ['ALL = (hdfs) NOPASSWD: ALL',
'ALL = (analytics) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *',
'ALL = NOPASSWD: /bin/systemctl start *',
'ALL = NOPASSWD: /bin/systemctl restart *',
'ALL = NOPASSWD: /bin/systemctl stop *',
'ALL = NOPASSWD: /bin/systemctl status *',
'ALL = NOPASSWD: /bin/systemctl reset-failed *']
eventlogging-admins:
gid: 733
description: Login access for EventLogging deployment and investigation
members: [*analytics_admins_members, legoktm]
eventlogging-roots:
gid: 739
description: Full root on EventLogging servers. (Deprecated)
members: []
privileges: []
snapshot-admins:
gid: 743
description: People who can sudo into the dumpsgen user on snapshot hosts.
members: [hoo]
privileges: ['ALL = (dumpsgen) NOPASSWD: ALL']
restbase-roots:
gid: 744
description: people who have full root on restbase nodes
members: [eevans, mobrovac, ppchelko]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
phabricator-admin:
gid: 746
description: Users who can do sane CLI admin things
* Remove repositories
* Manage repositories, phd service, and workers
* Reset authentication of users
* Delete users (e.g. unverified accounts due to wrong email address)
* Delete files (e.g. copyright violations)
* Convert projects to subprojects or milestones of another project
* Silence notifications for maniphest bulk jobs
* Disable Herald rules
members: [aklapper, gjg]
privileges: ['ALL = NOPASSWD: /srv/phab/phabricator/bin/cache purge --caches user',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/herald',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/move_project',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/remove',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/repository',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/phd',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/policy',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/worker',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *',
'ALL = NOPASSWD: /srv/phab/phabricator/bin/auth strip --all-types --user *']
phabricator-bulk-manager:
gid: 819
description: Users who can manage bulk jobs on phabricator
* Move tasks in batches (T251349)
* Configure a bulk job to execute silently.
members: [mbinder]
privileges: ['ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *']
phabricator-roots:
gid: 748
description: people who have full root on phabricator
members: [twentyafterfour, thcipriani]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
htmldumps-admin:
gid: 749
description: users who maintain HTML/ZIM dumps
members: [mobrovac, eevans]
graphoid-admin:
gid: 750
description: group of graphoid admins
members: [mobrovac]
privileges: ['ALL = NOPASSWD: /usr/sbin/service graphoid *',
'ALL = (graphoid) NOPASSWD: ALL']
traceback-roots:
gid: 751
description: people who have full root on traceback hosts
members: []
privileges: ['ALL = (ALL) NOPASSWD: ALL']
maps-admins:
gid: 753
description: admin for maps clusters
members: [eevans, sbisson, catrope, mholloway-shell, mbsantos, jgiannelos]
# TODO: Revisit this when moving into production
privileges: ['ALL = NOPASSWD: /usr/sbin/service cassandra *',
'ALL = NOPASSWD: /bin/systemctl mask cassandra.service',
'ALL = NOPASSWD: /bin/systemctl unmask cassandra.service',
'ALL = NOPASSWD: /bin/systemctl mask postgresql.service',
'ALL = NOPASSWD: /bin/systemctl unmask postgresql.service',
'ALL = NOPASSWD: /bin/systemctl mask redis-server.service',
'ALL = NOPASSWD: /bin/systemctl unmask redis-server.service',
'ALL = NOPASSWD: /usr/sbin/service redis-server *',
'ALL = NOPASSWD: /usr/sbin/service postgresql *',
'ALL = (postgres) NOPASSWD: ALL',
'ALL = (osmupdater) NOPASSWD: ALL',
'ALL = (cassandra) NOPASSWD: ALL',]
maps-roots:
gid: 752
description: Root level access for Maps/OSM servers
members: []
privileges: ['ALL = (ALL) NOPASSWD: ALL']
kartotherian-admin:
description: Group of kartotherian admins
gid: 754
members: [sbisson, catrope, mholloway-shell, mbsantos, jgiannelos]
privileges: ['ALL = NOPASSWD: /usr/sbin/service kartotherian *',
'ALL = NOPASSWD: /bin/systemctl mask kartotherian.service',
'ALL = NOPASSWD: /bin/systemctl unmask kartotherian.service',
'ALL = (kartotherian) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *']
# Itemised root commands for the query-service hosts, plus every command as
# the blazegraph account.
# NOTE(review): wdqs-roots lists the same seven members with unrestricted
# root. Where both groups apply to a host, the itemisation here adds no
# restriction; host scoping is not visible in this section -- confirm.
wdqs-admins:
gid: 755
description: Admins for the WikiData Query Service project
members: [smalyshev, hoo, ebernhardson, dcausse, mstyles, zpapierski, addshore]
privileges: ['ALL = NOPASSWD: /usr/sbin/service wdqs-blazegraph *',
'ALL = NOPASSWD: /usr/sbin/service wdqs-categories *',
'ALL = NOPASSWD: /usr/sbin/service wdqs-updater *',
'ALL = NOPASSWD: /usr/sbin/service nginx *',
'ALL = NOPASSWD: /bin/systemctl reload nginx',
'ALL = NOPASSWD: /bin/systemctl restart nginx',
'ALL = NOPASSWD: /bin/systemctl start nginx',
'ALL = NOPASSWD: /bin/systemctl stop nginx',
'ALL = NOPASSWD: /bin/systemctl enable wdqs-updater',
'ALL = NOPASSWD: /bin/systemctl disable wdqs-updater',
'ALL = NOPASSWD: /bin/systemctl mask wdqs-updater',
'ALL = NOPASSWD: /bin/systemctl unmask wdqs-updater',
'ALL = (blazegraph) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *',
'ALL = NOPASSWD: /usr/local/bin/depool',
'ALL = NOPASSWD: /usr/local/bin/pool',
# NOTE(review): sudoers matches command arguments as one concatenated string,
# and "*" there also matches "/" and spaces, so this pattern is wider than
# "files under /var/log/nginx". Prefer a fixed file list, or grant read access
# through group ownership of the log directory instead of root cat.
'ALL = NOPASSWD: /bin/cat /var/log/nginx*',
'ALL = NOPASSWD: /usr/bin/jstack *']
wdqs-roots:
gid: 806
description: Root level access for WikiData Query Service project
members: [smalyshev, hoo, ebernhardson, dcausse, mstyles, zpapierski, addshore]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
mailman-admins:
gid: 757
description: Admins for mailman
members: []
privileges: ['ALL = (list) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service mailman *',
'ALL = NOPASSWD: /bin/journalctl *']
tilerator-admin:
description: Group of tilerator admins
gid: 758
members: [sbisson, catrope, mholloway-shell, mbsantos, jgiannelos]
privileges: ['ALL = NOPASSWD: /usr/sbin/service tilerator *',
'ALL = NOPASSWD: /bin/systemctl mask tilerator.service',
'ALL = NOPASSWD: /bin/systemctl unmask tilerator.service',
'ALL = (tilerator) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service tileratorui *',
'ALL = NOPASSWD: /bin/systemctl mask tileratorui.service',
'ALL = NOPASSWD: /bin/systemctl unmask tileratorui.service',
'ALL = (tileratorui) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *']
mw-log-readers:
gid: 760
description: users who can login on mwlog hosts and read mediawiki logs
members: [tjones, matanya, holger]
apertium-admins:
description: Group of apertium admins
gid: 761
members: [kartik]
privileges: ['ALL = NOPASSWD: /usr/sbin/service apertium-apy *',
'ALL = (apertium) NOPASSWD: ALL']
deploy-service:
gid: 763
description: Service deploy users
members: [bd808, eevans, mobrovac, ppchelko, twentyafterfour, thcipriani, dduvall,
bsitzmann, mholloway-shell, kartik, halfak, ladsgroup, smalyshev, hoo, tgr,
ssastry, cscott, arlolra, jdlrobson, jforrester, bmansurov,
pmiazga, phuedx, mbsantos, mvolz, santhosh, nikerabbit, accraze,
kevinbazira, clarakosi, chrisalbon, jgiannelos]
privileges: []
deploy-aqs:
gid: 786
description: Deployers for the Analytics Query Service
members: [*analytics_admins_members]
privileges: [
'ALL = NOPASSWD: /usr/sbin/service restbase *',
'ALL = (restbase) NOPASSWD: ALL']
deploy-design:
gid: 815
description: Deployers for content on design.wikimedia.org
members: [volker-e, ladsgroup, jdrewniak, twentyafterfour]
privileges: []
aqs-admins:
description: Group of admins for the Analytics Query Service
gid: 764
members: [joal, milimetric, eevans, mobrovac]
privileges: ['ALL = NOPASSWD: /usr/sbin/service cassandra *',
'ALL = NOPASSWD: /usr/sbin/service cassandra-[a-z] *',
'ALL = (cassandra) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service restbase *',
'ALL = (restbase) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *']
# Hardware and provisioning commands as root, plus every command as syslog.
# 'puppet agent -t -v' is pinned to exact arguments, so other agent options
# are rejected by sudo.
# NOTE(review): 'puppet cert *' is not pinned: the wildcard admits every cert
# subcommand and option as root. If only a few subcommands are needed for
# (re)imaging hosts, list them individually -- confirm against actual usage.
datacenter-ops:
gid: 765
description: Group of datacenter ops engineers, managed by Willy Pao T229124#5393773
members: [wpao, jclark]
privileges: ['ALL = NOPASSWD: /usr/local/bin/install_console *',
'ALL = NOPASSWD: /usr/sbin/megacli *',
'ALL = NOPASSWD: /usr/sbin/hpssacli *',
'ALL = NOPASSWD: /usr/bin/puppet cert *',
'ALL = NOPASSWD: /usr/bin/puppet agent -t -v',
'ALL = NOPASSWD: /bin/journalctl *',
'ALL = (syslog) NOPASSWD: ALL']
# NOTE(review): the description reads as plain access to the 'webperf' and
# 'xhgui' servers, but the privileges entry is unrestricted passwordless root,
# the same grant as perf-roots. State the root grant in the description, or
# narrow the rule, so that access reviews see what membership really confers.
perf-team:
gid: 796
description: performance team members with access to 'webperf' and 'xhgui' servers
members: [krinkle, gilles, phedenskog, aaron, dpifke]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
perf-roots:
gid: 766
description: users who have root on memcached, varnish, application servers, thumbor and xhgui servers
members: [krinkle, gilles, phedenskog, aaron]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
aqs-users:
description: Group of users for the Analytics Query Service (Deprecated)
gid: 767
members: []
pentesters:
description: Group of users running penetration tests
gid: 768
members: []
privileges: []
restbase-admins:
gid: 769
description: group of restbase admins
members: []
privileges: ['ALL = NOPASSWD: /usr/sbin/service cassandra *',
'ALL = (cassandra) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service restbase *',
'ALL = (restbase) NOPASSWD: ALL',
'ALL = NOPASSWD: /bin/journalctl *']
piwik-roots:
gid: 770
description: users who have root on analytics piwik servers (Deprecated)
members: []
privileges: []
analytics-search-users:
gid: 771
description: Group of users for managing search related analytics jobs
members: [ebernhardson, dcausse, gehel, bearloga, chelsyx, mstyles, zpapierski, tjones]
privileges: ['ALL = (analytics-search) NOPASSWD: ALL']
system_members: [analytics-search]
parsoid-test-roots:
gid: 772
description: T125166 T125435
members: [ssastry, sbailey, arlolra, cscott]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
parsoid-test-admins:
gid: 773
description: parsing team members for parsoid regression testing adminstration
members: []
privileges: ['ALL = NOPASSWD: /usr/sbin/service parsoid *',
'ALL = NOPASSWD: /usr/sbin/service parsoid-rt *',
'ALL = NOPASSWD: /usr/sbin/service parsoid-rt-client *',
'ALL = NOPASSWD: /usr/sbin/service parsoid-vd *',
'ALL = NOPASSWD: /usr/sbin/service parsoid-vd-client *',
'ALL = NOPASSWD: /usr/sbin/service diffservice *',
'ALL = NOPASSWD: /bin/journalctl *']
labtest-roots:
gid: 776
description: allows full sudo on labtest cluster, T131166
members: [bd808, nskaggs]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
swift-roots:
gid: 777
description: users who have root on swift servers
members: [gilles]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
deploy-phabricator:
gid: 778
description: Group of phabricator deployers
members: [twentyafterfour, thcipriani]
# Service-cluster admins: root puppet runs and firejail joins, service control
# for recommendation_api, and every command as the proton and
# recommendation_api accounts.
# NOTE(review): 'puppet agent *' and 'firejail --join=*' both end in a
# wildcard, which in sudoers also matches spaces, so any further options may
# follow. datacenter-ops pins 'puppet agent -t -v' exactly; confirm whether
# the open form is required here.
sc-admins:
description: General service cluster admins - sc(a|b)
gid: 779
members: [eevans, mobrovac, ppchelko]
privileges: ['ALL = NOPASSWD: /usr/bin/puppet agent *',
'ALL = (proton) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
'ALL = (recommendation_api) NOPASSWD: ALL',
'ALL = NOPASSWD: /usr/bin/firejail --join=*']
notebook-roots:
description: root access on experimental notebook servers (Deprecated)
gid: 780
members: []
privileges: []
labnet-users:
description: unprivileged access on labnet servers
gid: 781
members: [thcipriani, hashar, dduvall, twentyafterfour, zfilipin, legoktm, liw]
ores-admin:
description: ORES admins
gid: 782
members: [halfak, accraze, kevinbazira, chrisalbon, ladsgroup]
privileges: ['ALL = NOPASSWD: /usr/sbin/service uwsgi-ores *',
'ALL = NOPASSWD: /usr/sbin/service celery-ores-worker *',
'ALL = NOPASSWD: /usr/bin/lsof *']
analytics-wmde-users:
description: Group of WMDE analytics users
gid: 784
members: [addshore, goransm, ladsgroup, lucaswerkmeister-wmde, conniecc1, tarrow, itamar,
awight, wmde-fisch]
privileges: ['ALL = (analytics-wmde) NOPASSWD: ALL']
eventbus-admins:
gid: 785
description: admins for the eventbus clusters - unsed after T232122
members: []
fr-tech-admins:
gid: 787
description: fundraising tech admins
members: &fr_tech_admins [dwisehaupt]
privileges: ['ALL = NOPASSWD: /usr/bin/cat /srv/private/modules/secret/secrets/nagios/contacts.cfg']
gitpuppet:
gid: 998
description: Private repo users
members: *ops_members
druid-admins:
gid: 788
description: admins for the Analytics Druid cluster
members: [*analytics_admins_members]
privileges: ['ALL = NOPASSWD: /bin/systemctl start druid-*.service',
'ALL = NOPASSWD: /bin/systemctl stop druid-*.service',
'ALL = NOPASSWD: /bin/systemctl restart druid-*.service',
'ALL = NOPASSWD: /bin/systemctl mask druid-*.service',
'ALL = NOPASSWD: /bin/systemctl unmask druid-*.service',
'ALL = NOPASSWD: /bin/systemctl start zookeeper.service',
'ALL = NOPASSWD: /bin/systemctl stop zookeeper.service',
'ALL = NOPASSWD: /bin/systemctl restart zookeeper.service',
'ALL = NOPASSWD: /bin/systemctl mask zookeeper.service',
'ALL = NOPASSWD: /bin/systemctl unmask zookeeper.service']
wmcs-roots:
description: root for cloud services infrastructure
gid: 792
members: [bd808, nskaggs]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
# Four commands, each runnable as any user via the (ALL) run-as list.
# NOTE(review): sudoers patterns are shell-style globs, not regular
# expressions: in 'wmcs.*' the "." is literal and the "*" matches anything
# after it, including spaces and further arguments. Confirm that
# secure-cookbook validates its own arguments.
# The description limits this to labsdb hosts; host scoping is not visible in
# this section.
wmcs-admin:
description: admin for cloud services infrastructure (labsdb only atm)
gid: 793
members: [bd808, nskaggs]
privileges: ['ALL = (ALL) NOPASSWD: /usr/local/bin/secure-cookbook wmcs.*',
'ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-views',
'ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-meta_p',
'ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-replica-indexes']
recommendation-admin:
description: Group of recommendation-api admins
gid: 794
members: [ppchelko, eevans, mobrovac, bmansurov]
privileges: ['ALL = NOPASSWD: /usr/sbin/service recommendation_api *',
'ALL = (recommendation_api) NOPASSWD: ALL']
mediawiki-testers:
description: People who can strace and tcpdump on canary appservers for testing mediawiki
gid: 797
members: []
privileges: []
varnish-log-readers:
description: People who can read Varnish logs for debugging
gid: 798
members: [hoo]
privileges: ['ALL = (varnish) NOPASSWD: /usr/bin/varnishncsa *',
'ALL = (varnish) NOPASSWD: /usr/bin/varnishlog *']
maintenance-log-readers:
description: People who can read syslog and dmesg on mediawiki maintenance servers
gid: 799
members: [hoo]
privileges: ['ALL = NOPASSWD: /bin/journalctl *',
'ALL = NOPASSWD: /bin/dmesg *',
'ALL = (syslog) NOPASSWD: ALL']
graphite-admins:
description: Group to enable access to Graphite servers, restart services, and run all commands as the _graphite user
gid: 800
members: [addshore]
privileges: ['ALL = NOPASSWD: /usr/sbin/service coal *',
'ALL = NOPASSWD: /bin/journalctl *',
'ALL = (_graphite) NOPASSWD: ALL']
snapshot-users:
gid: 801
description: People who have shell access to snapshot hosts and bastions only.
members: [springle]
wdqs-test-roots:
gid: 803
description: users with root on WDQS test cluster
members: [smalyshev]
privileges: ['ALL = (ALL) NOPASSWD: ALL']
sitemaps-admins:
gid: 805
description: People who upload files to sitemaps.wikimedia.org
members: [krinkle, gilles, phedenskog, aaron]
contint-docker:
# Generally speaking, avoiding direct docker access is the most prudent course of action, but if
# needed the docker group does have elevated privileges allowing users to interact with docker
# Allow this for CI users. There is no gid on purpose, to allow reusing the package provided one
# NOTE(review): this group has no privileges entry, so its elevated access does
# not appear in a review of sudo rules. Membership of the docker group is
# commonly treated as root-equivalent on the host; audit it alongside the
# *-roots groups.
# NOTE(review): *ops_members is aliased inside a flow sequence below, which
# yields a nested list; presumably the consumer flattens it -- confirm.
posix_name: docker # Use posix_name to avoid potential conflicts with other uses of the docker group
description: Allow releng team to be in the docker group for contint. No gid on purpose
members: [*ops_members, dduvall, gjg, hashar, thcipriani, twentyafterfour, zfilipin, legoktm, addshore, reedy, liw, jhuneidi, krinkle, brennen, jforrester, dancy]
system_members: [jenkins-slave]
builder-docker:
# No gid on purpose, for the same reason as contint-docker: the group shipped
# with the docker package is reused. Both entries use posix_name 'docker', so
# they resolve to the same POSIX group wherever both apply.
posix_name: docker # Use posix_name to avoid potential conflicts with other uses of the docker group
description: Allow ops team to be in the docker group for builder. No gid on purpose
# Direct alias: the member list is whatever &ops_members holds. That anchor is
# defined outside this part of the file.
members: *ops_members
# Access to Analytics hosts that have GPUs. No sudo rules are attached.
gpu-testers:
description: People with access to Analytics hosts with GPUs.
gid: 810
# &gpu_testers_members anchors this list so that other entries can alias it;
# gpu-users does so.
members: &gpu_testers_members [santhosh]
# Maps several existing member lists onto the system 'render' group. There is
# no gid; posix_name selects the group provided by the system.
gpu-users:
description: Use the standard system provided render group to allow Analytics users to access the GPU on the host.
# Each alias resolves to a list (gpu_testers_members is one), so this value is
# a list of lists. Presumably the consumer flattens it; confirm. Three of the
# four anchors are defined outside this part of the file.
members: [*gpu_testers_members, *analytics_admins_members, *ops_members, *analytics_privatedata_users]
posix_name: render
# No Runas spec, so this runs as root. A sudoers command given without
# arguments may be invoked with any arguments.
privileges: ['ALL = NOPASSWD: /usr/sbin/radeontop']
# Full root on the session storage cluster nodes.
sessionstore-roots:
gid: 811
description: people who have full root on session storage cluster nodes
members: [eevans, mobrovac, ppchelko]
# Unrestricted, passwordless sudo as any user: equivalent to root on every host
# where this group is applied.
privileges: ['ALL = (ALL) NOPASSWD: ALL']
# Deployment access to the analytics misc nodes. No sudo rules are attached
# here.
analytics-deployers:
gid: 812
description: People able to deploy to analytics misc nodes.
# The alias is nested inside a list, and its anchor is defined outside this
# part of the file. Presumably the consumer flattens the result; confirm.
members: [*analytics_admins_members, gilles]
# Security team membership. There is no 'privileges' key, so this entry grants
# no sudo rules.
secteam-users:
gid: 813
description: members of wikimedia security
members: [reedy, dsharpe, sbassett]
# Gerrit deployment group. Membership is tied to the Gerrit root list through
# an alias, so the two lists cannot drift apart.
gerrit-deployers:
gid: 814
description: deploy gerrit
# The anchor &gerrit_root_members is defined outside this part of the file.
members: *gerrit_root_members
# Service control and log access for the Airflow webserver, scheduler and
# kerberos units. No rule has a Runas spec, so all of them run as root.
airflow-search-admins:
gid: 816
description: administrators of the Apache Airflow service
members: [ebernhardson, dcausse, bearloga, chelsyx, mstyles, zpapierski, tjones]
# The three 'service ... *' rules accept any arguments after the unit name.
# The systemctl rules list their arguments, so sudo matches those exact
# invocations only.
# NOTE(review): there is no 'systemctl start airflow-kerberos' rule, only stop
# and restart; confirm this is intended.
# The journalctl rule also covers the pager that journalctl starts by default,
# so it is wider than log reading. Consider NOEXEC: or a --no-pager wrapper.
privileges: ['ALL = NOPASSWD: /usr/sbin/service airflow-webserver *',
'ALL = NOPASSWD: /usr/sbin/service airflow-scheduler *',
'ALL = NOPASSWD: /usr/sbin/service airflow-kerberos *',
'ALL = NOPASSWD: /bin/systemctl start airflow-scheduler',
'ALL = NOPASSWD: /bin/systemctl restart airflow-scheduler',
'ALL = NOPASSWD: /bin/systemctl stop airflow-scheduler',
'ALL = NOPASSWD: /bin/systemctl start airflow-webserver',
'ALL = NOPASSWD: /bin/systemctl stop airflow-webserver',
'ALL = NOPASSWD: /bin/systemctl restart airflow-webserver',
'ALL = NOPASSWD: /bin/systemctl stop airflow-kerberos',
'ALL = NOPASSWD: /bin/systemctl restart airflow-kerberos',
'ALL = NOPASSWD: /bin/journalctl *']
# Allows members to run the authoritative-DNS update script through sudo.
dns-admins:
gid: 817
description: People allowed to merge DNS changes
# Membership comes entirely from the fr_tech_admins alias, whose anchor is
# defined outside this part of the file.
# NOTE(review): confirm that list is the intended set of DNS mergers.
members: [*fr_tech_admins]
# Runs as root (no Runas spec). The command is listed without arguments, which
# in sudoers permits any arguments.
privileges:
- 'ALL = NOPASSWD: /usr/local/sbin/authdns-update'
# Zuul deployment group. Membership mirrors the contint roots list through an
# alias.
zuul-deployers:
gid: 818
description: 'deploy Zuul'
# The anchor &contint_roots_members is defined outside this part of the file.
members: *contint_roots_members
# Product Analytics job management, done through a shared service account.
analytics-product-users:
gid: 820
description: Group of users for managing WMF Product Analytics-related jobs
members: [bearloga, neilpquinn-wmf, nettrom, mneisler, conniecc1, mayakpwiki, snowick, jiawang, jdl]
# Any command as the analytics-product account, without a password: every
# member can act as that account. Actions taken this way are attributable to
# an individual only through sudo's own logging.
privileges: ['ALL = (analytics-product) NOPASSWD: ALL']
# The service account itself is listed as a system member of the group.
system_members: [analytics-product]
# System group with a fixed gid and no human members. The gid matches the
# 'reprepro' entry under 'users'.
reprepro:
gid: 901
system: true
members: []
# Placeholder to reserve the uid/gid, to be uncommented
# once T123918 is complete
# swift:
# gid: 902
# system: true
# members: []
users:
# System account for reprepro, with uid and gid pinned to 901 (the same gid as
# the 'reprepro' group declared under 'groups').
reprepro:
ensure: present
system: true
uid: 901
gid: 901
home_dir: '/var/lib/reprepro'
# A real shell is configured, and no ssh_keys are listed for this account.
# NOTE(review): if nothing needs an interactive shell here, a non-login shell
# would narrow the account.
shell: '/bin/sh'
# Placeholder to reserve the uid/gid, to be uncommented
# once T123918 is complete
# swift:
# ensure: present
# system: true
# uid: 902
# gid: 902
# home_dir: '/var/lib/swift'
# shell: '/bin/false'
# Deprovisioned account: 'ensure: absent' with an empty key list. The uid
# remains recorded in this entry, presumably so that it is not reassigned;
# confirm against the consumer.
rush:
ensure: absent
gid: 500
name: rush
realname: Chase Pettet
ssh_keys: []
uid: 4610
# 'krb' looks like the state of a Kerberos principal for this user; verify.
krb: absent
dzahn:
ensure: present
gid: 500
name: dzahn
realname: Daniel Zahn
ssh_keys: [ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKBourcpbDepSoYOiGL3KmyiL2NDWWL9c3ro/91Jt2q mutante@seaotter]
uid: 2075
email: dzahn@wikimedia.org
jzerebecki:
ensure: absent
gid: 500
name: jzerebecki
realname: Jan Zerebecki
ssh_keys: []
uid: 2844
faidon:
ensure: present
gid: 500
name: faidon
realname: Faidon Liambotis
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/m5mZhy2bpvmBNzaLLhlqhjLuuGd5vNGgAtRKmvfa+nbHi7upm8d/e1RoSGVueXSVdjcVYfqqfNnJQ9GIC9flhgVhTwz1zezCEWREqMQ3XuauqAr+Tb/031BtgLCHfTmUjdsDKTigwTMPOnRG+DNo+ZHyxfpTCP5Oy6TChcK6+Om247eiXEhHZNL8Sk0idSy2mSJxavzs25F/lsGjsl4YyVV3jNqgVqoz3Evl1VO0E3xlbOOeWeJnROq+g2JJqZfoCtdAYidtg8oJ6yBKJHoxynqI6EhBJtnwulIXGTZmdY2cMJwT2YpkqljQFBwtWIy/T+WNkZnLuJXT4DRlBb1F faidon@wmf
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQTaNd90xP89/vr7K+Jn5PwRI8WDaXny5QF1RzWZNGm faidon@wmf
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCez+fPcVq6AWpfJpUjmb1mElkALHk8HsxpPIfGK4+fGdgjd21YUqXYQlgF3ulNqUSilRxEPsI59I/XVRbS1Tcg3r9zQ7EWw+DY5/l7vZ68O/W4VsTQ08dnpbVGiG0RG6PN2zi9Mxysi6/VLoHoddS0/VMl1B1iQVuTBQcc/27pmPvriJ/YeYRr5hrJFNC6Y0XVjIivuQ+uz0AFhN2a6ecm8ftbnh6BvTvA6PofiNr2AbByKHfzHiH52Byc5GEJEzppddnpLxhWSpdTd0VyiytdO1dEK6qqVSKOs7pZoL+TdqfT/PJfj+iesn3dKIrHDO0Ql7xshoI1v/7KJW9jGE21 faidon-yubi@wmf
uid: 2186
email: fliambotis@wikimedia.org
springle:
ensure: present
gid: 500
name: springle
realname: Sean Pringle
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCZwhGWhhv+9QdjhhShbLdSZSV349oFxPH73CfvI0jRsQFXsQIlPQaSeKcFqw+kjhUoxvfgCw3YWoExHTT6jxHUxrOswI6ZVPeicHNBQ4kiRRY4uKE0xpqbdnkbLRSNWyru8zG1aB/uxpkhsQhwnUZ9fpGtDkXzX1In8NZ7X9jMQB6yrHFxqK/549WELGnpscL79lX7uKM2Ri/+v61th7kuDyn6VjsIMSLdt46dKoW9WgQ2UgkjEh67HOZd1FYt4V+OaQcNr2JtHj7nSI6YsXx9TQnBrQVqWQXk63AFNxw4uD7xFVByc4FIqefIYjHqHANRWpRmaNOcj6LaBTqXZUBSmtYRiLkXUhqhr1Tf1NiE75UjGKhknucpywXTYI02HaTdEcdxfN4C9guI+ojxwUKrIMEk9Wz3qcYzyN0QZmCL/6EcRxjEUzYDpEt0tMBRsRqE5Qp0TLPuDsK5trY1rtdzy/HckqmSik9N1p2WQ941SWs2EEiFji1jiCM4N8gwy1r6mf9xo5LWRVY/LtNYbCf/2EfW3mjreP9MaOGI+vedcS8I4sd6O3VP8WPpXZtoBU1+EKLhEHvfp/E9qYYr6iWIltCFySi67fWlv83cUNezJ6uMrDR++g8ANkFJKEWSHJzdVyrtf2fiwNNyIPrkEawHAcKHsZsVGdzkP9Xr8eBb7Q== sean@laptop
uid: 3391
email: sean.pringle@gmail.com
robh:
ensure: present
gid: 500
name: robh
realname: Rob Halsell
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoDAuzkYEIeGVC10zh3i6WnyJjhWK/JpQbSFlWfb5t02kGPvmi8m+fdCPhvqiOpOCcQqTL1Knia6AeRNMx+dj3qxctsas/RnJtIUbACK5gH6aKg0OMmcG9LNiVLN5knx1UMHhQ7Ma6KSiDLeqsID009j7+Fj8qgGup7lKOQs7WYRpaXlAyR0hdKeyxcXWh+GPQEZAhl0DHrjFgdDcc5n2K8GBRESfdfCKm0SomHYGWPsTIpWrY13se0kUJzWXIafzr0U/czEdVDuSuil6P65d9cU7vypcUC3i5d2L4QiO4MBVNcXluFuFNZ8UY/QAlixz/5x/ARbgjcMvXwJQWjhh+w== rob@laptop
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCToz4UdLA8A2/faeEyeeiW3rU1VT54aj3r856dfI+Rd0u8DsaZ6B8cVBQwNo36mbdMsc+c+uql68wjRxl7lnpmvbS3bL1fCrBRBvK7mYC4dzso3y4UjaS+irz9NIwB9Byk23eVhVQ7wll/zuBHQHnWITWjZSLFbrV4JKLBekxR1i7s9EJFZj0V2oP17E91JUVUFu4FcFbMH1KCV9xhSGXbOp9y3H4zaH/DL42dboDtQ2wA3zsf1KG2TTXlSN34Cz9OMDsP4NB4Wd6C3LlYpwShI24wfZnsojZP+a845ZRD5DHbOtp/owtUn6urw1iOJn1fxdwTB6Uk21TUymGDH2W5 rob@yubikey
uid: 2007
email: rhalsell@wikimedia.org
marc:
ensure: absent
gid: 500
name: marc
realname: Marc-Andre Pelletier
ssh_keys: []
uid: 2138
# Active account with two RSA public keys.
mark:
ensure: present
gid: 500
name: mark
realname: Mark Bergsma
# NOTE(review): the first key's encoded header (...AAAAB IwAAAIEA..., written
# here with a space for readability) corresponds to a 1024-bit RSA modulus,
# which is below the 2048-bit minimum commonly required today. Confirm the
# size and retire the key in favour of the second key or an ed25519 key.
# The key comment on that line contains a space and a backslash. It is
# accepted as a plain scalar, but quoting each key would be more robust.
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAorTmQ0qlrxB3RL+GULLzex3k1Pg/c6tgLbKsl1A7Qo0B5XI4eNgfWwaAXUrKyQW3/9gwDH3YJ2eoOue0/BGhKX6voOTnNPeGE9ZbrufpPLT6DXDEbvpmXQd/qw8s0GxdftleHYl28av0nTZgKY+1/Oc+ZHNUN5YxmdGehWBvTXs= Mark\s main public key
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCGYwDexjSlyf1dMsVMr9VrEwnsEW90p3Ywgz/1Zl1EmYIrwLztKZ6V2bR6FbMx072YT6eEkg3m6dHxck5Q2Tx8QvUuUMoHzg18e/ZzsVZkG/cqtwrEXTRpg7O35xcdg0rYAbyyB0qo2z5gZWakZPd+h9hwfj2CUQ29aGRv83fsu2Ua5rbavU8OwAfndxJaBHDUqHsS/Mc+M3h6LF6XjhT9ELh0k7ZyPNhYTJ0N1VI4ROoxWI4/WRsclsSZtnWi7tYWP6WjhptezRGdbo2H/EMNffmISq5/n/1lkcAWGTIY3bppmBGe+f7CDcg8VN0i56Xe9+U7smlnqBSc17HZ8035 mark@neo
uid: 531
email: mbergsma@wikimedia.org
jgreen:
ensure: present
gid: 500
name: jgreen
realname: Jeff Green
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtlXCYUGn23LVRlgDM9T1onBsTuD20QEbVAplIakTAE55hN1ko1kY09Qb01l4VoAqDPapx0ROYd1on9oYYwSOGgSHKIOrB0OGg+3KX66Pjlr5ohpii20WSHS/NEI1gT76nQX7RN7tHq5/3ciNmCeQZ81YsDwCbmr7DRB5XiHUCaaCp/GIb6GXTliqtSL5oC+Rrzw4cqMeG/M7yExohVetjEK/AMOjgzMZEBHjZczvZiNpijHQ4WAIzl2KzuRDcqLKnOi48Wp+ANaKZmQngJdu8pAI51vqFIEhEwNpQrrUi1JXY2gXmYudRrvg/BvXgPJUDMmm9TOHNnBwwX8xafUgD jgreen@wertyukio.trouser.org
uid: 2074
email: jgreen@wikimedia.org
gage:
ensure: absent
gid: 500
name: gage
realname: Jeff Gage
ssh_keys: []
uid: 4177
filippo:
ensure: present
gid: 500
name: filippo
realname: Filippo Giunchedi
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDt7HkyaZeIe7L8CuWE1+N47+wDT/4cUmEcrPA1xgdA4By/jesf+1oOTvusbIyXFuCssvspgGmwwNMD+PzNF3xAEo+Yn2aqH4OBhRiF0U8jeaJL1EhzKnT8KKG4fOzzerbKFlE5K9LnYhMXp2i6MoAN9xB3Z350dBwqhspf0OKqZ8AGbsc9RdcEr2pBT7RPRlcKXRTrd47keV+PUazpDVSr2MCdmErknROpcBh5IS27DrKHpma3UcNUGIeMsvsV6nyt8Tz2+EMGkd+P+whij0YzlKDkqB2ppoD+gCPAki277wobiocea79fvPm1/Na+tpXJT7gU+YErld4VRvUclyR/ fgiunchedi@wikimedia.org
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCVav0QFad9LUk3phhorWVaEhcqmdz2ZD4UkqaVoXC69JXZALTkfWtevfIUH6zJ5T4kth4fVEDQnOkE0bvZrNOAXH4NgD9R/cB038tuOlPz/3qAmuvLu6ffNnZFU3RlCCxyyHg3L9TcqLbbm87D6YT36159nUkszjP9c4D9IamdKWSCpYpy3B7gczhH2JSR5DN36cWE1ljjUO8sgrakHVLIU4zaElZhpUWy0j/oecUUKvCblWWtmzehsOfpO4Gm1ht/2R71lCB4rwscgWSiFvxy1DGAkjjc+faa+89Vm1mQBkKicKt+7eHrRsbnJZir8Z51n1q2a06hFYSwsPHpuTSB fgiunchedi-neo1
uid: 4849
email: fgiunchedi@wikimedia.org
bblack:
ensure: present
gid: 500
name: bblack
realname: Brandon Black
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKODQ/AENdGWaAzpp8S7bLVRf0w3mtPSb7X+Y9e7YUoM1KVsRTzAcnJ7PTPtKyo3dF2LoXdT4tWGSbx6NDb3K8Omv1eaohGeLw01UyrUdGP4Vqm8F1IDARWL7bd0AWcy3+VY3fwv2Z1LzRCn9tHGOe+EFEpRj+ZxvpQqaN3aS8I2wrHGdDavCv33hF2/evRl95rpIzDiy7ArPUoPOlO85b9hJ8XObROb+C5W/3dtduuiBHLv8TBgVHMZhJTRhnyc8JyqLf3GfH9SM1LLletnkf2jDa3pplGQam1yRSZXhb9XwQOyZlWP7WqNkC+o6pslcfNV9/XlgFVGQe+O4j48Ij bb@y51
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyDp6u2QtsxQTTrIaaeSdE2Svz8gRIdBWTfDTAI9kb2Q8VXkJnHPh5fpfYk4S9jp1lBmKD10ndL4ztfQnZa64jsLaOOEzB+DaXXXmDXQ5KjhHHb8dY/4azBnTBjs+J/KWzj3f11jzyRorTCDOUkL7T2Ww5iny3Wtxwec8HJrlGTjsap7yQa0KQHmukE+QjZw7FAB0DIAB7xKM97biD3DkMAwEFL/EiryitiuDIkv3qmq7fduMTUo5Rc1dpFHO8+l21rxuItJK1f2Vs4ciYLB3Jf8WO+dUWlcRYj8NiOOFsaUV/l9LnZ8Y3WlTOp4zGF6wBjPeNVSrx4xP8XHe8M8DV bb@y52
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpQie9jaL1ErQG+3dOjWbCtY+SzzCbg4vMhYYBNAYEUzZxYypjEOP71ml0eyuR/Y7u7BP5XyX7NusmsPbHiNEcssN0UMBIuTftQWhiUB5I9KfiEI6pA1ImsfRzGNwaC+2XXqJwfwmb2h6+Uwzl79MyDsnjihdVUQ0780ZY5Ln8810oDBytuEScWUVgLz9ehhaFIqZ32/61AqXIJAU6J+mz+KJ+RmHOnj3o0FcGXNyv6VKPh+KmNJFN23PYz2bdImS65rBjNyGiTXYJ/MlJTsCDx58ceYTwHKFmwsxilLzNdiVye3ZL9zEjDR7DEmJElZuGnBuI/rpRfgF9D3g0xZal bb@y53
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPwFMvPEqUCks63fD+0UjgPjoIfkqoECOiJ3Cl1PJMwLADldAMZEPBhwjyJT11sKP4bvCqcVb/HVooED1zmQmF1urSycopkMj02FMIXZRSfvOWA2evTHNPeNR+/7dvSGgRqYggI5r+8d7gRB1YNedRoHq9d+1lWv5TpZ+TKr1ns0DekiFHXP4JCRC2U8/QxAriMcRywrbQ9Wpib5UCDKjlg7YmP29K9g7XdTkczyQCCOFSqEk2qRw4/lm1IACZXh9PBxy0CW2LuiNkkij5TBWMc+KDBqWwpETfIGFdSE0yzX9nCH9IsADj9MyaIMxS+Vtc96zS9ZR2HaFMaWIGFB2h bb@neo-3
uid: 3015
email: bblack@wikimedia.org
akosiaris:
ensure: present
gid: 500
name: akosiaris
realname: Alexandros Kosiaris
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IbCL8F2mKMLVL2yp3RP+1rs5v6R4iveIctHQA6kccymfoUa5y9FLT9+hx9ljXZDjrUN3rPeagbZDrGQj6UlI32YZVKRwAeaLkp85HpbzaL/2GKM9UlSq6Qztnuxp/cQGQtDrSK9rwPHk1kqxhXQDeu0+mzqgKMsTqZshG2pH+T27rpZMcUyyF0nX14yoqPHdxvetYfjhAo0WIuwmMcyDcv/Au4AaDgOoKqbYVNY/I5gRYxEotRuJeNg9NLFlUDmntA5mXthotK4uWimfDV8rI1695n2Idvf/iNtZiO6tnIFfs7nrv3C0vFZO+MMbrU0cz/Abbhq4zaQH7zqrP0GfaR4AJu+0SgOjDbmAhOgwgYOxpdhChIABjVJTP3chKgJ1y1JeUxyUaIayddp/Kyye7z0kFJw0+D8YROAPWkkJvpV6c0/U88LMjupG2kcVlxqPrUCJiL4e8viyZQxxJOJhS/Zdf56AO8Xh8WAxX0RZGLbA2GYln1euu+8zZuvfYuZa+IRPihlY9b1fkyYP4Y7WtVNkvtFuwqKzwI2qyRGPH9W6PI0yva1BYNf/jg2qdFiboH44cBzc0MoFoqjzD7RHJpPQJQFeEiZsrQjDvm18MMCONJTPHYJaA5YwxClRXH8scWx+H0MjDwC9KmhMPm+Rb0iXPh7KePhP1jAxN+Ldew== akosiaris
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcPEzGxYs0G/5v71Xr1pLI3uadQwF6c3/l/ekfnLPhNq+A1IPCOdnxmhfcWD5mVgDXaqsbLKSzV2DFDCnJ3VW8S7mC8s9bh3zoRRwG0ccLz4WrGsold9w5Ox+cK9iRZ0czSX4JbdFr0ECDFcJjbkcQdvdXhr3wISE+YDGEgP2QII+pn/Ike0gA455SM4Q+HuniWJzhDGUmMJ42cP6UTin1w8nKTynr4mm/ScgJxL+uQzJYYydmTYkjYCt6keuJf/02k/IvL00z1sd+jt2cEzxX9TcUJtvTtd6UXi5gOvYVBuMWWPaDP6QHqB6YyBVSPPq4z8TEQebDfSxXPMjGjk8X yubikey4_n2
uid: 3194
email: akosiaris@wikimedia.org
ariel:
ensure: present
gid: 500
name: ariel
realname: Ariel T. Glenn
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu28GiEBr28g/13mYO+IbqmXNcq3wqwpLC9E5d02ueQg5WiEe4TKfs15Gtnsl3k2HYQ3wtu8fDiKdKI7oUVz1O/6h0MkroPVOgVVs9s9FthoDj7uQaAHNU01w7FT3BANOzRNFNc6o9CZZhqx8ojloozYOsIVSh9Llyz3lVBEmBufm3Nk4q0Yf97oNts6bg6Bq51upwqpaCO9VjrFjoqpuapJuJx4j0DZFIvKS62uq3wrBhrrdBKI42wk8ECBytyPWOJ3MZRgoV00E3KJf/G+DuWGWz5KvgLYoXZzRqVXi4rAMkBbth9SGGhwgS4hE1RX9pses0d7rD5OcOQJCrc/HB ariel@neo
uid: 543
email: aglenn@wikimedia.org
otto:
ensure: present
gid: 500
name: otto
realname: Andrew Otto
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyYwXitC3hSK+Gwfq3y0PlGlQMRHaqsTtJcDbgoxuE0kzEEKwSVpyXIxoUdUK0Luh2eVkR+CZ8+5lLVDJOhrGpBT6r/Z9p+o+9rVopNEkHM8QxqbhDoS5gbSEngISM+Zcyo1wTK+bB4tbzCcX7eJEVlxmPv4Tb85zDcMWSR2ZWV+jPMai9/3uO61Q3n9GOX94+3qIWmZE55AIjLT/lw3iGffwSMffO9/8UC9U2sVW3v3daXuvDgmjKkAiGaJp+Evq82ahQEOgOWPDuLXYo1DyFuqsL67CDA1hYZfA9FJRfUhOW9I32mGmFpjdJsFeWSU4VIOHO//Blpy0j6h4IPacJ otto@klein.local
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3UFojv43WYMDf9WoD18t5tKosJE5liMQp2w3ibTiuXUuj6c67E9g2UqNNK9O2hej2vo7KYsLG5VmguzhHYLxFRWKHflicrgDWEdMIiR2lxUtcUDJggwcS0PGnocstiYNFNQRCcvC/XbqW7k2741V5UsVoE4MIe+e0a3KiHGN3HLbkStz/07I1r8e0H16fbJUwfKE95gtzI/rOGT9J9LBjuS5QBuWyPk2dv5HSaRlQp83L3KeVBUUZgN82TnNj/QSLH7bmK0/5L6bLof+UnYPiA6teJAKpB9RlwO9z3DQIVnjO3TDo9MHZct3kob1YWm1uLoz+rKoBtD6E5rLJH8Tj otto@kleiner.local
uid: 2129
email: aotto@wikimedia.org
krb: present
cmjohnson:
ensure: present
gid: 500
name: cmjohnson
realname: Chris Johnson
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRcpxRnwLHjFjOuadfyyQB2CEFArfVzXA9gGZ0yI+zgF7tTfqj0vpAJpo4y8II7RayRuYbMQNMKdSdcHkg0qWrcljaLmkgMxg4eUNSHWWdBuGDKIFKH9Rj7vU7WKK/jmXGf1Slt2h7oFakRUp4p6u1kb4+P2yJwrYyQFXaCmiIQ9elEkkij7fEY2o1BZQ7S9MmmyQwbfg/cw1DShoQJkHlAm6ZG4m4fzYU2z8z+Pgm6d86QsEa8rEBf6GgwMcSon/b7fsXBc/XL0VV9CZOQ6Z5qkSe7ccOlhjS1wSRq6O4IdkxfSgVHAi00HsUZPlMoueB7hX1d9UQOxSMja48Pwklc7XarkuENZdVWu7b7CoJrQ2bSYDky19mKwU5iTZlm/843yE4MtnM8pqq2mx8+onQTAK0Fnmb+cqt8wEz3PAImC0cMnPscmUWYWC2z+2eeOsKUdNe3WyA4wbnR+hRqeUAYHUHEpQobpKHWhOFIh3kIns/WprJj+ezL2jcJRev12qhIoDW3b/VDhkU/Hx22qFHraT6i91j2/qtxNnwInlhQbQ6POCXYaGSTe4BViUAu7T7/OCL6Tx7WW5TCrEeBRKtOqNI3/Un8eob90GdQQ4PzAyEznHRqv5XmgR988WrDtsvR11DgN3benu9GJYFZZJwkt6BvEJDT+W+hlAbc0Rq6Q== cmjohnson@wikimedia.org
uid: 2399
email: cjohnson@wikimedia.org
andrew:
ensure: present
gid: 500
name: andrew
realname: Andrew Bogott
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo94dwMdsdm0Q39cGgGu+9Vq1ROf43/dym/0kWyzX5tT9SaPM3RjuHukiXRFgVtSW6SNyPTFxjU2dUoWeGrolNLZudHlCPLFTU1d5BIzLnDJmjcqgm76D2na4KrhnH8JZ24PM2iur08SnDr33AU/xETCVoG/7DcTXzeWxBnnMBUa9Lo55NALEN9v/rJbFa4/1ah4PzFUSxO+IWHl7bxFFWRBd2vErbVgYBbdmt9p8WePxZWHczkZ3oSM4s+/C1ydoXcpdV35f8/XcINsC28WLIqnyeZUCzgBli13/R6dB3Kk3xVqnFFQqATNYrs3MIj/vt2JBV7kZcKkmVm2d36KnHw== andrew@AndrewMacbook-6.local
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbWwOolgMepvvtX9wloNTgIkAwgOEFuc4gSq3PxiT7R5tDIw8gYb+m34GGyLzp/rIbRm6UsvDwmjDj+z5PdQHQxY2muZ+fkilmwA5XvujE1iHvLvfti5des7ABTBztzlOkvGDfMESVdSvXGzWnx3yeK2cjo8ckCHhLgdfHFNVkJggaIVSXUFoKAV4YvzXm/bSoT6PMGs6W3k556I5OcndPKPOqL/W/BGvi9LOQm2QqOdw0XGFZCwnOmxiHBkRHk2SC1r5zq8dbZAqRE7RE3i66TCLtLlXgDVVsFcRK9LNcKkubkAKD77pYFzsXu3hpWKGSAs6/GWUHwOZ72YXOyP2V andrew@yubi
uid: 2093
email: abogott@wikimedia.org
gwicke:
ensure: absent
gid: 500
name: gwicke
realname: Gabriel Wicke
ssh_keys: []
uid: 1239
aaron:
ensure: present
gid: 500
name: aaron
realname: Aaron Schulz
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbkUdkdNfnufBSoAQbtZKJ2n+WFYjiZPm6+fY+5PXeZ aschulz@encrypted-usb
- ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKamm3DYoDu3G4YaK1WDvB3ze3vbSj95tuWXbsEJeKuarkdC5YJ/1xl+FD4YZeWkLFNG+ImjOe+w8HykRlBL0iwqn0n2SanKBctV0nGUVJOAkZfvXi9ttsFvxF4SWRsbAA== aschulz@yubikey-5c
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn/Y3cKWbwPc8g0sJ45fkFWlKIyiu3u+1rOFDgqvp8qhJTWwXNYaR2ykv4mRbD5kv2JZT1XD72LbhSTx8bn3hoTh02IWoRdjuhcrvPWe+9Cz4otKpeDXJoYll/eNgX3dW0hHBBc2YSuYnj3DROswg0gcgST40GoIqECgD3zDdJEl723q178mjlRDboM7JXQNStPvbi+JS1ebmj17J/p3CGIvLnvGEReUDFpJSRI+nAkzOCITF4cXn8K3RKJaaQHUVGGqcNs3zqxNxfeeUCoTiGq+5q2eUdZuWkSlMtLnDirMukRBZy0KJ/63sFucoTN/+AFcTYWXcUzR8ikgCqu6hl aschulz@yubi-neo
uid: 544
krb: present
email: aschulz@wikimedia.org
# Active account with one RSA key; 'krb: present' is set.
dr0ptp4kt:
ensure: present
gid: 500
name: dr0ptp4kt
realname: Adam Baso
# The single list item is a plain scalar that continues onto the next line.
# YAML folds that line break into one space, so the key and its trailing
# comment (the e-mail address) parse as one entry. A stray comma anywhere in
# the item would split it in two, so quoting the key would be safer.
ssh_keys: [ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoKHi5isY9FixH31qz/81V7fOHsorLZI/NLKr9Z6Xawl2a2Ih0ZV/pJtD+BTu1ufK2QOdgobeRSrnybzf2/1aCqi3Z9H2XxJhMCfnLb/9AIcKJ9tN63T4nRnjLoPsmRgDQrOSIqY5NfLKzXBsQOqc3chZ5SaDf8f09OdBk+Obn5vhr6yWh4GhrfTzoZUfp6+JRiueZZYuGMIKdBAH82s9TyuhuGWvHJmO9WC1MJOV/3hIcim+X0xR+BNLEU/Uj4OPEXC0/EiXh2CJDLugBpLU28RF+Y16TRj/WmO2H0H6qVdmkiK7Ez9PCbsy4RFPq4hdART9QiQbQJzZzaYSAkSFV
abaso@wikimedia.org]
uid: 2962
email: abaso@wikimedia.org
krb: present
werdna:
ensure: absent
gid: 500
name: werdna
realname: Andrew Garrett
ssh_keys: []
uid: 1039
anomie:
ensure: absent
gid: 500
name: anomie
realname: Brad Jorsch
ssh_keys: []
uid: 2248
aude:
ensure: present
gid: 500
name: aude
realname: Katie Filbert
ssh_keys: [ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+OiQ1ptiP6VqmiP8IOp0sKET9pQHOJxscK6bAvAmAP72DL9MgLIBaWpaL9iWsb/DMXI2CQpEnu88VMVXCSgiqw+Gy6Q93pAquAQWAzkMnDD+QvxTm23oFCxP795IEP3JMHuONNg2x3NU3jYaOADOGZX41nRhbkO4yl32jQCTF9i670KS+CFDHxRzmOMzNhlytWJYyVPS6iqUGykaFcebFNThMtRtQF+pWJNreCFxZoXp1TyzkiJE1rX98tj2yhVQmET6mENuGXuAES/Atzpxp8zvsckHn06Mm1RZZmIExEqn/JdK6nHs1UoSNpsI195ltzkKSEWdFdYKRLZNFuRBL aude.wiki@gmail.com]
uid: 1185
email: aude.wiki@gmail.com
awight:
ensure: present
gid: 500
name: awight