[11:15:54] <paravoid>	 how people feel about cancelling this week's meeting in favor of the goal meeting?
[11:16:00] <paravoid>	 the alternative would be to reschedule for Thursday
[11:16:45] <paravoid>	 I lean towards cancelling because it's been a busy week (and will get busier), so I'd like to avoid more meetings etc.
[11:23:40] <moritzm>	 +1
[11:23:51] <moritzm>	 (for cancelling)
[11:26:24] <volans>	 +1
[12:41:14] <paravoid>	 (done)
[12:41:33] <paravoid>	 herron: would like to see a draft Kafka goal with a few different bullet points
[12:41:51] <paravoid>	 is that something that you could work on, or do you feel it's still too nebulous?
[12:43:25] <paravoid>	 moritzm, jbond42: would like to talk about authn/z if you get a chance (if you're responding to the incident, then definitely not now :)
[12:44:00] <moritzm>	 sure, wfm
[12:44:04] <herron>	 sure, I’ll draft a few items
[12:44:33] <jbond42>	 yes im free
[12:45:05] <paravoid>	 herron: thanks :)
[12:45:34] <paravoid>	 * Audit infrastructure for authentication requirements/protocols
[12:45:45] <paravoid>	 what does that mean?
[12:45:46] <paravoid>	 actually
[12:45:51] <paravoid>	 scratch that, different question first
[12:46:21] <paravoid>	 so the way I've thought about this problem so far (and it may an incorrect view, correct me if you feel differently)
[12:46:27] <paravoid>	 has been that there's a few different parts to it
[12:46:50] <jbond42>	 currently we have lots of applications gerrit, icinga, logstash etc.  we need to know what they all support i.e. saml, openid , cas so we know what products fit out needs
[12:46:56] <paravoid>	 the first is the "account management" part, where we take over from OpenStackManager/wikitech for that
[12:46:59] <jbond42>	 sorry carry on
[12:47:26] <paravoid>	 for users creating their own "developer account", and us managing that etc.
[12:47:55] <paravoid>	 the second part is the SSO part, where we replace HTTP Basic Auth + custom LDAP binds with something unified, that ideally also supports WebAuthn, 2FA etc.
[12:48:14] <paravoid>	 and the third part I guess is self-service group management and all that
[12:48:43] <paravoid>	 are we going to address each of those separately, or do you guys feel we should just kind of attack it from all angles at the same time?
[12:48:46] <paravoid>	 I can see arguments for both :)
[12:49:55] <jijiki>	 I think jbond42 is right, maybe we should start with which apps and what each one supports for auth 
[12:50:16] <moritzm>	 the "Design a workflow for administrative changes" from the third sub task is about coming up with a more fine-grained plan (which some high level steps outlined in the gdoc)
[12:50:40] <moritzm>	 several of the actual workflows will need more input from other teams as well
[12:50:54] <paravoid>	 is it workflows for LDAP account management?
[12:51:07] <paravoid>	 I don't fully grasp "administrative changes" :)
[12:53:10] <moritzm>	 some of the steps are outlined in the gdoc, e.g. a new user gets created in self-service and then e.g. requests access to Superset, then the access could be requested by the user, but the access would be authorised by the analytics team
[12:53:34] <paravoid>	 I haven't looked at the doc much, I'm sorry :(
[12:53:44] <jbond42>	 I think we have some core issues identity managemtent (including SSO); user managment and application intergration.  The data may be in (probably) LDAP and the user managment could likley by stricker however the service intergration and identiy managment pices are probably going to be a floss solution so i think we need to get thsoe requirments in place first
[12:53:57] <moritzm>	 and part of the 3rd bullet is to look a all current wirkflows and task to the stakeholders involved for a more detailed implementation plan
[12:54:04] <paravoid>	 ack
[12:54:19] <moritzm>	 talk, not task
[12:54:43] <paravoid>	 the goal wording is confusing me
[12:55:01] <paravoid>	 and I'm trying to figure out why and express it well :)
[12:55:06] <paravoid>	 so part of it I guess is
[12:55:28] <paravoid>	 there is talk about "administrative changes", but what about user registration & changes?
[12:55:40] <paravoid>	 end users registering themselves, reseting their password, etc.?
[12:56:03] <paravoid>	 none of the three bullet points seem to cover that, right?
[12:56:10] <moritzm>	 that was more or less implied, but we should probably spell it out by including self-service or so
[12:56:22] <paravoid>	 yeah
[12:57:36] <moritzm>	 e.g. "Design a workflow for user permissions (self service and administrative) (,..)"  ?
[13:00:31] <paravoid>	 sec, working on a strawdog :)
[13:01:47] <paravoid>	 * Audit production and WMCS infrastructure and document all authenticated services and their authentication & authorization capabilities
[13:01:50] <paravoid>	 * Engage with stakeholders and collect functional and non-functional requirements for identity and access management for web services
[13:01:53] <paravoid>	 * Evaluate free & open source Identity Management/SSO software solutions against our requirements and deploy test installations of 1-2
[13:01:56] <paravoid>	 * Build a migration plan from OpenStackManager and Striker towards a unified identity and access management system for developer accounts
[13:01:59] <paravoid>	 how does that sound?
[13:02:13] <paravoid>	 sorry if it sounds dismissive, I just didn't feel good about opposing without proposing :)
[13:06:01] <moritzm>	 sounds good, but let's maybe strike the "and deploy test installations of 1-2", installing the individual solutions will be part of the evaluation of any solution anyway
[13:07:17] <paravoid>	 are you saying that the deployment of test installs is to be left for next quarter
[13:07:24] <paravoid>	 or that it's going to happen earlier than that?
[13:10:57] <moritzm>	 my point is that "deploy test installations" is inpreceise; during the tests of the solutions we'll surely install them in WMCS or some other VM, but a PoC of the selected solution in prod is also dependent on the outcome of (1) and partly (4) and will probably only happen after the ground work is done
[13:11:20] <paravoid>	 oh i was referring to test installs in WMCS, not prod
[13:11:27] <paravoid>	 but I see the confusion
[13:11:54] <jbond42>	 i think the test looks good, also i added the bit about installing and the intention was to test not as a PoC
[13:11:57] <moritzm>	 we can totally make sure to point out that we won't pick the tools based on slides and websites :-)
[13:12:00] <paravoid>	 copied the previous wording
[13:12:00] <jbond42>	 s/test/text/
[13:12:00] <paravoid>	 * Evaluate free & open source Identity Management/SSO software solutions against our requirements and create a short list of 1-2
[13:12:07] <paravoid>	 moritzm: yeah that was the point :)
[13:12:22] <moritzm>	 +1 on the revised wording :-)
[13:12:30] <jbond42>	 yes lgtm
[13:12:38] <paravoid>	 final question
[13:12:50] <paravoid>	 do you guys want to include some wording around the offboarding script
[13:13:00] <paravoid>	 the stuff from the previous days basically?
[13:13:05] <moritzm>	 good point
[13:13:38] <moritzm>	 maybe we can reflect the wording to also cater for the offboarding/removal process
[13:14:17] <moritzm>	 "(..) requirements for identity and access management (and their revocation) (..) " maybe?
[13:15:08] <moritzm>	 designing such workflows is certainly a part of it, e.g. I'd like to incluce Legal in the NDA sign off process
[13:15:32] <paravoid>	 I think that's implied, but I was wondering if you wanted to include something more short-term
[13:15:50] <paravoid>	 changing our scripts in the meantime to include some of the stuff we've been discussing the past few days
[13:16:15] <moritzm>	 I changed the LDAP script this morning, it's only waiting on gerrit being back
[13:16:19] <paravoid>	 oh ok
[13:16:25] <moritzm>	 for proper review etc,
[13:16:29] <paravoid>	 sure yeah
[13:16:32] <paravoid>	 I wasn't sure if it was that short-term :)
[13:17:10] <paravoid>	 cool ok
[13:17:18] <paravoid>	 I guess I'll post it as draft then
[13:17:27] <paravoid>	 jbond42: do you feel comfortable with me posting the puppet one as well?
[13:17:27] <moritzm>	 sounds good to me!
[13:17:36] <jbond42>	 yes im happy with that
[13:17:39] <paravoid>	 cool thanks
[13:17:42] <jbond42>	 thanks
[13:17:45] <paravoid>	 we'll discuss them all tomorrow again
[13:17:51] <paravoid>	 but we're discussing them at tech-mgmt in a couple of hours
[13:18:11] <paravoid>	 so I'd like to at least give a heads-up with the draft to my peers
[13:18:11] <jbond42>	 ack
[13:19:26] <paravoid>	 more broadly
[13:20:13] <paravoid>	 I'd like to keep a balance between exploratory goals ("we're going to investigate A, evaluate B and C, plan for D") and tangible goals ("we are going to upgrade X to Y, replace K by L")
[13:20:35] <paravoid>	 authn/z goal is more in the first category (but would love to find more tangible things to include in it)
[13:20:39] <paravoid>	 puppet is in the latter, that's good
[13:21:03] <paravoid>	 Kafka seems to be going towards the former atm, wondering if we can add more tangible deliverables to it herron 
[13:21:30] <moritzm>	 the whole automation goal can probably be made very tangible ("implement X cook books to automate common maintenance tasks")
[13:21:39] <paravoid>	 which goal is that?
[13:22:04] <moritzm>	 the one that is yet to be discussed tomorrow :-)
[13:22:10] <paravoid>	 oh
[13:22:19] <paravoid>	 do we have a draft or raw thoughts somewhere in the pad?
[13:22:44] <moritzm>	 I mean there were only ideas floating around, not sure if this will even be a goal
[13:23:12] <volans>	 FYI, related: https://phabricator.wikimedia.org/T203943
[13:23:47] <cdanis>	 in some ways the DBA automation goal is a tangible realization of the larger automation goal ;)
[13:24:03] <paravoid>	 nod
[13:24:16] <paravoid>	 the DBA automation goal is my strawdog, haven't discussed it with anyone
[13:24:30] <paravoid>	 serviceops drafted a wider mediawiki goal that is in the pad but I think that's unrealistic right now
[13:24:39] <paravoid>	 it's way too much work given all the other stuff
[13:24:42] <cdanis>	 it seemed reasonable as written to me
[13:24:48] <cdanis>	 I know _joe_ wanted to sneak in some Envoy stuff on that goal
[13:24:55] <paravoid>	 (was talking about line 232)
[13:28:34] <herron>	 paravoid: we could add the hardware for cluster expansion, but will need to decide if we will proceed with the upgrade-ram-in-place approach the analytics hardware planning spreadsheet outlines (https://docs.google.com/spreadsheets/d/1123OTmek4eRriBkZrAjbp06aH0RMmR0e69TMUlVF84s/edit#gid=1814156814) or address it with a different approach/timeline
[13:30:04] <paravoid>	 uh
[13:30:12] <paravoid>	 item (4) there we can do
[13:30:18] <paravoid>	 item (3) (RAM in place) is a bit... meh
[13:30:25] <paravoid>	 gotta run, interview
[13:30:28] <paravoid>	 talk to you in an hour :)
[13:30:39] <herron>	 kk
[15:54:31] <chaomodus>	 herron: is there a big issue with having mixed specs
[15:55:43] <herron>	 chaomodus: hey, fai.don and I spok about it off irc and updated here https://etherpad.wikimedia.org/p/SRE-goals-FQ4-FY1819 (line 110)
[15:56:12] <chaomodus>	 ah hah i just noticed the timestamps :)
[15:57:21] <herron>	 in a nutshell no not a big issue, but since the hosts are nearing retirement age it will feed two birds with one scone.  hw refresh and cluster expansion at the same time
[15:57:38] <chaomodus>	 makes sense
[16:19:07] <chaomodus>	 if anyone has review bandwidth: https://gerrit.wikimedia.org/r/c/operations/puppet/+/497421 https://gerrit.wikimedia.org/r/c/operations/software/netbox-reports/+/495267
[17:06:17] <cdanis>	 anyone have any thought as to where on officewiki my backups of catchpoint configuration should live?
[17:14:28] <chaomodus>	 is tehre an external monitoring page?
[17:14:37] <chaomodus>	 like a subpage from there seems logical.
[17:14:53] <chaomodus>	 shdubsh: if you would +1 this again, there was a gerrit snafu : https://gerrit.wikimedia.org/r/c/operations/puppet/+/497563
[17:19:02] <shdubsh>	 chaomodus: you got it
[17:20:19] <chaomodus>	 thanks!_ :D
[17:54:10] <arturo>	 o/
[17:55:22] <arturo>	 bryan mentioned that you (you as in SRE team) are looking for some replacement for ldap/account management stuff/sso sollution
[17:57:48] <arturo>	 wondering if I can take a look at the phab task
[18:03:09] <paravoid>	 arturo: just quarterly goal drafts so far, no phab task yet, other than an old one: https://phabricator.wikimedia.org/T179463