Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/298976

Change subject: admin: add an NDA audit helper script
......................................................................

admin: add an NDA audit helper script

Hacky Python code currently being used to perform user access and NDA
audits with the WMF's Legal department.

Change-Id: I5a846618854613b2a04d619e308fb58da3bccfe9
---
A modules/admin/data/nda_audit.py
1 file changed, 105 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/76/298976/1

diff --git a/modules/admin/data/nda_audit.py b/modules/admin/data/nda_audit.py
new file mode 100644
index 0000000..75b82ed
--- /dev/null
+++ b/modules/admin/data/nda_audit.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python
+#
+# Copyright (c) 2016 Wikimedia Foundation, Inc.
+#
+# This script parses our data.yaml file for all users and enriches the
+# information using information gathered from the production/Labs LDAP tree. It
+# finally outputs the information with non-technical labels into a CSV.
+#
+# It's currently being used to perform user access and NDA audits with the
+# WMF's Legal department.
+
+import sys
+import yaml
+import ldap
+import csv
+
+
+def extract_from_yaml():
+    data = open('data.yaml', 'r')
+    admins = yaml.safe_load(data)
+
+    users = {}
+
+    for username, userdata in admins['users'].items():
+        if userdata['ensure'] == 'absent':
+            continue
+
+        groups = []
+        for group, groupdata in admins['groups'].items():
+            if username in groupdata['members']:
+                groups.append(group)
+
+        users[username] = {
+            'realname': userdata['realname'],
+            'uid': userdata['uid'],
+            'prod_groups': groups,
+            'has_server_access': (len(userdata['ssh_keys']) > 0),
+        }
+
+    return users
+
+
+def enrich_from_ldap(users):
+    # needs some configuration
+    ldap_conn = ldap.initialize('ldap://%s:389' % 'localhost')
+    ldap_conn.protocol_version = ldap.VERSION3
+
+    base_dn = "dc=wikimedia,dc=org"
+    people_dn = "ou=people," + base_dn
+    groups_dn = "ou=groups," + base_dn
+
+    for username in users.keys():
+        ldapdata = ldap_conn.search_s(
+                people_dn,
+                ldap.SCOPE_SUBTREE,
+                "(&(objectclass=inetOrgPerson)(uid=" + username + "))",
+                attrlist=['*', '+']
+            )
+        attrs = ldapdata[0][1]
+        user_dn = ldapdata[0][0]
+
+        ldapdata = ldap_conn.search_s(
+                groups_dn,
+                ldap.SCOPE_SUBTREE,
+                "(&(objectclass=groupOfNames)(member=" + user_dn + "))",
+                attrlist=['cn'],
+            )
+        groups = [l[1]['cn'][0] for l in ldapdata]
+
+        users[username]['email'] = ','.join(attrs['mail'])
+        users[username]['has_nda_group'] = ('nda' in groups)
+        users[username]['has_wmf_group'] = ('wmf' in groups)
+        users[username]['ldap_groups'] = groups
+
+    return users
+
+
+def main():
+    users = extract_from_yaml()
+    users = enrich_from_ldap(users)
+
+    userwriter = csv.writer(sys.stdout, delimiter=';')
+    userwriter.writerow([
+        'Username',
+        'Full name',
+        'email',
+        'Has server access',
+        'Has LDAP NDA access',
+        'Has LDAP Staff access',
+    ])
+
+    for username in sorted(users.keys()):
+        userdata = users[username]
+        userwriter.writerow([
+            username,
+            userdata['realname'],
+            userdata['email'],
+            ('yes' if userdata['has_server_access'] else 'no'),
+            ('yes' if userdata['has_nda_group'] else 'no'),
+            ('yes' if userdata['has_wmf_group'] else 'no'),
+        ])
+
+
+if __name__ == '__main__':
+    main()
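Review bot: The LDAP filters at lines 83 and 92 are assembled by string concatenation, so a `username` from data.yaml or a `user_dn` returned by the directory that contains `(`, `)`, `*` or `\` changes the meaning of the filter instead of being matched literally; both values should go through `ldap.filter.escape_filter_chars` (with an explicit `import ldap.filter`). The lookup at lines 86–87 also indexes `ldapdata[0]` unconditionally, so a data.yaml user with no `inetOrgPerson` entry — exactly the discrepancy an access audit exists to surface — aborts the whole run with an IndexError instead of appearing in the CSV, and `attrs['mail']` at line 97 raises KeyError for an entry without a `mail` attribute. Separately, the connection at line 72 is an unauthenticated plaintext `ldap://` to a hard-coded host with no `start_tls_s()`, which the `# needs some configuration` comment acknowledges but the script does not resolve, and the file handle opened at line 46 is never closed (`with open('data.yaml', 'r') as data:`). The rewritten per-user loop below escapes both filter values and records missing entries rather than crashing.
```python
    for username in users.keys():
        ldapdata = ldap_conn.search_s(
            people_dn,
            ldap.SCOPE_SUBTREE,
            "(&(objectclass=inetOrgPerson)(uid=%s))"
            % ldap.filter.escape_filter_chars(username),
            attrlist=['*', '+']
        )
        if not ldapdata:
            # present in data.yaml but absent from LDAP: record it, don't abort
            users[username]['email'] = ''
            users[username]['has_nda_group'] = False
            users[username]['has_wmf_group'] = False
            users[username]['ldap_groups'] = []
            continue
        user_dn, attrs = ldapdata[0]

        ldapdata = ldap_conn.search_s(
            groups_dn,
            ldap.SCOPE_SUBTREE,
            "(&(objectclass=groupOfNames)(member=%s))"
            % ldap.filter.escape_filter_chars(user_dn),
            attrlist=['cn'],
        )
        groups = [l[1]['cn'][0] for l in ldapdata]

        users[username]['email'] = ','.join(attrs.get('mail', []))
        # … unchanged: has_nda_group / has_wmf_group / ldap_groups assignments …
```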

-- 
To view, visit https://gerrit.wikimedia.org/r/298976
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5a846618854613b2a04d619e308fb58da3bccfe9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
