On 2025-04-01 16:41:55, Gabriel Filion wrote:
[...]
Some precisions here, if I may. :)
The password will take some time to get synchronized to the servers, so allow some 1 to 2 hours before you test out your new credentials. When ready, head over to https://grafana2.torproject.org/ and use your ldap username with your new web password to confirm that you're able to login there.
The delay is normally between 5 to 15 minutes:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/ldap#know-when-will...
The shared passwords that are currently in use are bound to be removed on April 17th.
Specifically, here we're talking about the "metrics" Grafana (and Prometheus!) user you folks have been sharing around with each other. I don't know exactly how far it was shared, but you need to, now, let those people know that this password will stop working soon.
Also be aware, as announced in TPA-RFC-33, that this effectively gives access to all users with an LDAP account to the Prometheus server. When we last discussed this, it was okayed by people here, but it's still time to review that policy. It would be more complicated for us because we'd need to grant access on a username basis (like "hiro can login") but it's possible.
[...]
additional note for TPA members: we now have a fallback password that's present in our password manager. it should let us access the monitoring sites even if ldap has a disruption. you can try that one as well.
For TPA folks, that's in services/prometheus.torproject.org. You *should* use your "web password" to operate prometheus on a daily basis however: for now, you can write that in your .netrc file (like we do for the KGB bot password), but I have plans to hook that up to pass(1) instead.
Let me know if you think that should be expedited.
a.