Page MenuHomePhabricator
Create Task
Maniphest T170878

Audit users and account expiry dates for stat boxes
Closed, ResolvedPublic8 Estimated Story Points
Actions

Description

I've identified 56 accounts that are on one stat box or another that do not already have expiration dates and that either I'm not personally familiar with at first glance, or I'm not certain they need continued access. This ticket is to track down the folks and this list, and either verify that they still need (un expiring) access, or to set an expiration date.

  • amire80 @Amire80 - WMF Staff, uses stat1002 almost daily for collecting statistics about interlanguage links.
  • atgomez @atgo - WMF Staff, continue access
  • aude @aude - WMDE, keep access
  • bmansurov @bmansurov - WMF Staff, Reading Web Team, requires access to event logging data, account should stay expiryless
  • bsitzmann @bearND - WMF, keep access
  • chedasaurus @egalvezwmf - WMF Staff, keep access
  • chelsyx @chelsyx Chelsy is a data analyst at the WMF and needs access to data.
  • cwdent @cwdent
  • daisy @dchen - WMF staff, no answer to pings, Analytics decided to keep access
  • daniel @daniel - WMDE, keep access
  • dbrant @dbrant - I work on our Android app (at WMF), and need continued access to event logging data.
  • dduvall @dduvall - WMF staff, no answer to pings, Analytics decided to keep access
  • debt @debt - I'm staff at WMF and need occasional access to data
  • dfoy @DFoy - WMF Staff, keep
  • dstrine @DStrine - WMF Staff, keep
  • ellery @ellery - No longer at the WMF, absented user
  • etonkovidova @Etonkovidova - I'm WMF staff (QA) and occasionally using the access
  • foks @jrbs Backup to James Alexander, same use case as him.
  • gilles @Gilles - - WMF Staff, continue access
  • goransm @GoranSMilovanovic WMDE, keep access
  • gpaumier @gpaumier - WMF, removed access to analytics-privatedata since not used anymore.
  • hoo @hoo - WMDE, keep access
  • jamesur @Jalexander https://phabricator.wikimedia.org/T170878#3446584
  • jdcc @Jdcc-berkman expiry set to 2018-01-01
  • jdittrich @Jan_Dittrich - WMDE, keep access
  • jdrewniak @Jdrewniak Jan is a front-end engineer at the WMF and needs access to data for A/B tests and other activities.
  • jhernandez @Jhernandez - WMF Staff, Reading Web Team, requires access to event logging data, account should stay expiryless
  • jminor @JMinor, WMF Staff, keep access
  • joewalsh @JoeWalsh - WMF Staff, keep access
  • kartik @KartikMistry - WMF staff, keep access
  • lpintscher @Lydia_Pintscher - WMDE, removed access to analytics-privatedata since not used anymore
  • marktraceur @MarkTraceur - WMF, keep access
  • matmarex @matmarex WMF, occasionally need to run queries over non-public data or EventLogging stuff, please keep my access
  • mholloway-shell @Mholloway please don't remove my account! i work at WMF and analyze EL data sometimes.
  • mhurd @Mhurd, WMF Staff, keep
  • mlitn @matthiasmullie - WMF Staff, Multimedia team, needs access to EventLogging data
  • moushira @MoushiraEl - No longer at the WFM and no answer in the task, removing access to analytics privatedata
  • musikanimal @MusikAnimal - Work for WMF and need access to stat boxes for work purposes.
  • niedzielski @Niedzielski - Please keep me on. I work at the WMF and look at EL data.
  • niharika29 @Niharika - Work for WMF and need access to EL data for work.
  • nikerabbit @Nikerabbit - WMF Staff, need access to EL data
  • nschaaf @schana - WMF Staff, Research Team, need access to EL data and hadoop
  • ori @ori - Ex WMF Staff legend, NDA signed, still among the ops +2s
  • ovasileva @ovasileva - WMF Staff, Reading Web Team, requires access to event logging data, account should stay expiryless
  • pcoombe @Pcoombe - WMF Staff, Fundraising, need access to "banner history" and other EventLogging data
  • phuedx @phuedx - WMF Staff, Reading Web Team, requires access to event logging data, account should stay expiryless
  • pmiazga @pmiazga - Contractor for WMF, Reading Web Team, requires access to event logging data, account should stay expiryless
  • reedy @Reedy - WMF Staff / Security team
  • samtar @Samtar expiry set to 2018-01-01
  • samwalton9 @Samwalton9 expiry set to 2018-01-01
  • sbisson @SBisson WMF, Global Collaboration. I need to dig into event logging data and prod replica from time to time. Please keep my access expiryless for now.
  • tgr @Tgr - - WMF Staff, continue access
  • tjones @TJones I'm a back-end engineer working on search at the WMF and need access in particular to query data.
  • yuvipanda @yuvipanda
  • zhousquared @ZhouZ WMF legal team

If you are CCed on this project, maybe you know about someone on the above list! Please edit or comment and let me know which of the following is true:

  • The account should remain expiryless
  • The account should be given an expiration date of ___
  • The account can be removed now

Details

SubjectRepoBranchLines +/-
Ensure samtar and samwalton9 are absent after account expirationoperations/puppetproduction+3 -7
admin::data.yaml: Set cwdent to ldap user onlyoperations/puppetproduction+8 -4
Remove access to analytics posix groups for users not needing them.operations/puppetproduction+17 -9
Add expiry shell dates for 4 stat box usersoperations/puppetproduction+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Ottomata added a comment.Jul 18 2017, 2:05 PM

Also - is this just about shell access, or also about access to dashboards?

This is about shell access only, and specifically to the various analytics 'stat' boxes that allow access to Hadoop or the MySQL research databases.

Besides that, there are quite a few surprising names on that list of WMF staff that I, as an "outsider", always assumed would have access to this kind of data

Yeah, I made this list only by familiarity. Many of these names I knew as well, but wasn't totally sure if they need continued access on the stat boxes. Often folks get access for a single project, and then never log in again, and we are trying to very slightly prune down the number of accounts.

TheresNoTime unsubscribed.Jul 18 2017, 2:08 PM
gerritbot subscribed.Jul 18 2017, 2:09 PM

Change 365971 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Add expiry shell dates for 4 stat box users

https://gerrit.wikimedia.org/r/365971

gerritbot added a project: Patch-For-Review.Jul 18 2017, 2:09 PM
Ottomata updated the task description. (Show Details)Jul 18 2017, 2:13 PM
Ottomata added a subscriber: TheresNoTime.
gerritbot added a comment.Jul 18 2017, 2:13 PM

Change 365971 merged by Ottomata:
[operations/puppet@production] Add expiry shell dates for 4 stat box users

https://gerrit.wikimedia.org/r/365971

SBisson unsubscribed.Jul 18 2017, 2:15 PM
Niedzielski removed subscribers: phuedx, MusikAnimal, Niedzielski.Jul 18 2017, 2:17 PM
TJones updated the task description. (Show Details)Jul 18 2017, 3:14 PM
TJones removed subscribers: TheresNoTime, yuvipanda.
Niharika updated the task description. (Show Details)Jul 18 2017, 4:57 PM
Niharika unsubscribed.
Ottomata moved this task from Next Up to In Progress on the Analytics-Kanban board.Jul 18 2017, 5:35 PM
gpaumier added a comment.Jul 18 2017, 5:42 PM

I don't anticipate a need to use my access in the foreseeable future. You can remove my access and I'll ask for it back later should I need it.

leila added a comment.Jul 18 2017, 6:16 PM

@Ottomata: I went over the list and none of the formal collaborators I'm their point contact is on that list, and I myself am not. Thanks for the ping. I'm going to remove myself from this task at this point.

@DarTar You may want to set the expiration date of Ellery's access to the expiration date of his MOU to make sure the access is removed unless both sides agree to extend the MOU.

leila unsubscribed.Jul 18 2017, 6:17 PM
DarTar added a subscriber: RStallman-legalteam.Jul 18 2017, 7:07 PM

Thanks for starting this @Ottomata

Relevant to this thread I wanted to give you the heads up that @MoritzMuehlenhoff @RStallman-legalteam and I have started improving our internal tracking of NDAs/MOUs and server access. Hopefully we can consolidate the process so that Analytics, Ops, Legal, Research can all communicate via a centralized tool.

Jdcc-berkman unsubscribed.Jul 18 2017, 7:36 PM
RStallman-legalteam added a comment.Jul 18 2017, 8:18 PM

I can confirm that the following people from the list have signed NDAs that are on file with legal:

ellery
jdcc
goransm
jdittrich
moushirah

Lydia_Pintscher added a comment.Jul 18 2017, 8:28 PM

Like Guillaume: I don't anticipate a need to use my access in the foreseeable future. You can remove my access and I'll ask for it back later should I need it.

Tbayer added subscribers: ZhouZ, Moushira, Tbayer.Jul 19 2017, 3:54 AM

For the record, @ellery and @MoushiraEl / @Moushira sadly no longer work for WMF, although it's possible that they still require access as volunteers.

And are we certain that zhousquared belongs to @Zhouai and not @ZhouZ instead?

ZhouZ added a comment.Jul 19 2017, 4:05 AM

I can confirm zhousquared belongs to me.

hoo added a comment.Jul 19 2017, 6:43 PM

I would like to keep my access (along with my deploy shell access), as I'm using it from time to time.

See also @daniel's comment above.

bearND added a comment.Jul 20 2017, 9:00 PM

In the past life as an Android app dev I used EL quite regularly. Now in Reading Infrastructure I haven't had the need yet but it could be coming. Either way is fine with me for now. If access gets removed and I need it later, I'll ask for it.

zhuyifei1999 updated the task description. (Show Details)Jul 30 2017, 7:39 PM
zhuyifei1999 added a subscriber: Jdcc-berkman.
zhuyifei1999 removed a subscriber: Jdcc-berkman.
Nikerabbit updated the task description. (Show Details)Aug 4 2017, 5:17 PM
Nikerabbit added a subscriber: Jdcc-berkman.
Nemo_bis awarded a token.Aug 4 2017, 5:19 PM
elukey claimed this task.Sep 11 2017, 3:11 PM
elukey added a project: User-Elukey.
elukey moved this task from Backlog to In Progress on the User-Elukey board.Sep 12 2017, 10:44 AM
elukey updated the task description. (Show Details)Sep 12 2017, 12:18 PM
gerritbot added a comment.Sep 12 2017, 12:20 PM

Change 377446 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Remove access to analytics posix groups for users not needing them.

https://gerrit.wikimedia.org/r/377446

gerritbot added a comment.Sep 12 2017, 1:23 PM

Change 377446 merged by Elukey:
[operations/puppet@production] Remove access to analytics posix groups for users not needing them.

https://gerrit.wikimedia.org/r/377446

elukey added a comment.Sep 12 2017, 1:28 PM

Remaining to check as far as I can see: @egalvezwmf, @cwdent, @dchen, @dduvall, @DFoy, @DStrine, @Etonkovidova, @JMinor, @JoeWalsh, @KartikMistry, @Mhurd, @ZhouZ

Sorry for the extra ping if you already answered, but could you please state if you need access to analytics stat hosts or not?

Thanks!

cwdent added a comment.Sep 12 2017, 2:11 PM

@elukey - at this point I do not need access, deactivate at will

gerritbot added a comment.Sep 12 2017, 2:15 PM

Change 377472 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin::data.yaml: Set cwdent to ldap user only

https://gerrit.wikimedia.org/r/377472

Mholloway unsubscribed.Sep 12 2017, 2:21 PM
gerritbot added a comment.Sep 12 2017, 3:07 PM

Change 377472 merged by Elukey:
[operations/puppet@production] admin::data.yaml: Set cwdent to ldap user only

https://gerrit.wikimedia.org/r/377472

elukey updated the task description. (Show Details)Sep 12 2017, 3:09 PM
elukey added a subscriber: Mholloway.
Reedy added a comment.Sep 12 2017, 3:18 PM

WMF staff, security team... Am I ok to keep access? :)

Samwalton9-WMF unsubscribed.Sep 12 2017, 3:23 PM
elukey added a comment.Sep 12 2017, 3:41 PM
In T170878#3600768, @Reedy wrote:

WMF staff, security team... Am I ok to keep access? :)

I am not sure if I trust you but it should be ok :)

Thanks for updating the task!

Nuria added a comment.Sep 12 2017, 6:39 PM

@elukey: Let me know if you think this is something that will be completed on Q1 or rather we need to continue on Q2

elukey updated the task description. (Show Details)Sep 13 2017, 7:59 AM
elukey added a subscriber: Samwalton9-WMF.
elukey added a subscriber: Unknown Object (User).Sep 13 2017, 8:08 AM
In T170878#3601557, @Nuria wrote:

@elukey: Let me know if you think this is something that will be completed on Q1 or rather we need to continue on Q2

All the remaining users have a @wikimedia email and afaics they are staff members, so I think that the only action to take for some of them is maybe removing access if not needed anymore, but we can definitely do it in Q2 as low priority task without the need of a goal. The main important point, in my opinion, is to ensure that non WMF staff accounts have an expiration date and somebody in the WFM to contact in case of issues.

Jhernandez unsubscribed.Sep 13 2017, 11:11 AM
Nuria added a comment.Sep 13 2017, 2:41 PM

The main important point, in my opinion, is to ensure that non WMF staff accounts have an expiration date and somebody in the WFM to contact in case of issues.

And this is done, correct?

MoritzMuehlenhoff added a comment.Sep 13 2017, 5:02 PM
In T170878#3604545, @Nuria wrote:

The main important point, in my opinion, is to ensure that non WMF staff accounts have an expiration date and somebody in the WFM to contact in case of issues.

And this is done, correct?

All the users with shell access which are not WMF staff have a a contact address for quite a while now (half a year maybe?). Not necessarily an expiry address, since NDAs for volunteers are not time-limited per se.

DarTar added a comment.Sep 13 2017, 5:17 PM
In T170878#3605013, @MoritzMuehlenhoff wrote:

All the users with shell access which are not WMF staff have a a contact address for quite a while now (half a year maybe?). Not necessarily an expiry address, since NDAs for volunteers are not time-limited per se.

I think it's important to distinguish the NDA – which is not expiring by design, to make sure we have extended legal protection – vs any agreement that governs server access for non WMF staff. In the context of research collaborations, we're tying server access to the duration of the MOU. With @RStallman-legalteam we created a dedicated sheet in the NDA tracker. As soon as an MOU expires and a collaboration is archived, server access should be revoked.

I met with Rachel the other day and we decided to

  • move the list of formal (MOU'ed) collaborations to the Foundation wiki (because they go beyond the Research team)
  • explicitly add the start and expiry date of each collaboration in that table, since there's nothing sensitive about those dates
elukey added a comment.Sep 15 2017, 2:29 PM

Sent an email to all the remaining users to verify their need of the accounts :)

Etonkovidova updated the task description. (Show Details)Sep 15 2017, 3:11 PM
Etonkovidova added a subscriber: Jhernandez.
egalvezwmf added a comment.Sep 15 2017, 3:26 PM

Please keep access for me (chedasaurus). We use it for our quarterly metrics. Thanks!

KartikMistry added a comment.Sep 15 2017, 3:34 PM

WMF staff. Backup of @Amire80 So, you can keep my access. Thanks!

elukey updated the task description. (Show Details)Sep 15 2017, 3:55 PM
elukey updated the task description. (Show Details)
DFoy added a comment.Sep 15 2017, 8:53 PM

Please keep access for me as I use this for reviewing Zero traffic along with other country-level research for Global Reach / New Readers

Jhernandez updated the task description. (Show Details)Sep 18 2017, 9:31 AM
Jhernandez unsubscribed.
elukey updated the task description. (Show Details)Sep 18 2017, 10:26 AM
Mholloway updated the task description. (Show Details)Sep 18 2017, 11:57 AM
Mholloway unsubscribed.
JoeWalsh added a comment.Sep 18 2017, 5:10 PM

I'd like to keep access without an expiration date for access to data from the mobile apps

elukey updated the task description. (Show Details)Sep 18 2017, 5:11 PM
JMinor added a comment.Sep 18 2017, 5:12 PM

I am a PM on the WMF staff and need continuing access to stats machines for product analysis.

elukey updated the task description. (Show Details)Sep 18 2017, 5:12 PM
Mhurd added a comment.Sep 18 2017, 5:37 PM

I'd also like to keep access w/o expiration for apps data access.

MoritzMuehlenhoff updated the task description. (Show Details)Sep 19 2017, 7:43 AM
elukey updated the task description. (Show Details)Sep 19 2017, 8:19 AM
elukey updated the task description. (Show Details)Sep 25 2017, 11:57 AM
GoranSMilovanovic added a subscriber: Tobi_WMDE_SW.Sep 25 2017, 12:54 PM

Hi, I need continuing access to the stat boxes beyond the set expiration date (2018-01-01). I will be working with WMDE at least until 2018-09-30, mainly Wikidata analytics related things . @Tobi_WMDE_SW can confirm. Thanks a lot!

elukey added a comment.Sep 27 2017, 5:39 AM

No answer from @dchen and @dduvall, but since they are WMF staff and they might be on vacation I am not inclined to remove their access. After a chat with my team we decided to keep their access since for the scope of this task it makes sense.

elukey updated the task description. (Show Details)Sep 27 2017, 5:39 AM
elukey added a comment.Sep 27 2017, 6:50 AM
In T170878#3631676, @GoranSMilovanovic wrote:

Hi, I need continuing access to the stat boxes beyond the set expiration date (2018-01-01). I will be working with WMDE at least until 2018-09-30, mainly Wikidata analytics related things . @Tobi_WMDE_SW can confirm. Thanks a lot!

Hi Goran, you don't have an expiry date, the description is wrong, all good :)

elukey updated the task description. (Show Details)Sep 27 2017, 6:50 AM
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
elukey moved this task from In Progress to Done on the User-Elukey board.Sep 27 2017, 8:22 AM
Nuria closed this task as Resolved.Oct 9 2017, 4:32 PM
Nuria set the point value for this task to 8.
Liuxinyu970226 unsubscribed.Oct 10 2017, 3:04 PM
Jdcc-berkman mentioned this in T183291: Requesting account expiration extension.Dec 19 2017, 8:33 PM
Jdcc-berkman mentioned this in T184085: Requesting extended access to stat1005 for jdcc.Jan 3 2018, 5:36 PM
gerritbot added a comment.Jan 17 2018, 5:57 PM

Change 404743 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Ensure samtar and samwalton9 are absent after account expiration

https://gerrit.wikimedia.org/r/404743

gerritbot added a comment.Jan 17 2018, 6:04 PM

Change 404743 merged by Ottomata:
[operations/puppet@production] Ensure samtar and samwalton9 are absent after account expiration

https://gerrit.wikimedia.org/r/404743

Ottomata added a subscriber: TheresNoTime.Jan 17 2018, 6:04 PM

FYI: @Samwalton9 and @Samtar, your access expired on 2018-01-01 and your accounts have been removed. Thanks! :)

(https://gerrit.wikimedia.org/r/#/c/404743/)

bearND unsubscribed.Jan 18 2018, 11:33 PM
TheresNoTime mentioned this in T186344: NDA request for Samtar.Feb 2 2018, 7:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL