
Requesting access to stat1003, stat1002 and bast1001 for AGomez (WMF)
Closed, Resolved (Public)

Description

Username: AGomez (WMF)
Full name: Anne Gomez

RSA/DSA key - I have one that was used for Fundraising stuff. Is it OK to use the same one or should I generate another?

Reason: As a product manager for the Reading team, I need to be able to access event & pageview logs in order to analyze the effectiveness of features that we're working on. My manager is Lisa Gruwell, who is not in Phabricator, but I work closely with Jon Katz and Toby Negrin on the Reading side. They should be able to sign off. Do you need Lisa to sign off as well? If so, how do we make that happen?

Event Timeline

atgo raised the priority of this task from to Needs Triage.
atgo updated the task description.
atgo added a project: SRE-Access-Requests.
Restricted Application added a subscriber: Aklapper.

Could you edit the title of the task to replace the placeholders "RESOURCE" and "USER"?

atgo renamed this task from "Requesting access to RESOURCE for USER[S]" to "Requesting access to stat1003, stat1002 and bast1001 for AGomez (WMF)". Oct 15 2015, 10:03 PM
atgo set Security to None.
atgo removed a subscriber: Catrope.
atgo added a subscriber: Catrope.

@Catrope - done. Sorry about that! Had it right and then had to switch computers :)

It sounds like you need the statistics-privatedata-users group then, I think... But maybe researcher? sigh...

And, of course, bastiononly, because that still isn't fixed.

Also, do you have an LDAP account (providing login to labs, gerrit, phabricator, etc.)?

Hi @atgo Do you have a wikitech user yet? If not, please create one there and let me know the user name, so we can match it with the production user we need to create.

Can you ask Lisa Gruwell to login on Phabricator and comment here for approval? She doesn't really have to create a new account, she can login with an existing Wiki(pedia) user.

Dzahn triaged this task as Medium priority. Oct 19 2015, 8:58 PM

@Krenair yes I have LDAP - not sure how to find more information. I think my ideal setup/access here should be parallel to what @JKatzWMF has in case that helps.

@atgo ok, thanks. The wikitech user and the LDAP user are the same here. I have the UID now which i needed to create a patch for this, so that covers the LDAP question too.

Could you please read and sign L3?

regarding the SSH key, i'm not entirely sure if it's ok to use the same as in fundraising. maybe create another one? could you attach a key here on the ticket ? thanks

Read and signed. I'll attach a new key shortly... I'm on a loaner computer
right now since mine is having charging problems.

Change 247467 had a related patch set uploaded (by Dzahn):
admin: create agomez and add to stats-privatedata

https://gerrit.wikimedia.org/r/247467

ok, cool, i uploaded a change and can amend it anytime with the right key

Since this explicitly asks for stat1003 and stat1002, atgo will also need to be in the statistics-users group. That will give access to stat1003.

@atgo did you get to create a key yet?

Yes! Here's the contents of the file:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+rFSx3I00yhYMJzgg3IthAqLBEnE9nab3DF9l+QKT2pWFQP7adRDOz5FqI5nPKNrTl122q8xm4qErbXLb07momy2gFYCGNTtCTiyV4z7+Ckmvqc42FKJ3qjzAI2BFsBK/2A9RAdXDgbkmd7nyiEIEhL1r+rdL2W0VYa1exhMjeXme8ckfYDpCxcWtHz4+4OXe6tO+K4SVfzlhfqMrQCzBRRaIrjhvV1WrxNddPS2+CWQ03v/2l6RSjftc2ibzKiq1uvtrN99Hi6OYt9j6pUsXaG/z0WpLuT5ekaxyeKcEHwFMI32zn6+Pw/kRCGBFA9rOKdtYpQYarFsZsM43MVP9 agomez@Annes-MacBook-Air-2.local

@atgo thanks, i added that key to the code change waiting in code review on gerrit now.

Everything looks ready to go here now except the manager approval is still needed.

Ideally if we can get Lisa to login here and just add "approved" as a comment. Alternatively i think a director such as Toby can also do it.

If it's OK with you guys that @Tnegrin approve, that would be super. Otherwise is there a way for Lisa to do it by email instead? She's having trouble with phabricator login.

> Otherwise is there a way for Lisa to do it by email instead? She's having trouble with phabricator login.

I asked #wikimedia-devtools. It is possible to email phabricator but only from email addresses that are registered users. So she would have to login at least once, but in the future could then use email. Allowing mail from anonymous users would be a problem with spam. She does _not_ have to register in phabricator as long as she has a normal Wikipedia user she can just use that.

Ok. Is @Tnegrin not an option for sign off?

Anne's doing this as part of her work for the readership team and I approve.

Thanks @Tnegrin

@Dzahn @Catrope lmk if that's not enough and I can get a time to walk
through this with Lisa.

Change 247467 merged by Dzahn:
admin: create agomez and add to stats groups

https://gerrit.wikimedia.org/r/247467

Thanks, yea, it's ok. I noted on the change that it's work for the Readership team and went ahead with Toby's approval.

I merged the change and ran puppet on the three hosts named in the ticket title. I could see it create your new user:

Notice: /Stage[main]/Admin/Admin::Hashuser[atgomez]/Admin::User[atgomez]/ ... etc ...

[stat1003:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),726(statistics-users),725(statistics-privatedata-users)

[stat1002:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),725(statistics-privatedata-users)

[bast1001:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),707(bastiononly)

@atgo Here's an example SSH config snippet, for your /home/atgomez/.ssh/config (assuming you use atgomez as your user on your local computer)

Host stat1002 stat1003
ProxyCommand ssh -W %h:%p atgomez@bast1001.wikimedia.org
User atgomez

If you put that into your config once, you should be able to simply ssh stat1002 or ssh stat1003 and get on these hosts transparently jumping via bast1001.wikimedia.org.

Alternatively you can also use bast2001 (Texas), bast4001 (San Francisco) or hooft.esams.wikimedia.org in Amsterdam.
There's a map here:

https://wikitech.wikimedia.org/wiki/Bastion
and more info on ssh config here:

https://wikitech.wikimedia.org/wiki/SSH_access

Let me know if any questions,

I'm still not able to get in. @Jgreen tried to help but it seems we're hitting a wall. Reopening pending this getting fixed.

I'm available to do a screenshare/IRC chat or whatever at a time that's good for you. Thanks!

Paste the output of ssh -vvv stat1002? We might be able to see what the problem is.

OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/agomez/.ssh/config
debug1: /Users/agomez/.ssh/config line 23: Applying options for stat1002
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec /usr/bin/ssh -q -W stat1002:22 bast1001.wikimedia.org
debug1: permanently_drop_suid: 503
debug1: identity file /Users/agomez/.ssh/analytics_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/agomez/.ssh/analytics_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9

Hi,

so the key part here seems this:

debug1: identity file /Users/agomez/.ssh/analytics_rsa type 1
debug1: key_load_public: No such file or directory

In your config this path to your key file is specified, but then it can't find it in that place.

Are you sure it's in /Users/agomez/.ssh/analytics_rsa on your local computer?

I don't think you copied @Dzahn's config, did you? Since your local username (agomez) is different to your remote username (atgomez), you need to prepend atgomez@ to the bastion host part of the ProxyCommand line.

If I do "cat /Users/agomez/.ssh/analytics_rsa" I get the RSA private key,
so seems like it.

Here's the full text of my config, crafted by @Jgreen

OH I SEE IT. (I think...)

Host bast1001.wikimedia.org

User atgomez
IdentityFile ~/.ssh/analytics_rsa

bad--> ProxyCommand /usr/bin/ssh -q -W %h:%p bast1001.wikimedia.org

oops. ^^^^

Try removing the ProxyCommand line in the bast1001.wikimedia.org block that attempts to proxy connections to bast1001 through bast1001...

krenair: What you said seemed right, though on bast1001, i checked logfiles, and i don't see an attempt from "agomez", just one from "atgomez", but "Failed publickey for atgomez".

atgo: We can try this: remove or comment-out any "IdentityFile" lines from your ssh config so it doesn't try to automatically select a specific key. Then use `ssh-add -D` to remove all keys loaded in the agent, followed by `ssh-add /Users/agomez/.ssh/analytics_rsa` to load this specific key into the agent. Then try again. This is because it sounds to me like somehow there are multiple keys and this is the wrong one. That matches the "failed publickey" error i see.

> bad--> ProxyCommand /usr/bin/ssh -q -W %h:%p bast1001.wikimedia.org
>
> oops. ^^^^

Yes, that's it. The user name is missing there. Compare to my example above:

ProxyCommand ssh -W %h:%p atgomez@bast1001.wikimedia.org
User atgomez

Note how the user name appears in 2 places and both are needed.

So yea, just fix that ProxyCommand line and ignore my comments above. I was writing that while others already commented.
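As an added illustration (not part of the ticket, and not Dzahn's or Jgreen's config), the script below writes out the corrected two-block config that the thread converges on and lints a config file for the two mistakes seen here: a bastion block whose ProxyCommand proxies through itself, and a ProxyCommand target with no `user@` prefix even though the block sets a different `User`. Host names and the remote user are the ones from the ticket; the identity-file path and the `DB_HOST_PLACEHOLDER` forward (for a GUI client such as Sequel Pro) are assumptions the reader must replace.

```shell
#!/bin/sh
# Added example, not from the ticket. Generates a working ~/.ssh/config for
# jumping to stat1002/stat1003 via bast1001 and lints a config for the two
# pitfalls discussed in the thread.

# Print a config for remote user $1 using identity file $2.
make_ssh_config() {
  cat <<EOF
Host bast1001.wikimedia.org
    User $1
    IdentityFile $2

Host stat1002 stat1003
    User $1
    IdentityFile $2
    # The remote user must appear here as well: the proxy ssh is a separate
    # client that otherwise logs in with the local user name (agomez != atgomez).
    ProxyCommand ssh -W %h:%p $1@bast1001.wikimedia.org
    # Optional, for a desktop SQL client: forward a local port through the jump.
    # LocalForward 3307 DB_HOST_PLACEHOLDER:3306
EOF
}

# Lint config file $1. Prints one finding per line; exit status 1 if any.
# Heuristic only: a ProxyCommand without user@ is flagged when the block sets
# a User, because that User does not apply to the proxy connection.
lint_ssh_config() {
  awk '
    function check(    target, n, h, i) {
      if (hosts == "" || pc == "") return
      target = pc; sub(/^.*@/, "", target)       # strip any user@ prefix
      n = split(hosts, h, " ")
      for (i = 1; i <= n; i++)
        if (h[i] == target) {
          print "self-proxy: Host " hosts " proxies through itself"; bad = 1
        }
      if (pc !~ /@/ && user != "") {
        print "missing-user: ProxyCommand in Host " hosts " should target " user "@" target
        bad = 1
      }
    }
    tolower($1) == "host" {
      check(); hosts = ""; pc = ""; user = ""
      for (i = 2; i <= NF; i++) hosts = hosts (i > 2 ? " " : "") $i
      next
    }
    tolower($1) == "user"         { user = $2; next }
    tolower($1) == "proxycommand" { pc = $NF; next }
    END { check(); exit bad }
  ' "$1"
}

# Demo: lint a constructed copy of the broken bastion block from the ticket,
# then print the corrected config.
demo() {
  f=$(mktemp)
  printf '%s\n' 'Host bast1001.wikimedia.org' '    User atgomez' \
    '    IdentityFile ~/.ssh/analytics_rsa' \
    '    ProxyCommand /usr/bin/ssh -q -W %h:%p bast1001.wikimedia.org' > "$f"
  lint_ssh_config "$f" || echo "--- replace that block with: ---"
  make_ssh_config atgomez '~/.ssh/analytics_rsa'
  rm -f "$f"
}

demo
```

Run it as `sh lint_ssh.sh`; the first lines are the two findings for the broken block, followed by the config to put in `~/.ssh/config`. The `Host bast1001.wikimedia.org` block has no ProxyCommand at all, which is exactly the fix applied in the thread.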

Success! I removed the ProxyCommand line and made it in to bast1001.
Everything looks OK from your side?

Yes, it does :) "Starting session: shell on pts/7 for atgomez"

Now let's try if you can also jump via bast1001 straight to stat1002/1003.

Just "ssh stat1002.eqiad.wmnet" from your local computer should work, and transparently connect you to stat1002 via bast1001 with a single command.

I see you also got on stat1002:

stat1002 sshd[17449]: Starting session: shell on pts/16 for atgomez

So claiming it's resolved again. Right?

Rad. Thanks guys. I'd also like to be able to use Sequel Pro: sequelpro.com

Any kernels of wisdom you could share about setting that up?
Thanks!

I suspect you're unlikely to get official support for it. Is the mysql CLI not good enough?

I don't know about how access control works for most of the analytics groups, but if there are shared accounts/passwords involved you probably won't be allowed to keep those details locally to use with this software.

Set up an SSH tunnel and point Sequel Pro at the SSH tunnel; that's about all there is to it. The details don't need to be kept locally and can be input on each use of the software.