Page MenuHomePhabricator

Requesting access to stat1003, stat1002 and bast1001 for AGomez (WMF)
Closed, ResolvedPublic

Description

Username: AGomez (WMF)
Full name: Anne Gomez

RSA/DSA key - I have one that was used for Fundraising stuff. Is it OK to use the same one or should I generate another?

Reason: As a product manager for the Reading team, I need to be able to access event & pageview logs in order to analyze the effectiveness of features that we're working on. My manager is Lisa Gruwell, who is not in Phabricator, but I work closely with Jon Katz and Toby Negrin on the Reading side. They should be able to sign off. Do you need Lisa to sign off as well? If so, how do we make that happen?

Event Timeline

atgo created this task.Oct 15 2015, 10:03 PM
atgo raised the priority of this task from to Needs Triage.
atgo updated the task description. (Show Details)
atgo added a project: SRE-Access-Requests.
atgo added subscribers: atgo, JKatzWMF, Tnegrin, Jgreen.
Restricted Application added a project: acl*sre-team. · View Herald TranscriptOct 15 2015, 10:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Could you edit the title of the task to replace the placeholders "RESOURCE" and "USER"?

Restricted Application added a subscriber: Matanya. · View Herald TranscriptOct 15 2015, 10:03 PM
atgo renamed this task from Requesting access to RESOURCE for USER[S] to Requesting access to stat1003, stat1002 and bast1001 for AGomez (WMF).Oct 15 2015, 10:03 PM
atgo set Security to None.
atgo removed a subscriber: Catrope.
atgo added a subscriber: Catrope.

@Catrope - done. Sorry about that! Had it right and then had to switch computers :)

It sounds like you need the statistics-privatedata-users group then, I think... But maybe researcher? sigh...

And, of course, bastiononly, because that still isn't fixed.

Also, do you have an LDAP account (providing login to labs, gerrit, phabricator, etc.)?

Dzahn claimed this task.Oct 19 2015, 4:38 PM
Dzahn added a comment.Oct 19 2015, 8:58 PM

Hi @atgo Do you have a wikitech user yet? If not, please create one there and let me know the user name, so we can match it with the production user we need to create.

Can you ask Lisa Gruwell to login on Phabricator and comment here for approval? She doesn't really have to create a new account, she can login with an existing Wiki(pedia) user.

Dzahn triaged this task as Normal priority.Oct 19 2015, 8:58 PM
atgo added a comment.Oct 19 2015, 9:00 PM

Hi @Dzahn - here's my Wikitech acct: https://wikitech.wikimedia.org/wiki/User:Atgomez

I'll work on Lisa.

atgo added a comment.Oct 19 2015, 9:01 PM

@Krenair yes I have LDAP - not sure how to find more information. I think my ideal setup/access here should be parallel to what @JKatzWMF has in case that helps.

Dzahn added a comment.Oct 19 2015, 9:06 PM

@atgo ok, thanks. The wikitech user and the LDAP user are the same here. I have the UID now which i needed to create a patch for this, so that covers the LDAP question too.

Could you please read and sign L3?

regarding the SSH key, i'm not entirely sure if it's ok to use the same as in fundraising. maybe create another one? could you attach a key here on the ticket ? thanks

atgo added a comment.Oct 19 2015, 9:24 PM

Read and signed. I'll attach a new key shortly... I'm on a loaner computer
right now since mine is having charging problems.

Change 247467 had a related patch set uploaded (by Dzahn):
admin: create agomez and add to stats-privatedata

https://gerrit.wikimedia.org/r/247467

Dzahn added a comment.Oct 19 2015, 9:45 PM

ok, cool, i uploaded a change and can amend it anytime with the right key

Since this explicitly asks for stat1003 and stat1002, atgo will also need to be in the statistics-users group. That will give access to stat1003.

Dzahn added a comment.Oct 21 2015, 4:26 PM

@atgo did you get to create a key yet?

atgo added a comment.Oct 21 2015, 8:56 PM

Yes! Here's the contents of the file:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+rFSx3I00yhYMJzgg3IthAqLBEnE9nab3DF9l+QKT2pWFQP7adRDOz5FqI5nPKNrTl122q8xm4qErbXLb07momy2gFYCGNTtCTiyV4z7+Ckmvqc42FKJ3qjzAI2BFsBK/2A9RAdXDgbkmd7nyiEIEhL1r+rdL2W0VYa1exhMjeXme8ckfYDpCxcWtHz4+4OXe6tO+K4SVfzlhfqMrQCzBRRaIrjhvV1WrxNddPS2+CWQ03v/2l6RSjftc2ibzKiq1uvtrN99Hi6OYt9j6pUsXaG/z0WpLuT5ekaxyeKcEHwFMI32zn6+Pw/kRCGBFA9rOKdtYpQYarFsZsM43MVP9 agomez@Annes-MacBook-Air-2.local

Dzahn added a comment.EditedOct 22 2015, 5:48 PM

@atgo thanks, i added that key to the code change waiting in code review on gerrit now.

Everything looks ready to go here now except the manager approval is still needed.

Ideally if we can get Lisa to login here and just add "approved" as a comment. Alternatively i think a director such as Toby can also do it.

atgo added a comment.Oct 22 2015, 6:05 PM

If it's OK with you guy that @Tnegrin approve, that would be super. Otherwise is there a way for Lisa to do it by email instead? She's having trouble with phabricator login.

Dzahn added a comment.Oct 22 2015, 7:58 PM

Otherwise is there a way for Lisa to do it by email instead? She's having trouble with phabricator login.

I asked #wikimedia-devtools. It is possible to email phabricator but only from email addresses that are registered users. So she would have to login at least once, but in the future could then use email. Allowing mail from anonymous users would be a problem with spam. She does _not_ have to register in phabricator as long as she has a normal Wikipedia user she can just use that.

atgo added a comment.Oct 22 2015, 8:00 PM

Ok. Is @Tnegrin not an option for sign off?

Anne's doing this as part of her work for the readership team and I approve.

atgo added a comment.Oct 22 2015, 8:07 PM

Thanks @Tnegrin

@Dzahn @Catrope lmk if that's not enough and I can get a time to walk
through this with Lisa.

Change 247467 merged by Dzahn:
admin: create agomez and add to stats groups

https://gerrit.wikimedia.org/r/247467

Dzahn added a comment.Oct 22 2015, 8:49 PM

Thanks, yea, it's ok. I noted on the change that it's work for the Readership team and went ahead with Toby's approval.

I merged the change and ran puppet on the three hosts names from the ticket title. I could see it create your new user:

Notice: /Stage[main]/Admin/Admin::Hashuser[atgomez]/Admin::User[atgomez]/ ... etc ...

[stat1003:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),726(statistics-users),725(statistics-privatedata-users)

[stat1002:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),725(statistics-privatedata-users)

bast1001:~] $ id atgomez
uid=4891(atgomez) gid=500(wikidev) groups=500(wikidev),707(bastiononly)

Dzahn closed this task as Resolved.Oct 22 2015, 8:56 PM

@atgo Here's an example SSH config snippet, for your /home/atgomez/.ssh/config (assuming you use atgomez as your user on your local computer)

Host stat1002 stat1003
ProxyCommand ssh -W %h:%p atgomez@bast1001.wikimedia.org
User atgomez

If you put that into your config once, you should be able to simply ssh stat1002 or ssh stat1003 and get on these hosts transparently jumping via bast1001.wikimedia.org.

Alternatively you can also use bast2001 (Texas), bast4001 (San Francisco) or hooft.esams.wikimedia.org in Amsterdam.
There's a map here:

https://wikitech.wikimedia.org/wiki/Bastion
and more info on ssh config here:

https://wikitech.wikimedia.org/wiki/SSH_access

Let me know if any questions,

atgo added a comment.Oct 29 2015, 9:48 PM

I'm still not able to get in. @Jgreen tried to help but it seems we're hitting a wall. Reopening pending this getting fixed.

I'm available to do a screenshare/IRC chat or whatever at a time that's good for you. Thanks!

atgo reopened this task as Open.Oct 29 2015, 9:49 PM

Paste the output of ssh -vvv stat1002? We might be able to see what the problem is.

atgo added a comment.Oct 29 2015, 10:11 PM

OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/agomez/.ssh/config
debug1: /Users/agomez/.ssh/config line 23: Applying options for stat1002
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec /usr/bin/ssh -q -W stat1002:22 bast1001.wikimedia.org
debug1: permanently_drop_suid: 503
debug1: identity file /Users/agomez/.ssh/analytics_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/agomez/.ssh/analytics_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9

Dzahn added a comment.EditedOct 29 2015, 10:13 PM

Hi,

so the key part here seems this:

debug1: identity file /Users/agomez/.ssh/analytics_rsa type 1
debug1: key_load_public: No such file or directory

In your config this path to your key file is specified, but then it can't find it in that place.

Are you sure it's in /Users/agomez/.ssh/analytics_rsa on your local computer?

I don't think you copied @Dzahn's config, did you? Since your local username (agomez) is different to your remote username (atgomez), you need to prepend atgomez@ to bastion host part of the ProxyCommand line.

atgo added a comment.Oct 29 2015, 10:16 PM

If I do "cat /Users/agomez/.ssh/analytics_rsa" I get the RSA private key,
so seems like it.

atgo added a comment.Oct 29 2015, 10:18 PM

Here's the full text of my config, crafted by @Jgreen

OH I SEE IT. (I think...)

Host bast1001.wikimedia.org

User atgomez
IdentityFile ~/.ssh/analytics_rsa

bad--> ProxyCommand /usr/bin/ssh -q -W %h:%p bast1001.wikimedia.org

oops. ^^^^

Try removing the ProxyCommand line in the bast1001.wikimedia.org block that attempts to proxy connections to bast1001 through bast1001...

krenair: What you said seemed right, though on bast1001, i checked logfiles, and i don't see an attempt from "agomez", just one from "atgomez", but "Failed publickey for atgomez".

atgo: We can try this: remove or comment-out any "IdentityFile" lines from your ssh config so it doesn't try to automatically select a specific key. Then use ssh-add -D to remove all keys loaded in the agent, followed by` ssh-add /Users/agomez/.ssh/analytics_rsa ` to load this specific key into the agent. Then try again. This is because it sounds to me like somehow there are multiple keys and this is the wrong one. That matches the "failed publickey" error i see.

Dzahn added a comment.EditedOct 29 2015, 10:24 PM

bad--> ProxyCommand /usr/bin/ssh -q -W %h:%p bast1001.wikimedia.org

oops. ^^^^

Yes, that's it. The user name is missing there. Compare to my example above:

ProxyCommand ssh -W %h:%p atgomez@bast1001.wikimedia.org
User atgomez

Note how the user name appears in 2 places and both are needed.

So yea, just fix that ProxyCommand line and ignore my comments above. I was writing that while others already commented.

atgo added a comment.Oct 29 2015, 10:26 PM

Success! I removed the ProxyCommand line and made it in to bast1001.
Everything look OK from your side?

Yes, it does :) "Starting session: shell on pts/7 for atgomez"

Now let's try if you can also jump via bast1001 straight to stat1002/1003.

Just "ssh stat1002.eqiad.wmnet" from your local computer should work, and transparently connect you to stat1002 via bast1001 with a single command.

I see you also got on stat1002:

stat1002 sshd[17449]: Starting session: shell on pts/16 for atgomez

So claiming it's resolved again. Right?

Dzahn closed this task as Resolved.Oct 29 2015, 10:43 PM
atgo added a comment.Oct 29 2015, 11:08 PM

Rad. Thanks guys. I'd also like to be able to use Sequel Pro: sequelpro.com

Any kernels of wisdom you could share about setting that up?
Thanks!

I suspect you're unlikely to get official support for it. Is the mysql CLI not good enough?

I don't know about how access control works for most of the analytics groups, but if there are shared accounts/passwords involved you probably won't be allowed to keep those details locally to use with this software.

EBernhardson added a subscriber: EBernhardson.EditedOct 29 2015, 11:17 PM

setup an ssh tunnel, point sequel pro at the ssh tunnel. thats about all there is to it. The details don't need to be kept locally and can be input on each use of the software.