Grant jgirault and jan_drewniak access to the eventlogging db on stat1003 and hive to query webrequests tables on stat1002
Closed, Resolved (Public)

Description

In their work on updating the portals, Julien and Jan will need to be able to query out data about the event logging they are doing, and will additionally need access to the webrequests table in hive to do other exploration related to requests against the portals.

Neither of them currently has shell access to prod, so that will need to be done as well.

Hive access is gated on the analytics-privatedata-users group in puppet. I'm not sure about stat1002 for the eventlogging access. I think it's the researchers group.

Event Timeline

EBernhardson raised the priority of this task from to Needs Triage.
EBernhardson updated the task description.
EBernhardson added a subscriber: EBernhardson.
Restricted Application added subscribers: StudiesWorld, Aklapper.

@JGirault @Jdrewniak You will both need to generate ssh keys used only for wmf production (with passwords on them) and attach the public key portion to this ticket.

@JGirault and @Jdrewniak, please visit and sign the L3 document regarding responsibilities associated with server access. Meanwhile, I'll write a patch...

analytics-privatedata-users includes shell on stat1002, so that one group should do it.

Andrew triaged this task as Medium priority. Nov 20 2015, 3:39 PM

I was mistaken for the eventlogging access, that happens on stat1003 (and is where the mysql credentials file is stored: stat1003:/etc/mysql/conf.d/research-client.conf).

It looks like the same credentials file exists on stat1002 so in theory it could work, but on stat1002 the file is owned by root:root and has 440 permissions. On stat1003 the file is owned by root:researchers and has 440 permissions.
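
Why the same 440 mode behaves differently on the two hosts, as an added example (not part of the ticket or of Wikimedia's puppet code): a model of the POSIX read check applied to the ownership described in the comment above. The numeric uid/gid values and the function names are constructed for illustration.

```python
import stat

def can_read(mode, file_uid, file_gid, uid, gids):
    """Model of the POSIX discretionary read check.

    Exactly one permission class applies: owner, else group, else other.
    """
    if uid == 0:
        return True  # root bypasses discretionary read checks
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)  # owner class only, even if in the group
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# Constructed numeric ids; the real values live in the site's account data.
ROOT_UID, ROOT_GID = 0, 0
RESEARCHERS_GID = 5001   # stands in for the "researchers" group
PRIVATEDATA_GID = 5002   # stands in for "analytics-privatedata-users"
USER_UID = 2001          # stands in for a newly created shell account

# Ownership and mode of the credentials file as reported in the comment.
CRED_FILE = {
    "stat1002": {"mode": 0o440, "uid": ROOT_UID, "gid": ROOT_GID},
    "stat1003": {"mode": 0o440, "uid": ROOT_UID, "gid": RESEARCHERS_GID},
}

def audit(uid, gids):
    """Return {host: readable?} for a user with the given group set."""
    return {
        host: can_read(f["mode"], f["uid"], f["gid"], uid, gids)
        for host, f in CRED_FILE.items()
    }

if __name__ == "__main__":
    for label, gids in [("researchers", {RESEARCHERS_GID}),
                        ("privatedata only", {PRIVATEDATA_GID})]:
        print(label, audit(USER_UID, gids))
```

With mode 440 the "other" class has no bits set, so group ownership alone decides who besides root can read the credentials.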

Ping @Jdrewniak; please sign the L3 document mentioned in Andrew's comment above. Thanks!

We may still need to give you the right access on stat1003; your accounts are up on stat1002 so let me know if you can't get all you need there and I'll fix you up.

If one has stat1002 access via the analytics-privatedata-users group, they can read the mysql credentials out of `/etc/mysql/conf.d/analytics-research-client.cnf`, and no stat1003 access is needed.

Also, for pedanticness: there is no eventlogging db on stat1003! There is a mysql client installed on stat1003 that is often used to access the eventlogging db which lives elsewhere on some mysql database box. There is also a mysql client on stat1002 that can be used for the same purpose.

https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Analytics_slaves
https://wikitech.wikimedia.org/wiki/Analytics/Data_access#EventLogging_data

I see no one's tried to get onto stat1002 or anything yet; as soon as you folks verify that your access is good, I can close this ticket. Thanks!

I set up my ssh config file according to https://wikitech.wikimedia.org/wiki/Analytics/Cluster/Access but I was unable to ssh into stat1002.eqiad.wmnet. I tried to ssh into bastion directly but I received a permission denied error. @ArielGlenn could you confirm that I have bastion access?

Change 256121 had a related patch set uploaded (by ArielGlenn):
give jgirault and jdrewniak bastion access

https://gerrit.wikimedia.org/r/256121

Change 256121 merged by ArielGlenn:
give jgirault and jdrewniak bastion access

https://gerrit.wikimedia.org/r/256121

Good catch. Your accounts are now also both live on bast1001.wikimedia.org (if you plan to go through another bastion, please wait 30 minutes for puppet to run over there before trying). Care to check again?

Thanks! I'm able to log in to stat1002 now :)

Can you nudge jgirault to check too (I dunno if you are in the same physical location or not but we can always hope)?

@JGirault, can you verify that you have access to stat1002 please? Then I can close this ticket.

Dzahn added a subscriber: Dzahn.

[stat1002:~] $ lastlog | grep jgirault
jgirault Never logged in

^ @JGirault can you login and confirm it works for you?

Works, I just logged in :)

Thanks for confirming :) We are closing the ticket then.

Dzahn removed a project: Patch-For-Review.
Dzahn set Security to None.