
Requesting access to research groups for Helen Jiang
Closed, Resolved (Public)

Description

Helen Jiang is a new data analyst in the Editing team, so she will need access to MariaDB replicas of the application and EventLogging databases and to the pageview and other datasets in Hadoop.

Groups requested: bastiononly, researchers, statistics-users, statistics-privatedata-users, analytics-users, analytics-privatedata-users
(some of these might be overlapping but I'm not sure which)

Username: hjiang
Full name: Helen Jiang

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper.

@HJiang-WMF, you'll need to sign the server access responsibilities document and post your production-only public key here.

@Jdforrester-WMF, you'll need to give manager approval.

Restricted Application removed a subscriber: Zppix. (Jul 18 2016, 5:19 PM)

I already signed the Acknowledgment of Wikimedia Server Access Responsibilities.

Dzahn triaged this task as Medium priority. (Jul 19 2016, 1:56 AM)

SSH public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaary3YNmqf/fNSfBuhAkOQjOJhAKmwUjlKM5eQXlBMTyYdkFxdhEzBVKQeba2O8WSoazfx9fgmtdrJY4LVBH5Xk6DVe7tZcsS6ovpkPFqdey5bOVUOV4IYviuINBIuHjo8Z1LEXGibbB2EsrqsXsm+9NX9bcPifUhFK1ymd6LPjaD/XMeYWld29WwXqK8VW56SWdWpCcSmnVASaHrTXlqgDw6FY3sOjGZbUxoRz2qknSaapMIT2W6rkFoPrDiG5eqi2dS45/vMpEN7FBN6sx3FbjStM3kGu0PrfVDyDcK3+YyvwNgshV4RiW7VMWcsYkpxSWJlKBJMmQwEQDWNabH helen@localhost.localdomain

Change 300003 had a related patch set uploaded (by Elukey):
Add new user 'hjiang' for Helen Jiang

https://gerrit.wikimedia.org/r/300003

Change 300003 merged by Dzahn:
Add new user 'hjiang' for Helen Jiang

https://gerrit.wikimedia.org/r/300003

@Dzahn, thank you!

One question: as far as I can tell, the patch creates a new shell account for Helen but doesn't add her to any of the access groups (e.g. researchers) she needs. Am I missing something?

No, you are right about that. Just that the creation of the user and adding it to groups has to be in separate patches and I was just merging the first one that Elukey already uploaded.

Ah, okay, thanks for the clarification!

@Neil_P._Quinn_WMF yep, we will get this done and add the groups ASAP. Thanks for the patience.

Change 300526 had a related patch set uploaded (by Elukey):
Add user hjiang to analytics/research related groups.

https://gerrit.wikimedia.org/r/300526

Change 300526 merged by Dzahn:
Add user hjiang to analytics/research related groups.

https://gerrit.wikimedia.org/r/300526

on bast1001.wikimedia.org:

Notice: /Stage[main]/Admin/Admin::Hashuser[hjiang]/Admin::User[hjiang]/Ssh::Userkey[hjiang]/File[/etc/ssh/userkeys/hjiang]/ensure: created

@Neil_P._Quinn_WMF ^ The user has been created on the first bastion host. It will also be created on bastion2001, 3001 and 4001 and the stats/analytics hosts once puppet runs there within the next half hour or so.

Dzahn closed this task as Resolved. (Jul 22 2016, 9:35 PM)
Dzahn claimed this task.

@HJiang-WMF Hi, your access has been granted. You should be able to connect now (or within the next hour at least). I think your team mates with existing access can walk you through the details. Let us know if you run into any problems.

also see:

https://wikitech.wikimedia.org/wiki/Production_shell_access#Standard_config for examples of the ssh config you'll need.

You can test by connecting to bast1001.wikimedia.org directly first, and then set it up so that you proxy through that machine directly to the stats servers.

Thanks a lot Dan! Will do the config and try the connection as you suggested.

Outage of access to bast1001.

OS: Fedora 23. Have successfully ssh-ed into other services before. Standard ssh config file but unable to ssh into bast1001 now. Also have to "sudo" to ssh into bast1001, then after sudo password OS asks for "Password" which is not any one of my existing WMF-related passwords.

Attempts:

  1. ssh -v did not give any useful information (the authentication was continued and then denied).
  2. ssh -i path_to_my_private_key asks for the 2nd password too.
  3. ssh-add path_to_my_private_key successful (did not prompt passphrase when I created the key pairs, but showed "identity added"), then ssh to bast1001 still encounters the same 2nd password trap.
  4+. Kept the standard config untouched and tried to add different config settings with ssh combinations as well, all failed and encountered the same 2nd password trap.

Following Daniel's advice, I post the comment here on Phabricator. Thank you so much and your help will be much appreciated!

Standard ssh config file but unable to ssh into bast1001 now. Also have to "sudo" to ssh into bast1001, then after sudo password OS asks for "Password" which is not any one of my existing WMF-related passwords.

You should not have to sudo to use ssh, something must be wrong on your machine. What happens when you use SSH without sudo?
There is no password that will successfully log you in from that prompt - getting a password prompt means your SSH keys failed to authenticate you.
Please check ssh-add -L - there should be one listed as ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaary3YNmqf/fNSfBuhAkOQjOJhAKmwUjlKM5eQXlBMTyYdkFxdhEzBVKQeba2O8WSoazfx9fgmtdrJY4LVBH5Xk6DVe7tZcsS6ovpkPFqdey5bOVUOV4IYviuINBIuHjo8Z1LEXGibbB2EsrqsXsm+9NX9bcPifUhFK1ymd6LPjaD/XMeYWld29WwXqK8VW56SWdWpCcSmnVASaHrTXlqgDw6FY3sOjGZbUxoRz2qknSaapMIT2W6rkFoPrDiG5eqi2dS45/vMpEN7FBN6sx3FbjStM3kGu0PrfVDyDcK3+YyvwNgshV4RiW7VMWcsYkpxSWJlKBJMmQwEQDWNabH

ssh-add -L lists exactly the key listed in the previous comment

"Bad owner or permissions" on my path_to_ssh_config file if I don't sudo... my ssh config is standard as the wikitech article indicated

"Bad owner or permissions" on my path_to_ssh_config file if I don't sudo...,

Hi, can you try this:

  • navigate to directory with ssh config, usually called ".ssh" starting with a dot, in your home directory
    • type cd .ssh
  • change permissions so that all files are read-write for owner but not others
    • type chmod 600 *

also see this for additional info, it could also be the permissions on the home directory itself

http://unix.stackexchange.com/questions/37164/ssh-and-home-directory-permissions#37167
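
An added example, not part of the original thread: a small audit of the permission problem discussed above. It assumes GNU `stat` (as on Fedora) and key files named `id_*`; the function names and the sample directory are constructed for illustration. The config rule (owned by the user or root, not writable by group or others) is the one behind the client's "Bad owner or permissions" error; the key rule (no group/other bits at all) is the stricter one ssh applies to private keys, and the owner check is applied to both here.

```bash
#!/bin/sh
# check_ssh_file FILE KIND -> prints "ok", "bad-owner" or "bad-mode".
# KIND "config": must not be group/world writable (mask 022).
# KIND "key":    must have no group/other permission bits (mask 077).
check_ssh_file() {
    local file=$1 kind=$2 mode uid mask
    mode=$(stat -c '%a' "$file") || return 2    # octal mode, e.g. 600
    uid=$(stat -c '%u' "$file")                 # numeric owner
    if [ "$uid" -ne "$(id -u)" ] && [ "$uid" -ne 0 ]; then
        echo bad-owner
        return 0
    fi
    case $kind in
        config) mask=022 ;;
        *)      mask=077 ;;
    esac
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo bad-mode
    else
        echo ok
    fi
}

# audit_ssh_dir DIR -> one "STATUS PATH" line for the config and each private key.
audit_ssh_dir() {
    local dir=$1 f
    if [ -f "$dir/config" ]; then
        echo "$(check_ssh_file "$dir/config" config) $dir/config"
    fi
    for f in "$dir"/id_*; do
        case $f in *.pub) continue ;; esac       # public keys may be world-readable
        if [ -f "$f" ]; then
            echo "$(check_ssh_file "$f" key) $f"
        fi
    done
}

# Constructed sample directory (not a real ~/.ssh) so the script runs anywhere.
demo=$(mktemp -d)
touch "$demo/config" "$demo/id_rsa" "$demo/id_rsa.pub"
chmod 664 "$demo/config"    # group-writable: ssh would reject this config
chmod 600 "$demo/id_rsa"    # private key readable by owner only
audit_ssh_dir "$demo"
```

To check a real setup, call `audit_ssh_dir "$HOME/.ssh"`. A `bad-mode` result is cleared by the `chmod 600` suggested above, while `bad-owner` needs `chown` instead.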

Hi, I tried the chmod 600 * for a 2nd time and was able to log in to myusername@bast1001 without sudo, but when I tried to ssh from there in to any specific stat machines (e.g. stat1001), the same "password" prompt appeared and neither the login credential I have on WikiTech nor Phabricator authenticated me... I configured the ssh config file and set the identity file to my key. I'm very confused about what is to be done from here...

When you say "when I tried to ssh from there in to any specific stat machines (e.g. stat1001)", did you just type "ssh stat1003" into the console on hjiang@bast1001? That will not work. You should ssh to stat1003 from your own machine, and let your SSH config take care of proxying it through the bastion host.

Also:

There is no password that will successfully log you in from that prompt - getting a password prompt means your SSH keys failed to authenticate you.

I would not share my wikitech/phabricator passwords with other systems, even production servers.

No, I meant that even with my ssh config specified that I could log in just at my local machine with ssh stat1003, it did not log me in and dragged my machine to halt and death every time...My ssh config specified details from stat1001 to stat1004, and all but stat1003 work...

Clarification: stat1003 log in is so slow that I'm not certain if it would actually be logged in. The "password" issue is resolved, thanks!

Changing bastion host does not work, and even 1001, 1002, and 1004 could not be logged in easily any more.

"Slow" is that after waiting for ~10 minutes, no keyboard shortcut or mouse could move anything on the user interface, and no command line message is shown in-window or popped up.

HJiang-WMF closed this task as Resolved. (Aug 4 2016, 7:24 PM)

The "password" issue and connection to bastion hosts are resolved so closing the ticket. The time out issue of logging in to stat machines is located at: https://phabricator.wikimedia.org/T142126. Thanks everyone for helping!