
NDA-Request Jonas Kress
Closed, Resolved, Public

Description

As an employee of WMDE Germany I request access to

Grafana backend - To make dashboards based on data in graphite
WebRequestLogs - To see referrers in requests to query.wikidata.org

Event Timeline

Grafana backend - To make dashboards based on data in graphite

https://wikitech.wikimedia.org/wiki/LDAP_Groups lists "grafana-admin - for others that, without signing an NDA, can log in and edit dashboards on grafana-admin.wikimedia.org". If that's the case, this might be LDAP-Access-Requests instead - see the link for required info.

jcrespo added a subscriber: jcrespo.

I do not know why this is assigned to me, these requests should be handled by https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty (I've added the right tags).

For the person on duty: indeed, grafana-admin is thought for access to grafana without needing special privileges (I only would put as a condition that the request is legitimate (someone confirms he is who he says and explains why it is needed)).

I am not sure what WebRequestLogs means, that should be clarified.

The NDA group grants access to grafana-admin and a few more things. If @Jonas has already signed an NDA, we should probably add him to the nda group and not individual groups.

Gehel triaged this task as Medium priority. Jul 21 2016, 4:50 PM

FWIW I can confirm that @Jonas is who he says he is.

@Jonas has not yet signed NDA. He needs access to access logs of query.wikidata.org. We probably can't give access to that without NDA, so let's wait until this is signed and move forward on all of this at once.

Looking at the documentation, this requires approval from a WMF manager. @K4-713 as this is related to the Discovery-ARCHIVED work on WDQS, could you give your approval?

Documentation says:

(Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.)

I'm not sure what all that means, but at least Jonas's mediawiki username is: Jonas_Kress_(WMDE)

Looking at the documentation, this requires approval from a WMF manager. @K4-713 as this is related to the Discovery-ARCHIVED work on WDQS, could you give your approval?

Generally @Deskana has given approval for previous WMDE requests / NDAs ( T116784#1764810 )

Then @debt (who now has @Deskana's role) could probably also approve this. Actually any of [ @K4-713, @Deskana, @debt ] should be sufficient for approval.

(Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.)

The reason is to check that the Phabricator account is from someone who they claim to be.

I added @Jonas to WMF-NDA-Requests project, which should allow him to sign the NDA as per documentation.

Apparently not

Access Denied: L2 Trusted Volunteer Access & Confidentiality Agreement	
You do not have permission to edit this object.

The correct link should be https://phabricator.wikimedia.org/L2 (thanks @Krenair). I'm not able to test... so I might be missing something...

confirmed Jonas has signed L2 now

@Jonas Do you have a user on wikitech wiki? (https://wikitech.wikimedia.org/wiki/Main_Page) please paste the user name or create one if you don't have one yet. This is because that creates an LDAP user, which then has to be added to a group to allow access to grafana admin.

Alright, found the shell name associated with the wikitech user is "jk" using ldapsearch. Added jk to the LDAP group called "nda".

ldapsearch -x -b ou=people,dc=wikimedia,dc=org cn=Jonas*
..
sudo modify-ldap-group --addmembers jk nda

@terbium:~# sudo ldaplist -l group nda | grep jk
member: uid=jk,ou=people,dc=wikimedia,dc=org

@terbium:~# sudo ldaplist -l passwd jk | grep cn:
cn: Jonas Kress (WMDE)

@Jonas You should now be able to login at grafana-admin using your wikitech credentials. It also gives you a login at icinga and servermon.

The grafana-admin part of this request should be resolved now. I am not sure about the WebRequestLogs, @Gehel do you know how to continue there now that the NDA has been signed?

The grafana-admin part of this request should be resolved now. I am not sure about the WebRequestLogs, @Gehel do you know how to continue there now that the NDA has been signed?

@Jonas see https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access for the extra details that are needed to proceed with your access to 'WebRequestLogs'

You need a production shell account and then you need to be added to the 'analytics-privatedata-users' group, I believe, which will give you access to hadoop via stat1002 which contains the web request data.

I endorse this request. (but it might make sense to do the webrequest / shell access request in a separate ticket)

@Jonas You should now be able to login at grafana-admin using your wikitech credentials. It also gives you a login at icinga and servermon.

Actually servermon doesn't give access to wmf/nda users, only ops and me.

AlexMonk is right, I said that because of this line "31 # Require ldap-group cn=nda,ou=groups,dc=wikimedia,dc=org" but did not notice right away it's commented out.

It would probably be easier for @Jonas to have direct access to the nginx logs on the wdqs servers. I'm not familiar with how we handle that (if we do). Currently those logs are owned by www-data:adm, mode 750, but no one on those servers seems to be in the adm group. So my guess is that we only allow people with full sudo access to see those logs, which we don't want to give to @Jonas. So the "easy" options might not be possible...

Would it be ok with everyone here if we confirm the grafana part works, close this ticket as resolved (since it was all about NDA) and open a new one for actual shell access if that is needed to fix the second part of it?

It would probably be easier for @Jonas to have direct access to the nginx logs on the wdqs servers. I'm not familiar with how we handle that (if we do). Currently those logs are owned by www-data:adm, mode 750, but no one on those servers seems to be in the adm group. So my guess is that we only allow people with full sudo access to see those logs, which we don't want to give to @Jonas. So the "easy" options might not be possible...

The only thing to note there is that no requests that are cached by varnish will make it to the nginx logs.

Would it be ok with everyone here if we confirm the grafana part works, close this ticket as resolved (since it was all about NDA) and open a new one for actual shell access if that is needed to fix the second part of it?

I think that makes sense

I am calling this ticket resolved because the NDA part is completed.

@Jonas If you think you need actual shell access please open another ticket starting from https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access