
NDA-Request Jonas Kress
Closed, Resolved · Public

Description

As an employee of WMDE Germany I request access to

Grafana backend - To make dashboards based on data in graphite
WebRequestLogs - To see referrers in requests to query.wikidata.org

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · Jul 20 2016, 4:01 PM

Grafana backend - To make dashboards based on data in graphite

https://wikitech.wikimedia.org/wiki/LDAP_Groups lists "grafana-admin - for others that, without signing an NDA, can log in and edit dashboards on grafana-admin.wikimedia.org". If that's the case, this might be LDAP-Access-Requests instead - see the link for required info.

jcrespo removed jcrespo as the assignee of this task. · Jul 21 2016, 4:19 PM
jcrespo added a subscriber: jcrespo.

I do not know why this is assigned to me, these requests should be handled by https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty (I've added the right tags).

For the person on duty: indeed, grafana-admin is thought for access to grafana without needing special privileges (I only would put as a condition that the request is legitimate (someone confirms he is who he says and explains why it is needed)).

I am not sure what WebRequestLogs means, that should be clarified.

Restricted Application added a project: Operations. · Jul 21 2016, 4:19 PM
jcrespo removed a subscriber: jcrespo. · Jul 21 2016, 4:19 PM
Gehel added a subscriber: Gehel. · Jul 21 2016, 4:43 PM

The NDA group grants access to grafana-admin and a few more things. If @Jonas has already signed an NDA, we should probably add him to the nda group and not individual groups.

Gehel triaged this task as Normal priority. · Jul 21 2016, 4:50 PM

FWIW I can confirm that @Jonas is who he says he is.

Gehel added a comment. · Jul 22 2016, 9:20 AM

@Jonas has not yet signed NDA. He needs access to access logs of query.wikidata.org. We probably can't give access to that without NDA, so let's wait until this is signed and move forward on all of this at once.

Gehel added a subscriber: K4-713. · Jul 22 2016, 1:00 PM

Looking at the documentation, this requires approval from a WMF manager. @K4-713 as this is related to the Discovery work on WDQS, could you give your approval?

Gehel added a comment. · Jul 22 2016, 1:07 PM

Documentation says:

(Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.)

I'm not sure what all that means, but at least Jonas' mediawiki username is: Jonas_Kress_(WMDE)

Looking at the documentation, this requires approval from a WMF manager. @K4-713 as this is related to the Discovery work on WDQS, could you give your approval?

Generally @Deskana has given approval for previous WMDE requests / NDAs ( T116784#1764810 )

Gehel added a subscriber: debt. · Jul 22 2016, 1:26 PM

Then @debt (who now has @Deskana's role) could probably also approve this. Actually any of [ @K4-713, @Deskana, @debt ] should be sufficient for approval.

(Have someone with access double-check which mediawiki.org account that the manager's Phabricator account is linked to, where the SUL account was created, and how it was created on that wiki.)

The reason is to check that the Phabricator account is from someone who they claim to be.

Gehel added a comment. · Jul 22 2016, 4:22 PM

I added @Jonas to WMF-NDA-Requests project, which should allow him to sign the NDA as per documentation.

Apparently not

Access Denied: L2 Trusted Volunteer Access & Confidentiality Agreement	
You do not have permission to edit this object.
Gehel added a subscriber: Krenair. · Jul 22 2016, 7:47 PM

The correct link should be https://phabricator.wikimedia.org/L2 (thanks @Krenair). I'm not able to test... so I might be missing something...

Dzahn added a subscriber: Dzahn. · Jul 22 2016, 10:38 PM

confirmed Jonas has signed L2 now

@Jonas Do you have a user on wikitech wiki? (https://wikitech.wikimedia.org/wiki/Main_Page) please paste the user name or create one if you don't have one yet. This is because that creates an LDAP user, which then has to be added to a group to allow access to grafana admin.

Dzahn added a comment. · Jul 26 2016, 6:18 AM

Alright, found the shell name associated with the wikitech user is "jk" using ldapsearch. Added jk to the LDAP group called "nda".

ldapsearch -x -b ou=people,dc=wikimedia,dc=org cn=Jonas*
..
sudo modify-ldap-group --addmembers jk nda

@terbium:~# sudo ldaplist -l group nda | grep jk
member: uid=jk,ou=people,dc=wikimedia,dc=org

@terbium:~# sudo ldaplist -l passwd jk | grep cn:
cn: Jonas Kress (WMDE)

@Jonas You should now be able to login at grafana-admin using your wikitech credentials. It also gives you a login at icinga and servermon.

Dzahn closed this task as Resolved. · Jul 26 2016, 6:20 AM

the grafana-admin part of this request should be resolved now. i am not sure about the WebRequestLogs, @Gehel do you know how to continue there now that the NDA has been signed?

Dzahn reopened this task as Open. · Jul 26 2016, 6:20 AM
Addshore added a comment. · Edited · Jul 26 2016, 9:52 AM

the grafana-admin part of this request should be resolved now. i am not sure about the WebRequestLogs, @Gehel do you know how to continue there now that the NDA has been signed?

@Jonas see https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access for the extra details that are needed to proceed with your access to 'WebRequestLogs'

You need a production shell account and then you need to be added to the 'analytics-privatedata-users' group I believe which will give you access to hadoop via stat1002 which contains the web request data.

I endorse this request. (but it might make sense to do the webrequest / shell access request in a separate ticket)

@Jonas You should now be able to login at grafana-admin using your wikitech credentials. It also gives you a login at icinga and servermon.

Actually servermon doesn't give access to wmf/nda users, only ops and me.
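
Whether an LDAP group such as nda gets a login on a tool like servermon depends on which `Require ldap-group` lines in its web server config are active; a commented-out line grants nothing. The script below is an added example, not part of this ticket or of Wikimedia's tooling: it reads an Apache-style config and lists the groups named in active and in commented-out directives. The sample config, the `cn=ops` DN and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which LDAP groups an Apache config really enforces.

# Constructed sample config (not the real servermon vhost). The nda line is
# commented out; the ops DN is an assumed value for illustration.
sample_conf() {
cat <<'EOF'
<Location />
    AuthType Basic
    AuthBasicProvider ldap
    Require ldap-group cn=ops,ou=groups,dc=wikimedia,dc=org
    # Require ldap-group cn=nda,ou=groups,dc=wikimedia,dc=org
</Location>
EOF
}

# ldap_groups MODE: read a config on stdin and print the cn of every group
# named in a "Require ldap-group" line.
#   MODE=active    -> live directives only
#   MODE=commented -> lines disabled by a leading '#'
# Apache treats a line as a comment only when '#' is its first non-blank
# character, so that is the test used here. Line continuations are not handled.
ldap_groups() {
    awk -v mode="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        commented = (line ~ /^#/)
        sub(/^#+[ \t]*/, "", line)
        if (tolower(line) !~ /^require[ \t]+ldap-group[ \t]+/) next
        if ((mode == "active") == commented) next
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)  # drop "Require ldap-group"
        sub(/^"/, "", line)                           # DN may be quoted
        split(line, rdn, ",")                         # first RDN is cn=<group>
        sub(/^[cC][nN]=/, "", rdn[1])
        print rdn[1]
    }'
}

# group_can_log_in GROUP: config on stdin; exit 0 only if GROUP appears in an
# active directive.
group_can_log_in() {
    ldap_groups active | grep -qx -- "$1"
}

echo "active:    $(sample_conf | ldap_groups active)"
echo "commented: $(sample_conf | ldap_groups commented)"
```
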

Dzahn added a comment. · Jul 26 2016, 3:00 PM

AlexMonk is right, i said that because of this line "31 # Require ldap-group cn=nda,ou=groups,dc=wikimedia,dc=org" but did not notice right away it's commented out.

Gehel added a comment. · Jul 26 2016, 8:01 PM

It would probably be easier for @Jonas to have direct access to the nginx logs on the wdqs servers. I'm not familiar with how we handle that (if we do). Currently those logs are owned www-data:adm, mode 750 but no one on those servers seems to be in adm group. So my guess is that we only allow people with full sudo access to see those logs, which we don't want to give to @Jonas. So the "easy" options might not be possible...

Dzahn added a comment. · Jul 26 2016, 8:23 PM

Would it be ok with everyone here if we confirm the grafana part works, close this ticket as resolved (since it was all about NDA) and open a new one for actual shell access if that is needed to fix the second part of it.

It would probably be easier for @Jonas to have direct access to the nginx logs on the wdqs servers. I'm not familiar with how we handle that (if we do). Currently those logs are owned www-data:adm, mode 750 but no one on those servers seems to be in adm group. So my guess is that we only allow people with full sudo access to see those logs, which we don't want to give to @Jonas. So the "easy" options might not be possible...

The only thing to note there is that no requests that are cached by varnish will make it to the nginx logs.

Would it be ok with everyone here if we confirm the grafana part works, close this ticket as resolved (since it was all about NDA) and open a new one for actual shell access if that is needed to fix the second part of it.

I think that makes sense

Dzahn added a comment. · Jul 27 2016, 1:17 AM

I am calling this ticket resolved because the NDA part is completed.

@Jonas If you think you need actual shell access please open another ticket starting from https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access

Dzahn closed this task as Resolved. · Jul 27 2016, 1:18 AM