Page MenuHomePhabricator

Requesting access to terbium for smalyshev (restricted group)
Closed, ResolvedPublic

Description

Username: smalyshev
Full name: Stas Malyshev

Requesting access to terbium to be able to run scripts for reindexing the ElasticSearch database, like required by T145561.

Event Timeline

Smalyshev created this task.Oct 7 2016, 6:30 PM
Restricted Application added a project: Operations. · View Herald TranscriptOct 7 2016, 6:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

This would be either restricted or the much more powerful deployment. Probably not ldap-admins

RobH assigned this task to Smalyshev.Oct 7 2016, 7:27 PM
RobH added a subscriber: RobH.

@Smalyshev: What exactly do you need to do with your access to terbium? (This will let us know which group to add you do.)

As Alex already commented on, this is likely for 'restricted' or 'deployment', both require ops team meeting approval as they are sudo.

Our ops meeting next week is on Tuesday. Please try to clarify your request before then, or it will have to wait for the ops meeting the following week.

I've assigned this to @Smalyshev pending feedback. Once feedback is provided, please set to unassigned and ops clinic will pick it back up.

Clinic Duty Note: Stas already had cluster access, so this is just a group addition (likely with some sudo rights)

Thanks!

Smalyshev added a comment.EditedOct 7 2016, 7:34 PM

@RobH: for now mainly run scripts, e.g. reindexing Elasticsearch after deploying various changes to mappings/indexing, like these: https://wikitech.wikimedia.org/wiki/Search#In_place_reindex

I don't think I actually need sudo for now, the only thing sudo may be needed is restarts and I'm not going to need that AFAIK.

Not sure which group it is, as long as I can log in to terbium and run the scripts as described above, that'd be enough for my current needs.

@RobH: for now mainly run scripts, e.g. reindexing Elasticsearch after deploying various changes to mappings/indexing, like these: https://wikitech.wikimedia.org/wiki/Search#In_place_reindex
I don't think I actually need sudo for now, the only thing sudo may be needed is restarts and I'm not going to need that AFAIK.

mwscript uses sudo to become www-data. I wouldn't run MW code as your own user in production.

Smalyshev reassigned this task from Smalyshev to RobH.Oct 7 2016, 7:36 PM

@AlexMonk-WMF OK, I didn't know that :) Then I do need the sudo which allows to use mwscript.

RobH added a comment.EditedOct 7 2016, 7:55 PM

As @AlexMonk-WMF points out, you likely need to run your scripts as www-data, not as yourself. Hence being added to 'restricted' group to allow that access/sudo level. You aren't getting sudo as root, merely as www-data to servers that allow 'restricted' user group to access them.

As far as I can tell, 'restricted' would only give you access to the following hosts:

hosts/fluorine.yaml: - restricted
hosts/mw1152.yaml: - restricted
role/common/mediawiki/maintenance.yaml: - restricted

And the last only includes terbium and wasat.

The index update for elastic seems to be something that needs to apply across which servers exactly? Just terbium or one of the hosts listed above, or more than those?

restricted looks good then. IIRC elasticsearch will take care of the replication etc.

Pinging @EBernhardson just in case I miss something, but looks good to me.

being able to run scripts from terbium is the only important part, sounds like the restricted group should cover our bases.

RobH changed the task status from Open to Stalled.Oct 7 2016, 8:45 PM

Sounds good. As noted previously, this uses sudo for www-data, so it'll have to be approved in the Operations meeting next week.

The meeting typically takes place on Monday, but is Tuesday next week (due to holiday in USA.)

Dzahn added a subscriber: Dzahn.Oct 7 2016, 10:42 PM

@Smalyshev Btw, it's not just terbium it's also wasat, the equivalent of terbium in codfw. So if we switch over at some point it will be that to do the same thing. You would get access via the role mediawiki::maintenance though, not by hostname, so your access will always be applied where that role is applied.

RobH renamed this task from Requesting access to terbium for smalyshev to Requesting access to terbium for smalyshev (restricted group).Oct 11 2016, 3:15 PM

Change 315308 had a related patch set uploaded (by RobH):
smalyshev access to restricted usergroup

https://gerrit.wikimedia.org/r/315308

Change 315308 merged by RobH:
smalyshev access to restricted usergroup

https://gerrit.wikimedia.org/r/315308

RobH closed this task as Resolved.Oct 11 2016, 6:00 PM
RobH removed a project: Patch-For-Review.

@Smalyshev

This was approved in the ops meeting today, so I've merged your access to the cluster. It may take up to 30 minutes for the affected systems to get the update.

RobH removed RobH as the assignee of this task.Oct 11 2016, 6:01 PM