
Cannot access replica databases - access denied
Closed, Resolved, Public

Description

Hello,

While trying to access the replica databases as per https://wikitech.wikimedia.org/wiki/Help:Tool_Labs/Database, using:

mysql --defaults-file="${HOME}"/replica.my.cnf -h enwiki.labsdb enwiki_p or sql enwiki

I get the following error:

ERROR 1045 (28000): Access denied for user 'xxxx'@'xxxxx' (using password: YES)

ls -lhd returns:

-rw-r--r-- 1 xxxx wikidev 50 Mar 17 2014 replica.my.cnf

The contents of the file are:

[client]
user='xxxx'
password='<redacted out for security>'

Event Timeline

MnemonicFlow renamed this task from Cannot access repliaca databases - access denied to Cannot access replica databases - access denied. Nov 22 2016, 9:00 AM
chasemp subscribed.

Did this work previously and, if so, when?

With this username I don't remember if it did work or not. I've previously used the 'cff' shell username to access the replica databases, to which I've lost access (I can't remember the ssh key used nor the wikitech account attached to it).
Can't a sysadmin revoke the user/pass in replica.my.cnf and create a new one that works or try to figure out why the current user/pass fails to connect?

There appears to be some generic problem with generating replica.my.cnf files in /home for users. It may take a bit to untangle. @Andrew is there a way to recover the cff shell account for this user in the short term?

I've found the ssh public/private key pair used.
I still have access to the email address, however I think I've changed or unset altogether the email address / ssh key of the user some time ago, I don't remember exactly.

If I try to recover the password of the user via https://wikitech.wikimedia.org/wiki/Special:PasswordReset I don't get any recovery email.

If I try to ssh into dev.tools.wmflabs.org with the private key, I get "Permission denied (publickey,keyboard-interactive,hostbased).", which probably means the ssh public key is not attached to any WikiTech account... even though it was attached to the user for sure, as I've used it in the past successfully.

@MnemonicFlow: The mail address for 9emE0iL18gxCqLT is hosted by Dr Evil :-). If you need further details or have difficulties with your access, please open a separate (private) task so that the scope of this task remains limited.

Regarding your problem here, the MySQL user u4507 is the shell user cff (getent passwd 4507). The shell user mnemonicflow should be the MySQL user u11597, so it appears as if you (?) copied the username once from cff's replica.my.cnf to mnemonicflow's.

But: Even with u11597 and any password from cff's and mnemonicflow's replica.my.cnfs I get ERROR 1045 (28000): Access denied for user 'u11597'@'10.68.23.58' (using password: YES).

So the replica.my.cnfs should be recreated by a Labs admin following https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#Regenerate_replica.my.cnf:

  1. Delete /home/{cff,mnemonicflow}/replica.my.cnf and
  2. run /usr/local/sbin/delete-dbuser --config /etc/create-dbusers.yaml u4507 and /usr/local/sbin/delete-dbuser --config /etc/create-dbusers.yaml u11597 on labstore.

How can I contact an admin so that I can have a working replica.my.cnf file? I still cannot connect to the replicas...
As a simple user I don't have the necessary rights to do these changes. Can anyone help?

@MnemonicFlow You can contact an admin using IRC: connect to #wikimedia-cloud on freenode and bring up your problem. Also include the T-number you can see in the URL, as the admin can read other info from it too. You can connect to the freenode IRC network with an installed IRC client or, if you don't have one, via the web client at webchat.freenode.net.

Best,
Martin

Urbanecm raised the priority of this task from Medium to High. Mar 17 2017, 5:38 PM

This seems to be a breaking problem, so I'm raising the priority to High.

This is a known issue and T158420 will resolve it, but at present there is no mechanism for maintaining per-user replica creds, only per-tool ones. It's in progress though.

@madhuvishy I see that the user exists:

root@labsdb1001[(none)]> SHOW GRANTS FOR 'u4507';
+---------------------------------------------------------------+
| Grants for u4507@%                                            |
+---------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'u4507'@'%' IDENTIFIED BY <secret stuff>|
| GRANT ALL PRIVILEGES ON `u4507\_\_%`.* TO 'u4507'@'%'         |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO 'u4507'@'%'            |
+---------------------------------------------------------------+
3 rows in set (0.00 sec)

Okay I think this springs from there being two users cff and mnemonicflow and both mapping to ldap user id 4507 - I'm looking into how we can resolve this.

@MnemonicFlow Hi, okay - I'm still investigating how to clean up user cff. But I think your replica file as shell user MnemonicFlow on tools should work now.

Update - both shell accounts cff and MnemonicFlow should have working replica.my.cnfs in their home directory now.

To explain, user cff is ldap id 4507 (mysql user u4507), and I assume the replica.my.cnf for this user was at some point copied over to the home of user MnemonicFlow. User MnemonicFlow is in fact ldap id 11597, and mysql user u11597. When the maintain-dbuser script harvested existing creds, it found two matching u4507 and hence no account/grants for user MnemonicFlow were created. I deleted and recreated all the records and it's all good now.
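The two consistency rules stated in this thread (scfc: the MySQL user in replica.my.cnf should be "u" followed by the shell account's LDAP uid; madhuvishy: a credential copied between two homes collides when creds are harvested) can be checked mechanically. The script below is an added example, not part of this task or of Wikimedia's maintain-dbuser tooling; the uids, file contents and passwords are constructed, and `audit` takes an in-memory map instead of reading /home.

```python
import configparser
from typing import Dict, List, Tuple


def parse_replica_cnf(text: str) -> Dict[str, str]:
    """Parse the [client] section of a replica.my.cnf.

    mysql accepts single-quoted values (user='u4507'), so the quotes are stripped.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {key: value.strip("'\"") for key, value in cp["client"].items()}


def expected_mysql_user(uid: int) -> str:
    # Mapping described in the thread: shell uid 4507 -> u4507, uid 11597 -> u11597.
    return f"u{uid}"


def audit(homes: Dict[str, Tuple[int, str]]) -> List[str]:
    """Return one finding per shell user whose replica.my.cnf is wrong.

    homes maps shell user -> (ldap uid, contents of ~/replica.my.cnf).
    Detects (a) a MySQL user that does not match the uid and
    (b) the same MySQL user appearing in more than one home.
    """
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for shell_user, (uid, cnf_text) in homes.items():
        mysql_user = parse_replica_cnf(cnf_text).get("user", "")
        wanted = expected_mysql_user(uid)
        if mysql_user != wanted:
            findings.append(f"{shell_user}: replica.my.cnf has user {mysql_user!r}, expected {wanted!r}")
        if mysql_user in seen:
            findings.append(f"{shell_user}: credential {mysql_user!r} is also present in {seen[mysql_user]}'s home")
        else:
            seen[mysql_user] = shell_user
    return findings


# Constructed sample reproducing the situation in the thread: cff's file is correct,
# mnemonicflow's home holds a copy of it. Passwords are placeholders.
SAMPLE_HOMES: Dict[str, Tuple[int, str]] = {
    "cff": (4507, "[client]\nuser='u4507'\npassword='PLACEHOLDER-A'\n"),
    "mnemonicflow": (11597, "[client]\nuser='u4507'\npassword='PLACEHOLDER-A'\n"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOMES):
        print(finding)
```

On a real host the same check reads each ~/replica.my.cnf and takes the uid from `getent passwd <shelluser>`, as scfc did by hand.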

@madhuvishy Thanks! Replica file works for user mnemonicflow!

However, for shell user cff, I couldn't test as I have the problem that I cannot connect through ssh to the server.
I still have the public/private key pair for the user, however I think the key is not attached to any Wikimedia accounts.
And I cannot remember what is the email address set for the Wikimedia account '9emE0iL18gxCqLT', i.e. the one that should have attached to it the shell user 'cff'.
Can you assist with this issue?

@scfc said I should create another (private) task for this issue.
I'm not sure how to do that, as https://phabricator.wikimedia.org/maniphest/task/edit/form/1/ doesn't have any 'private' field for that.
All I could think of is a tag called "Privacy".

bd808 lowered the priority of this task from High to Medium. Mar 28 2017, 3:07 PM
bd808 subscribed.

However, for shell user cff, I couldn't test as I have the problem that I cannot connect through ssh to the server.
I still have the public/private key pair for the user, however I think the key is not attached to any Wikimedia accounts.
And I cannot remember what is the email address set for the Wikimedia account '9emE0iL18gxCqLT', i.e. the one that should have attached to it the shell user 'cff'.
Can you assist with this issue?

The LDAP record for shell account cff / wikitech user 9emE0iL18gxCqLT does not have any ssh keys attached to it. To correct this you would need to recover the password for the 9emE0iL18gxCqLT user and login to attach a key using either wikitech or the labsadmin console. Unfortunately that account was registered using a disposable temporary email provider, so I think you are out of luck unless you suddenly remember the password.

As a public service announcement to everyone, don't use a fake/temporary email to register your Wikimedia developer account. There is nothing heroic that the admins for wikitech or the community stewards can do to get you access to an account that you have lost all authentication credentials for. Our communities are too large for non-automated interventions to scale and the potential for phishing/impersonation is too great.

madhuvishy claimed this task.

Thanks @bd808. Since the original scope of this task is working db credentials for user MnemonicFlow, and that has been done and confirmed as working now, I'm resolving this ticket.

@bd808 Can I please know the temporary email address used?

Thanks for the advice, I agree that it was a big mistake on my part, however some disposable email providers allow you to set a custom address. If I used one of them I still have a chance to recover the account.

@MnemonicFlow this is probably WP:BEANS, but anyone with shell access to a Labs host can read the LDAP directory and the email addresses for any account are right there in the directory. Try ldapsearch -xLLL uid=cff from any host that you have access to.

Thanks everyone for helping! Got everything working now! (y)