
Tiziano Piccardi shell request + analytics-privatedata-users
Closed, Resolved (Public)

Description

Who
Tiziano Piccardi

Access Group
analytics-privatedata-users
bastiononly

Steps

Event Timeline

piccardi

  • Append public ssh key to this phabricator task

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAozlVbJ2Cmn3TrZvHChyiHShcWIERWVtl0A+V/w2P5jrpq4WGe2qx/DMPkUDsS5AvhOwY2b9qtAGbx/M+26+b0+xkJihrnT9Fy/IwEDxBFRtcIZ0N1ZvRlK2epb12gfX3oTfQWiSJcmlZOhJCS/GUfeZAAvJiDifnyWeaJAYlkPxPaWVhbF0Xv/W+3zQTQYfPuQEp1S6IKecN3bvW0/8t8fANzbfIjRtwBTSfZiKtHNZwnphaVAPF+xF7wV36spPeRbrxaB6Xy/3pEU00uT7qvyoDpB511w6IVIQfhiAVROVfCbTwyrPtuP+BZHRGFGE7hyo8pFQDQUnEU0yM11NYdQ==

  • What is his preferred login name?

piccardi

Thanks

leila updated the task description.

Thanks, @tizianopiccardi . :)

@Nuria we need your approval to give Tiziano access to the cluster. If you need any information from me, please let me know. The access is requested since for the article/stub expansion recommendation research we need computation power provided in the cluster as well as access to logs for building a measure of importance for ranking articles to be expanded.

What is the project this access is linked to?

@Nuria this request is related to the proposal for building a recommendation system for expanding articles/stubs across languages: https://meta.wikimedia.org/wiki/Research:Expanding_Wikipedia_stubs_across_languages

Approved on my end. Please remember to open a ticket to revoke access when the project is done.

RobH removed leila as the assignee of this task. Dec 8 2016, 1:37 AM
RobH subscribed.

Please note that ops clinic duty handles this, not @Cmjohnson specifically. As this was missing the SRE-Access-Requests, it wasn't triaged by the clinic duty person (me) this week until it was added. (Additionally it's assigned to someone, rather than no one for clinic duty to pick up, so I'm fixing that.)

I'll follow up on this shortly.

Change 325869 had a related patch set uploaded (by RobH):
new shell user piccardi

https://gerrit.wikimedia.org/r/325869

Please note that there are a couple things that'll make future requests easier:

  • tag with SRE-Access-Requests, full details can be viewed on getting help from operations.
  • the ops clinic duty assignee for the week handles and processes all access requests, this changes weekly, so please avoid assigning or requesting access requests from a specific person.
  • if you are ready for ops to take it over, please ensure it isn't assigned to anyone awaiting input, this way clinic duty takes it over.

Since the NDA process is a bit different for different departments, I'm not sure where to verify NDA status. I don't see a signature on the NDA form in phabricator (L2.) Please advise on this @leila. (I also don't see him on the staff contact page, since all staff paperwork has NDA included that would suffice.)

I've created this patchset for the access request: https://gerrit.wikimedia.org/r/#/c/325869/

Once the NDA info has been added, and a full 3 business day wait has passed, it's approved from Ops. Since this only got tagged with the ops-access-request today, the 3 day wait starts now. (Any days before adding the tag don't allow any kind of oversight.)

Please note that there are a couple things that'll make future requests easier:

  • tag with SRE-Access-Requests, full details can be viewed on getting help from operations.
  • the ops clinic duty assignee for the week handles and processes all access requests, this changes weekly, so please avoid assigning or requesting access requests from a specific person.
  • if you are ready for ops to take it over, please ensure it isn't assigned to anyone awaiting input, this way clinic duty takes it over.

Thanks for explaining the process. :)

Since the NDA process is a bit different for different departments, I'm not sure where to verify NDA status. I don't see a signature on the NDA form in phabricator (L2.) Please advise on this @leila. (I also don't see him on the staff contact page, since all staff paperwork has NDA included that would suffice.)

The two researchers are formal collaborators, non-staff. The task that captures the NDA and MOU signatures is T148546 and the corresponding comment from Legal is T148546#2831609 . Does this help?

@leila: I don't have access to view/read T148546. Can its permissions be adjusted to allow #acl*operations-team to that task/project so ops clinic can triage related tasks and view that task?

Since you are confirming NDA status, that should be good enough for now! Since the SRE-Access-Requests was added on Wednesday, I'll merge it live if there are no objections.

RobH renamed this task from Request access to data/cluster for article expansion research to Tiziano Piccardi shell request + analytics-privatedata-users. Dec 8 2016, 4:18 PM

No objections were noted, so this has been merged live. It will take up to 30 minutes for all affected hosts to receive the updates from their calls into puppet.

Re-opening this, as @tizianopiccardi has accidentally deleted his private key. He has generated a new key pair. He will post it below. @RobH could you please update Tiziano's key on the system? Thanks!

Hi all, this is my new public key. You can revoke the old one. Thank you!

ssh-rsa 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 tiziano.piccardi@epfl.ch

Change 444162 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] user piccardi ssh key update

https://gerrit.wikimedia.org/r/444162

Change 444162 merged by Alexandros Kosiaris:
[operations/puppet@production] user piccardi ssh key update

https://gerrit.wikimedia.org/r/444162

akosiaris subscribed.

Key updated, should make it to the cluster in the next 30 mins. I am resolving this, feel free to reopen/reach out if there's a problem.

Hi all,

I have a problem logging in via ssh. I did not change anything recently, but I'm not able to access it anymore. The last time I used the services was mid-December.

Apparently my ssh key is not valid anymore and when I try to connect the server asks for a password:

> ssh -vvv notebook1003.eqiad.wmnet
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/tiziano/.ssh/config
debug1: /Users/tiziano/.ssh/config line 1: Applying options for *
debug1: /Users/tiziano/.ssh/config line 2: Deprecated option "useroaming"
debug1: /Users/tiziano/.ssh/config line 4: Applying options for *
debug1: /Users/tiziano/.ssh/config line 29: Applying options for *.eqiad.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -a -W notebook1003.eqiad.wmnet:22 bastproduction
debug1: identity file /Users/tiziano/.ssh/wikipedia type 0
debug1: identity file /Users/tiziano/.ssh/wikipedia-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
Password:

I'm accessing through bast1002.wikimedia.org

I quickly asked Luca (elukey), and on the server side the log shows:

Jan 14 17:51:26 bast1002 sshd[18654]: Failed publickey for piccardi from 128.179.254.181 port 63721 ssh2

Any idea about what the problem can be?

In case, for some reason, the old key has to be discarded, here is a new one:

ssh-rsa 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 tiziano.piccardi@epfl.ch

Thank you
Tiziano

Change 564747 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: update user piccardi's ssh public key

https://gerrit.wikimedia.org/r/564747

Hi @tizianopiccardi, I can confirm your user exists on bast1002 and notebook1003 and your key has not been revoked. It is:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/gM+ET26j1I16ZWjbbcoWQhMNYj3AlS0yZQCSnLKbv6pbGCOs9xtTsxQQLH71ITdrlvS9E7KTjR4Ycn/gbgprkrtxCT89U4kU41kQTDHfAow8zodB7S99B0NR2cfUzAVglzw28mDfiCnlk7RS761Zgw+vJhrvGIwwwQngDXR7Y3PN8I3n6h4Jvv3Sm+NvWZD2j/OzeGWZF6XE60sRxXR9IriEjSpETqTwrAk6l0PhrJgzccfEtFWWcLy+ueSrSjL7TF6rxG663C8WA3F2NGm3GTGJCwxGyH94urPOoHZ/Xfqwa3vt6al8DLNpgVziUPnARXN0DsNsT0bUV2MIhRm1b0vapWUySFHr4yyGYjoMzB4WWqQZXeswJr4LYhf2j8RRhjacKp4ucKwbNO/ytwXzwvAGXXxgA+RGqxcKp6wwGVyZNDS0kRyI23xlaIM7N9nJxsK+q9n7uTDeeR+beUxmqoRg0x4pt8nNI2C+NnNL0vKdZtPtHBhunIN2ARycBm8Q8oEfOq/eA7RDw+srPFCaadG0z9jQ0qJB69RHCVZZohCHv7Jryz+iHTdiRcAPqUBCB9MwcpzqkWUirdpSQR1kz0qJpGN3BWxU6VlDpBpMRnjByTcAigVPfei2fOzAH3P7k1yE9eoT7ooyU+RtLreYbtCODpp03sTwRTOzvbjWiQ==

and that matches what is in the repository and on disk.

Are you sure that's the one you are currently trying to use? Could you maybe paste your .ssh/config file?

I see the SHA256 of the public key you are attempting to use is:

SHA256:wNTUKNPfq5Wyubriy6VGxmqrPq3m9l6GSiyF0SV/ywE

but the SHA256 of the public key you have in the repo and on disk is:

SHA256:aw4jMdpq+mw0hkDDlqx+rJ6+qVHDj7UL7d9wyr+KXVg

So that looks like your config has a different key in it or you have multiple keys loaded in ssh-agent.

If you run "ssh-keygen -lf <filename>" on your keys and it matches the hash above then it should be the correct one. Maybe you can verify that and make sure all other keys are unloaded.
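The fingerprint comparison suggested above, as an added example that is not part of the original thread: it computes the same `SHA256:` value that `ssh-keygen -lf` prints for a public key line and reports which local key corresponds to the fingerprint seen on the server. The function names and the two sample keys are constructed for illustration; they are not the keys from this task.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a 4-byte length followed by the key type string.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type inside blob does not match line prefix")
    return fields[0], blob


def sha256_fingerprint(line):
    """SHA256 over the decoded blob, base64 without '=' padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_offered_key(offered_fp, candidates):
    """Names of candidate public keys whose fingerprint equals offered_fp."""
    return [name for name, line in candidates.items()
            if sha256_fingerprint(line) == offered_fp]


def _constructed_key(seed):
    # Constructed sample blob (type, exponent, modulus fields); NOT a real key.
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + seed * 32)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed stand-ins for the intended key and a default key on the client.
CANDIDATES = {"wikipedia.pub": _constructed_key(b"\xa1"),
              "id_rsa.pub": _constructed_key(b"\xb2")}

if __name__ == "__main__":
    offered = sha256_fingerprint(CANDIDATES["id_rsa.pub"])
    print(offered, "->", find_offered_key(offered, CANDIDATES))
```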

Hi Daniel,

Yes, I'm quite sure I didn't change anything (unless OSX updated and changed files somewhere). Here is a full log:

> cat ~/.ssh/config

Host *
    UseRoaming no

Host *
  ServerAliveInterval 60

### Short names
#Host <some host you want your system to auto-complete>

## Use bastion-eqiad.wmflabs.org as proxy to labs
Host bastlabs
HostName bastion-eqiad.wmflabs.org
User piccardi

Host *.eqiad.wmflabs !bastion-eqiad.wmflabs.org
User piccardi
IdentityFile ~/.ssh/wikipedia
ProxyCommand ssh -a -W %h:%p bastlabs

## production
Host bastproduction
HostName bast1002.wikimedia.org
User piccardi
#for accessing mysql locally
LocalForward 8889 analytics1027.eqiad.wmnet:8888
LocalForward 8001 analytics-store.eqiad.wmnet:3306
LocalForward 8002 s1-analytics-slave.eqiad.wmnet:3306

Host *.eqiad.wmnet *.wikimedia.org !bastproduction
User piccardi
IdentityFile ~/.ssh/wikipedia
ProxyCommand ssh -a -W %h:%p bastproduction

Host tools-dev.wmflabs.org
User piccardi
IdentityFile ~/.ssh/wikipedia

> cat /etc/ssh/ssh_config

# <comments omitted>

Host *
	SendEnv LANG LC_*

> cat ~/.ssh/wikipedia.pub

ssh-rsa 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 tiziano.piccardi@epfl.ch

> ssh -vvv notebook1003.eqiad.wmnet

OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/tiziano/.ssh/config
debug1: /Users/tiziano/.ssh/config line 1: Applying options for *
debug1: /Users/tiziano/.ssh/config line 2: Deprecated option "useroaming"
debug1: /Users/tiziano/.ssh/config line 4: Applying options for *
debug1: /Users/tiziano/.ssh/config line 29: Applying options for *.eqiad.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -a -W notebook1003.eqiad.wmnet:22 bastproduction
debug1: identity file /Users/tiziano/.ssh/wikipedia type 0
debug1: identity file /Users/tiziano/.ssh/wikipedia-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
Password:

> ssh -vvv -i ~/.ssh/wikipedia piccardi@bast3004.wikimedia.org

OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/tiziano/.ssh/config
debug1: /Users/tiziano/.ssh/config line 1: Applying options for *
debug1: /Users/tiziano/.ssh/config line 2: Deprecated option "useroaming"
debug1: /Users/tiziano/.ssh/config line 4: Applying options for *
debug1: /Users/tiziano/.ssh/config line 29: Applying options for *.wikimedia.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -a -W bast3004.wikimedia.org:22 bastproduction
debug1: identity file /Users/tiziano/.ssh/wikipedia type 0
debug1: identity file /Users/tiziano/.ssh/wikipedia-cert type -1
debug1: identity file /Users/tiziano/.ssh/wikipedia type 0
debug1: identity file /Users/tiziano/.ssh/wikipedia-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
Password:

> ls -lh ~/.ssh

<file omitted...>

-rw-------@ 1 tiziano  staff   3.2K Jul  3  2018 wikipedia
-rw-r--r--  1 tiziano  staff   750B Jul  3  2018 wikipedia.pub

We talked on IRC, debugged a bit more, and Tiziano could confirm that logging in works with the existing key after temporarily moving the ssh config file out of the way. It is using the wrong (default id_rsa) key for some reason. So we should not have to replace it, and the issue should not be on the server side.

The problem was in the config file.

ForwardAgent no
IdentitiesOnly yes
IdentityFile ~/.ssh/wikipedia

missing in the field Host bastproduction
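
Why the bastion hop had no `IdentityFile`, as an added example that is not part of the original thread: a simplified model of OpenSSH's `Host` matching (negated patterns veto a block, first value wins per option, `IdentityFile` accumulates) run over a constructed excerpt of the config posted above. The function names are hypothetical, and the model ignores `Match`, `Include` and `key=value` syntax.

```python
from fnmatch import fnmatchcase

# Constructed excerpt modelled on the posted config (port forwards omitted).
CONFIG = """\
Host *
  ServerAliveInterval 60
Host bastproduction
  HostName bast1002.wikimedia.org
  User piccardi
Host *.eqiad.wmnet *.wikimedia.org !bastproduction
  User piccardi
  IdentityFile ~/.ssh/wikipedia
  ProxyCommand ssh -a -W %h:%p bastproduction
"""


def host_block_matches(patterns, name):
    """A negated match vetoes the block; otherwise one positive match is needed."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(name, pat[1:]):
                return False
        elif fnmatchcase(name, pat):
            positive = True
    return positive


def resolve(config_text, name):
    """Options for the name given on the command line (not the HostName)."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            active = host_block_matches(value.split(), name)
        elif active and key == "identityfile":
            opts.setdefault(key, []).append(value)
        elif active:
            opts.setdefault(key, value)  # first obtained value wins
    return opts


# The three lines named in the last comment, appended to the bastproduction block.
FIX = "  ForwardAgent no\n  IdentitiesOnly yes\n  IdentityFile ~/.ssh/wikipedia\n"
FIXED = CONFIG.replace("Host *.eqiad.wmnet", FIX + "Host *.eqiad.wmnet", 1)
```

`resolve(CONFIG, "bastproduction")` contains no `identityfile` entry, so the inner `ssh` started by `ProxyCommand` falls back to default identities and agent keys; with `FIXED` it is pinned to `~/.ssh/wikipedia`.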