Page MenuHomePhabricator

Cluster Access for Nithum Thain
Closed, ResolvedPublic

Description

Hi,

I would like to request access to stat1002 and the analytics cluster for one of my external research collaborators, Nithum Thain. @Nithum is already under an MOU and an NDA.

Full name: Nithum Thain
Instance shell account name: nithum

Public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdoZ4fXmaua+K80DRZ93bLfohcl3IXOixTXZ+WLUwcVPvKKZpHriUC2PmmMGU9cqgnYP5f3Rix4h9dTkHhZneW4qFyhwdeuseLjFbCJ3E7bOY9fvsIj6fVlbUWn48UG2UfkQLI+8vf5jtxfocurIgoCPkx3yxpVjfflW/l9v2hVEvdQWngKy/Skn1+3IqScvwZ0GTqPG7GKOfPPSnFrCRb6+1fiOTRMEov0WoVGqBx3H0klVQQtbAJksrUw+yNvykVGIhfXzRiSfXcch+DBgUNmk8WgMGxwKMSmE5kdDx1+mY/z/7Yz69Y8zURr/DF5SnijLdNVkoFYJn6IXL1eElx nithum@MBP.local

Event Timeline

ellery created this task.Feb 9 2017, 8:00 PM
Restricted Application added a project: Operations. · View Herald TranscriptFeb 9 2017, 8:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

@ellery: So there are some new access request policies being put into place. @MoritzMuehlenhoff has been point on them, so he may have to elaborate. However, we'll need to confirm with legal about the NDA directly (as shell access now requires a legal reviewed NDA, just something in phabricator isn't enough.)

Other than the new NDA policy, the rest are outlined on https://wikitech.wikimedia.org/wiki/Production_shell_access

There are a few actions that must be taken by Nithum Thain to obtain access:

  • Login to Phabricator, read & sign the L3 document. (This outlines the responsibilities for access.)
  • Nithum must append their public ssh key to this task. This key should NOT be the same key used for any kind of access elsewhere (this includes labs, this should not be the same key used in labs.)
  • users email address to tie to shell account (if none is specified, we'll simply use the one listed in wikitech, however this file is public so that email address will be listed in the file.)

Please review the above, once we have answers/actions on them, we'll be able to move this request forward.

Thanks!

ellery updated the task description. (Show Details)Feb 9 2017, 10:49 PM

Thanks @RobH. Nithum signed an NDA that was approved by Manprit, Dario and Wes. I pointed Nithum to this ticket and asked him to complete the tasks you listed. The access group should be analytics-privatedata-users.

RobH added a comment.Feb 9 2017, 10:56 PM

@ellery: Thanks for the info! I still think our new guidelines mean we have to have a legal person confirm, but I'll find out!

@RobH: Thanks for all the help!

I've signed the L3 document, @ellery attached the public ssh key and I'd like to use the e-mail address nthain@google.com. Please let me know if there's anything else you need.

@ellery and @Nithum: Hi there, it's Rachel from legal. We do have a current MOU on file for Nithum, but not an NDA. We had begun updating the NDAs on file for those who need shell access this past fall. I'll contact you via email with the details.

RobH added a comment.Feb 10 2017, 5:11 PM

Please note that this shell request is blocked on two items:

Thanks!

@RobH: @ellery suggested analytics-privatedata-users would be the correct group above.

When I receive the NDA, I'll pass it on to the Jigsaw team, but we should hopefully be able to have it signed soon.

RobH added a comment.EditedFeb 10 2017, 6:03 PM

I'll prepare the patchset, thanks! (Once legal confirms on this task pending all the nda stuff in followup from their earlier comment, we should be good.)

Just signed the NDA. Please let me know if there's anything else needed on my end.

RobH added a comment.Feb 13 2017, 4:01 PM

We actually have to have legal confirm the NDA signatures. They should be able to update the task confirming shortly.

Yes, the NDA is fully executed and on file. Thanks everyone!

RobH claimed this task.EditedFeb 13 2017, 5:06 PM

Thanks! I'm claiming this to push my patch and merge at the end of the 3 day wait - pending no objections. Just to summarize:

  • - new login details (login name, ssh key) obtained
  • - NDA on file, confirmed with legal
  • - L3 document signed.
  • - patchset prepared https://gerrit.wikimedia.org/r/337438
  • - merged after 3 business day wait, pending no objections. This ends on 2017-02-14.

Change 337438 had a related patch set uploaded (by RobH):
new shell user Nithum Thain

https://gerrit.wikimedia.org/r/337438

Change 337438 merged by RobH:
new shell user Nithum Thain

https://gerrit.wikimedia.org/r/337438

RobH added a comment.EditedFeb 14 2017, 5:03 PM

@ellery/@Nithum:

I screwed up and I just realized that while @Nithum's access is live, since he is a contractor I should have put in a expiry date and contact (to check for contract renewal)

Can you guys (either @ellery or @Nithum provide me with the contract end/renewal date and who should be emailed when that expiration nears (typically the manager of that person @ WMF.)

Access is now live, but I've flagged this task for followup. Basically I don't want to hold up @Nithum's work by my having forgot to ask for this info, but I need this info to resolve the task. I've kept the access live, since neglecting to ask for this in advance was MY FAULT. We just introduced these new expiry dates into our infrastructure/workflow for access requests quite recently. Also, since expiry is to ensure its not forgotten, and I've flagged this task for followup, that risk is mitigated in the short-term.)

Please advise,

Hi RobH, I can give you the info. The current Memo of Understanding between Nithum and WMF is through June 15, 2017. We usually check in a few weeks before the expiration to see if another six month extension is needed. The NDA is ongoing with no expiration date.

Best,
Rachel

RobH added a comment.Feb 14 2017, 5:38 PM

@RStallman-legalteam: Do we have who at WMF should get the email notification of the account expiry? (Typically that person's direct manager.)

That would be @DarTar .

RobH added a comment.Feb 14 2017, 5:50 PM

Awesome, I'll correct the access now (it won't affect actual usage, as that is already live.)

Change 337614 had a related patch set uploaded (by RobH):
adding info to nithum's shell account

https://gerrit.wikimedia.org/r/337614

Change 337614 merged by RobH:
adding info to nithum's shell account

https://gerrit.wikimedia.org/r/337614

RobH closed this task as Resolved.Feb 14 2017, 6:06 PM

Fixed to add in expiry info and contact, so resolving this task again.

Hi Rob, could you change the ssh public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHQ6oDkb1WXmbizF6PX4hIELg7azLCcAaNiIl2ytjKTv7DcunsiwM/IkzoU94SUc1uIfijevzDTDU2moSTv8OJ5b/2RxG2RpL8pPVA+aLIm/2Yfo/ulCnjs0WgHbRpY7GKagliU6/PG8JV8byoLglVbPUcepie4P33yAqsA3BxdVsGxw4WnyOIIG2mRsYyAQsMNB5xwofkHW3fPLetY6MYpu9EtKCjaJzX2FzETT7E8WpjwYpqBnAC108hqueyCoZ7Q3eD6qs+pUdcKDPjFHPOQCxPulVjkdsUczct3r5s9ryze0ziSb5GvMowgc1i1Kn9fUPcPPmqRwR4to8348DN nithum@MBP.local

Change 338291 had a related patch set uploaded (by RobH):
update nithum's ssh pub key

https://gerrit.wikimedia.org/r/338291

Change 338291 merged by RobH:
update nithum's ssh pub key

https://gerrit.wikimedia.org/r/338291

RobH added a comment.Feb 16 2017, 11:49 PM

The new key is now live, it can take up to 30 minutes for all affected hosts to call in for the change.

Seems to be working. Thanks for all of the help everyone!