Page MenuHomePhabricator

Requesting access to analytics-privatedata-users group for Jonas Kress
Closed, ResolvedPublic

Description

Username: Jonas Kress (WMDE)
Full name: Jonas Kress
shell username: jk
NDA request: T140911: NDA-Request Jonas Kress

Reason for access request: I am a developer in the Wikidata team. I would like to get access to maintain services around Wikidata in production.
Please add user to ‘analytics-privatedata-users’ group to allow for access to https://hue.wikimedia.org.

operations access request checklist

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task - This particular task's 3 day wait ends on Tuesday, 2017-12-19.
  • - patchset for access request - https://gerrit.wikimedia.org/r/#/c/398524/

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2017, 7:27 PM
RobH assigned this task to Jonas.EditedDec 14 2017, 8:47 PM
RobH added a subscriber: RobH.

Jonas: Typically web logins are not tied to shell user groups. Is this request to be able to login to https://hue.wikimedia.org or to have the rights to login stat100[56] via analytics-privatedata-users? Our web services logins (that I am aware of) are not tied to shell access.

The details for the various analytics groups are at: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

I've confirmed your ldap nda access is current, but perhaps the hue service isn't tied to the ldap nda flag. I'll ask some folks in analytics for some info, but if you can provide clarification on the above question, I'd appreciate it.

If you do require shell access, can you detail exactly what you would be doing? (Simply stating maintaining the service doesn't give me much to go on in regards to seeking approvals.)

Additionally, all shell requests need to include the following:

  • User must read and sign the L3 document. (Checked, and you have done so, thank you.)
  • User must provide a public SSH key that is NOT used on any other systems/services. (This should be a wholly dedicated key, not shared with WMCS or any other systems.)
  • User should seek the sponsorship of a WMF staff in regards to their access and planned contributions. (Analytics should approve of you getting access to their systems.)

Once we determine exactly what (and why) access is needed, there is either a 3 day wait for review OR if it includes sudo rights, it has to be approved in our weekly operations meeting.

Please provide feedback, providing detailed info on what systems you need to access and your planned activities on them (be specific.) Also please have someone in analytics sponsor your access via comment on this task.

I've assigned this back to you pending update. Once the above is addressed, feel free to unassign it so it has no owner, and it will be picked back up via Ops Clinic Duty (which is me for this week.)

Thanks!

@Jonas, actually, when you emailed me, I also should have asked: what data are you trying to access? You might only need to be in the analytics-users group, if you don't need access to private data (e.g. webrequests) in Hadoop.

RobH added a comment.Dec 14 2017, 8:54 PM

Corrections: (Seems easier to append a new comment than try to edit my above)

It seems login to hue is a manual process detailed on https://wikitech.wikimedia.org/wiki/Analytics/Systems/Cluster/Access#HTTP_Access This includes the requirement that the user have a shell account.

So @Jonas was correct in requesting a shell account in addition to login rights for hue.wikimedia.org. The latter part just has a hadoop admin manually activate their access to the web service.

However, we still need to have a public key added to this task for @Jonas, as well as a sponsorship comment (from someone in Analytics who understands what @Jonas will be working on) for addition to analytics-privatedata-users.

Sorry for the first posts confusion, the access for this was new to me!

Dzahn added a subscriber: hoo.Dec 14 2017, 8:58 PM

get access to maintain services around Wikidata in production

^ This sounds quite different from "acccess to hue" and "analytics-privatedata"? Do you maybe mean shell access similar to what @hoo recently got in T179317? Because we just made new shell groups for the needs of people working on Wikidata issues but they are unrelated to anything analytics-*.

Sorry for the confusion!

@Ottomata
One of the things I would like to do is using hive queries to analyze web API endpoint usage.
This would also include user data such as referrers, user agents and IP addresses.

@RobH
Do I need to provide the SSH key, although it is just a web login?

Ok, then you need analytics-privatedata-users.

@Jonas, yes, you need a shell login, because access to the data is controlled by verifying your shell account's group membership on the Hadoop cluster. Hue is just a dumb gateway.

Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.

Here is the SSH key.

@Smalyshev or @Gehel could you please vouch for me?

Jonas removed Jonas as the assignee of this task.Dec 15 2017, 6:30 PM

Change 398524 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] Jonas Kress move from ldap to shell, add to groups

https://gerrit.wikimedia.org/r/398524

RobH triaged this task as Normal priority.Dec 15 2017, 7:22 PM
RobH updated the task description. (Show Details)
RobH updated the task description. (Show Details)
RobH moved this task from user confirm to 3 Business Day Wait on the SRE-Access-Requests board.
RobH added a comment.Dec 16 2017, 12:02 AM

Everything on this looks good, just pending the 3 day wait for objections. This ends on Tuesday, 2017-12-19.

Change 398524 merged by Volans:
[operations/puppet@production] Jonas Kress move from ldap to shell, add to groups

https://gerrit.wikimedia.org/r/398524

Volans closed this task as Resolved.Dec 19 2017, 4:56 PM
Volans claimed this task.
Volans updated the task description. (Show Details)
Volans removed a project: Patch-For-Review.
Volans added a subscriber: Volans.

All done, resolving.

Change 399401 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet/cdh@master] Fix bug in create_hdfs_user_directories.sh script

https://gerrit.wikimedia.org/r/399401

Heya! There was a bug in the script that was creating your HDFS user home directory, which also was keeping me from syncing your LDAP account to Hue. You should be able to login now. Use your shell username 'jk' and your LDAP password.

Change 399401 merged by Ottomata:
[operations/puppet/cdh@master] Fix bug in create_hdfs_user_directories.sh script

https://gerrit.wikimedia.org/r/399401