
Access request to stat1005 and stat1006 for cooltey
Closed, Resolved · Public

Description

I need access to stat1005 and stat1006 to have a look at the Wikipedia Android app analytics data.

Thank you!

Ops Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. on Aug 23 2017, 16:36
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.) - user is staff, has nda as part of staff package
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform). - user already has a shell account, this is expanding rights
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not be shared with any other service (this includes not sharing with WMCS access, no shared keys.) - user already has a shell account with key, key was checked not to match labs.
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task - ends Friday, 2018-03-23.
  • - Patchset for access request https://gerrit.wikimedia.org/r/#/c/420809/

Event Timeline

Restricted Application added a subscriber: Aklapper.

Approving this from the management side. Let me know if you need anything else.

RobH subscribed.

In triaging this request, I found that the user is using the same ssh key in both cloud/labs and in production. Please note the L3 is very clear on this, your production key should be a dedicated key, not used anywhere else, including cloud services.

The key in question is:

AAAAB3NzaC1yc2EAAAADAQABAAABAQDAAArRsGDz/viZw3cKmJUSuuChGUgvKWjBa1j+X1fiaOqFYhHWONOHNYqNTsLXzsfCptxkJjZMtmwd0SixphmGODuao0XjSERPREopHBPonZqtEdOrHLoyn/EZ43vIUvfBiGIkvq7ZfjLpg2u747x786EgeC8IBy/KN5Vqfll4JoVc22ZZOMssaXFKj4cYxUzTqT282nFIqTYlFFFobqZTwfFQOXuIyY2FV/1nz6tw1aIYiUcTgK+i9j+H5Tj3xbbIo6P6T7LWpG+zAm3OfEAfXTMjSJGzcfz1YvU+C1lvMemxCZUW5sOtq/Y5YxteIQ/oeKdF/5QT2vZX+0w5lMvb cfeng@wikimedia.org

This is used in both the admins module for production access, and in your labs/wikitech account (I can see it tied to your user on wikitech.) This production key is thus revoked. You need to provide a NEW public key, not in use anywhere else, dedicated to WMF production use. Please set a passphrase for it as a best practice, and provide the public key here.

Until this new key is provided, I've had to revoke your production access entirely.

I'm assigning this back to @cooltey for him to update this task with a new key.

Change 420728 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] user cooltey has same key in cloud and production

https://gerrit.wikimedia.org/r/420728

Change 420728 merged by RobH:
[operations/puppet@production] user cooltey has same key in cloud and production

https://gerrit.wikimedia.org/r/420728

Additionally, you are requesting access to stat1005 and stat1006 for the Wikipedia Android app analytics data. Do you happen to know if that is data in hadoop or elsewhere? (It matters so we know what group to give you.)

Please see https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

It seems like the only group that accesses both systems is statistics-privatedata-users, but I wanted to be certain that is the group you need.

The user group should be researchers

Thanks!

Change 420803 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] user ctooley provided a dedicated ssh pubkey

https://gerrit.wikimedia.org/r/420803

Change 420803 merged by RobH:
[operations/puppet@production] user ctooley provided a dedicated ssh pubkey

https://gerrit.wikimedia.org/r/420803

RobH removed cooltey as the assignee of this task. Mar 20 2018, 6:38 PM
RobH moved this task from user confirm to 3 Business Day Wait on the SRE-Access-Requests board.

I've restored @cooltey's shell access to what was there before I revoked it (due to shared key between production and cloud.)

The actual addition to researchers will be done on another patchset. Since it has a 3 day wait, it won't be merged until Friday, 2018-03-23. If no objections are noted by that time, @cooltey will get access to the researchers group.

I'm setting this to waiting period column on the SRE-Access-Requests workboard, with no user assigned (since it's not waiting on anyone.)

Change 420809 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding cooltey to reserachers

https://gerrit.wikimedia.org/r/420809

RobH triaged this task as Medium priority. Mar 20 2018, 6:40 PM
RobH updated the task description.

Change 420809 merged by RobH:
[operations/puppet@production] adding cooltey to reserachers

https://gerrit.wikimedia.org/r/420809

RobH claimed this task.

No objections have been noted, so access to researchers group has been merged live. Please allow 30 minutes for affected hosts to call in, and you should be all set. If there are any questions or issues with your accessing the new group later today, please feel free to reopen this task.

Hi @RobH,

I tried to access the release server to upload an alpha APK to it, but I cannot access it successfully. It returns ssh_exchange_identification: Connection closed by remote host

The command is: scp app-alpha-prototype_1.apk releases1001.eqiad.wmnet:/srv/org/wikimedia/releases/mobile/android/wikipedia/scratch/

Can my account cooltey still access the release server (releasers-mobile group) after the previous key has been replaced by a new key? T190150#4064984

This is the previous ticket requesting access to releasers-mobile: T173886

Thanks!

Change 447915 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] fixing typo in cooltey's ssh key entry

https://gerrit.wikimedia.org/r/447915

Change 447915 merged by RobH:
[operations/puppet@production] fixing typo in cooltey's ssh key entry

https://gerrit.wikimedia.org/r/447915

Ok, fixed the typo and synced with @cooltey via irc. Login is now working.
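
The two key problems in this thread (one key present in both cloud and production, and a malformed key entry that blocked login) can both be checked mechanically. The sketch below is an added example, not code from this task or from Wikimedia's tooling; the function names and the `PROD`/`CLOUD` inventories are hypothetical, and the sample keys are constructed placeholders rather than usable keys.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Return the decoded key blob of one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"key body is not valid base64: {exc}") from None
    # The blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match the blob")
    return blob


def fingerprint(line):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(parse_pubkey(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(prod_lines, cloud_lines):
    """Fingerprints present in both sets; the comment field is ignored."""
    return ({fingerprint(l) for l in prod_lines}
            & {fingerprint(l) for l in cloud_lines})


def make_sample_key(seed, comment):
    """Constructed ed25519-shaped line for the demo, not a usable key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-ed25519") + field(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed inventories: the second production entry reuses the cloud key.
PROD = [make_sample_key(b"prod-only", "alice@prod"),
        make_sample_key(b"reused", "alice@laptop")]
CLOUD = [make_sample_key(b"reused", "alice@cloud")]

if __name__ == "__main__":
    print("reused:", shared_keys(PROD, CLOUD))
```

The structural check rejects a dropped character or a mismatched key type, but a substituted character still decodes cleanly; comparing the stored entry's fingerprint with the one the user reads from their own key catches that case.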