Page MenuHomePhabricator

Requesting access to stat1006 for Go Fish Digital
Closed, DeclinedPublic


The Audiences department is currently engaging with Go Fish Digital to help us improve our understanding of search engine optimization. I have the data they asked for in T193052 but they would need to download it from my homedir on stat1006 over SSH via SCP/SFTP.

As @Deskana said in T192893:

They have signed a master service agreement which fully covers our privacy policy, data retention, and data security requirements, and the agreement received signoff from Jim Buatti (in Legal) and Toby (the Chief Product Officer), amongst others.

Here is their public SSH key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpQIxqEhJS6rGDp5VCJ5ID0IROW408fSFD7xTf4HaE1lC3mSMZ3XKtnswCEGYnpnHZsPbwvw4BMPVV9Igr0DIuEREEF0gUO8tpyhYYt5WzB6s/oRAK5cLbF5v/0dGV1bvL2xIlZUdfNU8uKPE61So59xOd8vYCu308KxPWYDMCXj4ApMyR4eDGDUSxo5nVrcjo89x8rdG6Z+MCnIdr3VbrdNSbbmWqkOeBZm8stChQw0S/818tDqN3y1eF+xQn/nYHwgH6o5ZIJw0iWMl9TVGgfFuwOiXz1wVCjxFki+I0RUENRmjLPj9M4aK1n0k3XZJ6J/MUHG3G9vQpqwJdi+HV danhinckley@Dans-iMac-Pro.local

Event Timeline

mpopov triaged this task as High priority.May 9 2018, 4:46 PM
mpopov created this task.

Pinging @RStallman-legalteam & @JbuattiWMF to confirm that Go Fish Digital have signed the NDAs so that Ops can proceed with adding their public SSH key to the list of allowed keys.

Ok, this needs quite a bit more info. Shell access is handled by individual accounts, so we'll need to know the individual users they want to setup. Each user will have the following checklist:

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.

This is in addition to the NDA. And it has to happen for each individual user. They'll need a wikitech account for the UID, so it may be easier for them to create their wikitech accounts, and then use them to access phab to sign the L3.

  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)

Legal has been pinged on this task to confirm this.

  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.

They need to detail their username preferences, and INDIVIDUAL ssh keys. We don't do shared production access.

  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)

This further spells out the production access key needs to not be shared.

  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)

@mpopov is sponsoring this request, as he is the one who made it for a third party/contractors.

  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • - sudo requests: all sudo requests require explicit approval during the weekly operations team meeting. No sudo requests will be approved outside of those meetings without the direct override of the Director of Operations.
  • - Patchset for access request

So no shared accounts, please update the task description to list off the individual accounts and details requested above.


Edit addition: We also include expiry dates for third party contractor access like this, so please provide an expiry for shell access.

RobH moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.

Assigning back to @mpopov for feedback. Once given, just set to unassigned to be picked back up by SRE team.

Cancelling this request as I will be uploading the data to them instead.

Vvjjkkii renamed this task from Requesting access to stat1006 for Go Fish Digital to gadaaaaaaa.Jul 1 2018, 1:10 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed mpopov as the assignee of this task.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.