
Requesting access to restricted production access and analytics-privatedata-users for Patrick Earley
Closed, Resolved | Public | Request

Description

Username: pearley
Full name: Patrick Earley
SSH Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkuGVdh5aLFt5xlJ5k2+LFmELmsYknZvo+JICa650muKIizaI2/lYbCMwtl9VDNudpqzsgeITKZ04HFicGIPlraZU8yZ5KVoWmhddEyhUVBib1lq0WEnyPrjlR1ljb5ets052keahF8+nTekRa4p+cWS1CGFyyrIEwEmSFuAo5yPX64cFYzhIn9pysIDSwYJeH0I4kRcCr7gczS2L/qO64lbDhgeshTQsRxDVlNHdz5f3zp2xnSdLuOsXh5vMdETxSZGc7TdGv5TbRSZqD4I0uD9d8OvWS0ZU5NpL9mOtIrkU1zzYcQmggiO5wS0ChUKZoXTWZbBdbJensdq5rLEicejlxU2guStwJyL0wEAWePslcH9axlb69We1MTH+Iel+T41sJaAUJSzCuWGLiUeBX153xro1mWQWaOPkklkcf29nhsYBP7kd5O1JIMnpeOalXuc7onCyH3ate4F4b01Q6PVF4sQJEvJE3yLCdMIgITRpHJKm6qlgMhxOmkYW8v1FpJbmnz3IBeWUhLsvYE3HNVdKRZz6N6qg3+5BeM0t4vXzK79bvH2omZVztpxu1DAfJMbteNoxzUYDkJEAbNZLSjiL6aJNHjkFB5Gy4/nyt1S6DLrr2ysAVyKHx6pAlebxNduTlPJJf9nXE/OhiCzVH0/NiOHZ7Pfr2JhOXEr8g9Q==

I'd like to request access for @PEarleyWMF to what I believe will be the restricted group and analytics-privatedata-users (the same that I have). Trust and Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). Many of our workflows (including these ones) have been increasing and the only two people on our team with access are myself and Joe Sutherland. This has caused some major bottleneck issues at times and we want to expand the available people within our team to include other members of the T&S Operations team which I manage, as well as Patrick who, as my counterpart manager (on the policy side of T&S), is also a good backup when I'm out and we have sensitive issues come up.

Specifically some of the workflows he needs to be able to do (and I believe needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • Remove 2FA for users who have lost their backup codes (after identity verification)
    • Add or reset user email addresses when locked out of their account (again after identity verification)
    • Permanently remove illegal images from the servers
  • Lookup private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Patrick has already signed L3. @JanWMF is his manager and I'll have him comment here in support. As always please let me know if any issues or questions.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

Event Timeline

Restricted Application added a project: Operations. Aug 10 2018, 8:52 AM
Restricted Application added a subscriber: Aklapper.
herron triaged this task as Normal priority. Aug 10 2018, 5:51 PM

Looping in @Nuria for review/approval of analytics-privatedata-users membership request

Dzahn claimed this task. Aug 13 2018, 5:42 PM

Hi @PEarleyWMF @Jalexander Could you please create a user on Wikitech/LDAP (https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount&returnto=Main+Page) and let us know which user name you picked?

Dzahn reassigned this task from Dzahn to PEarleyWMF. Aug 13 2018, 11:27 PM
Dzahn moved this task from In Discussion to Awaiting User Input on the SRE-Access-Requests board.
Dzahn added a subscriber: Dzahn.


Sure, his wiki name on Wikitech is PEarley (WMF), shell remains pearley

The comments from T201668#4503338 and following also apply to this ticket. The user_password field is not populated in the DB yet.

Dzahn changed the task status from Open to Stalled. Aug 14 2018, 11:47 PM
RobH added a subscriber: RobH. Aug 20 2018, 8:34 PM

Please note this task is currently blocked on @PEarleyWMF logging into their wikitech account to create the ldap entry (which is automatic upon their login.)

Until that time, this is unable to proceed.


I think this is fixed now (and I'm able to find their ldap account pearley via ldapsearch)

RobH updated the task description. Aug 21 2018, 6:30 PM
RobH removed PEarleyWMF as the assignee of this task. Aug 21 2018, 6:33 PM
RobH updated the task description.
RobH assigned this task to PEarleyWMF. Aug 21 2018, 6:38 PM

So, here is my problem with this task. It appears that @Jalexander provided the public SSH key for @PEarleyWMF into the task description when he made it. I don't see any update to the task description until I pasted in the checklist, which is why I assume that @Jalexander pasted in the key.

This is not an acceptable means of verifying that the ssh key provided actually belongs to @PEarleyWMF. So, this cannot be finished processing until the SSH key is provided. Once @PEarleyWMF (NOT ANYONE ELSE) logs in and comments on this task, pasting his public ssh key, we can process it.

Apologies, but having party A provide the ssh key that supposedly belongs to party B just isn't good security practice. It is not personal, it is simply our policy.

I'll prepare the patchsets and simply not include the ssh key for now.

Hey all,

Thanks for moving forward on this request. To address the concerns above from @RobH, this is me posting the key:

Username: pearley
Full name: Patrick Earley
SSH Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkuGVdh5aLFt5xlJ5k2+LFmELmsYknZvo+JICa650muKIizaI2/lYbCMwtl9VDNudpqzsgeITKZ04HFicGIPlraZU8yZ5KVoWmhddEyhUVBib1lq0WEnyPrjlR1ljb5ets052keahF8+nTekRa4p+cWS1CGFyyrIEwEmSFuAo5yPX64cFYzhIn9pysIDSwYJeH0I4kRcCr7gczS2L/qO64lbDhgeshTQsRxDVlNHdz5f3zp2xnSdLuOsXh5vMdETxSZGc7TdGv5TbRSZqD4I0uD9d8OvWS0ZU5NpL9mOtIrkU1zzYcQmggiO5wS0ChUKZoXTWZbBdbJensdq5rLEicejlxU2guStwJyL0wEAWePslcH9axlb69We1MTH+Iel+T41sJaAUJSzCuWGLiUeBX153xro1mWQWaOPkklkcf29nhsYBP7kd5O1JIMnpeOalXuc7onCyH3ate4F4b01Q6PVF4sQJEvJE3yLCdMIgITRpHJKm6qlgMhxOmkYW8v1FpJbmnz3IBeWUhLsvYE3HNVdKRZz6N6qg3+5BeM0t4vXzK79bvH2omZVztpxu1DAfJMbteNoxzUYDkJEAbNZLSjiL6aJNHjkFB5Gy4/nyt1S6DLrr2ysAVyKHx6pAlebxNduTlPJJf9nXE/OhiCzVH0/NiOHZ7Pfr2JhOXEr8g9Q==

Thanks again,
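The objection RobH raises above is that a public key pasted by a colleague proves nothing about who holds the private half; the key only becomes verifiable once the requester posts it from their own account. The following is an added example, not Wikimedia SRE tooling, of the mechanical part of that review: it parses the OpenSSH public-key line from this task, sanity-checks the RSA parameters, computes the SHA256 fingerprint that `ssh-keygen -lf` would print, and confirms that the key reposted by the requester is byte-for-byte the key that was in the task description. The 2048-bit minimum and the exponent check in `check_rsa_policy()` are this example's own assumptions, not WMF policy, and the weak key built in `build_rsa_line()` is constructed only to exercise the rejection path.

```python
"""Reviewer-side checks on an SSH public key pasted into an access request.

Added example, not Wikimedia SRE tooling.  The key string is the one posted in
this task (in the description and again in the requester's own comment).  The
size/exponent policy is an assumption made for this example.
"""
import base64
import hashlib
import struct

# Key as pasted into the task description by a third party.
KEY_FROM_DESCRIPTION = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkuGVdh5aLFt5xlJ5k2+LFmELmsYknZvo+JICa650muKIizaI2/lYbCMwtl9VDNudpqzsgeITKZ04HFicGIPlraZU8yZ5KVoWmhddEyhUVBib1lq0WEnyPrjlR1ljb5ets052keahF8+nTekRa4p+cWS1CGFyyrIEwEmSFuAo5yPX64cFYzhIn9pysIDSwYJeH0I4kRcCr7gczS2L/qO64lbDhgeshTQsRxDVlNHdz5f3zp2xnSdLuOsXh5vMdETxSZGc7TdGv5TbRSZqD4I0uD9d8OvWS0ZU5NpL9mOtIrkU1zzYcQmggiO5wS0ChUKZoXTWZbBdbJensdq5rLEicejlxU2guStwJyL0wEAWePslcH9axlb69We1MTH+Iel+T41sJaAUJSzCuWGLiUeBX153xro1mWQWaOPkklkcf29nhsYBP7kd5O1JIMnpeOalXuc7onCyH3ate4F4b01Q6PVF4sQJEvJE3yLCdMIgITRpHJKm6qlgMhxOmkYW8v1FpJbmnz3IBeWUhLsvYE3HNVdKRZz6N6qg3+5BeM0t4vXzK79bvH2omZVztpxu1DAfJMbteNoxzUYDkJEAbNZLSjiL6aJNHjkFB5Gy4/nyt1S6DLrr2ysAVyKHx6pAlebxNduTlPJJf9nXE/OhiCzVH0/NiOHZ7Pfr2JhOXEr8g9Q=="
)
# The requester's own comment carries the identical string on this task.
KEY_FROM_REQUESTER_COMMENT = KEY_FROM_DESCRIPTION

MIN_RSA_BITS = 2048  # assumed policy for this example, not WMF's


def _read_string(blob, offset):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[start:end], end


def parse_openssh_rsa_pubkey(line):
    """Parse '<type> <base64-blob> [comment]' into its RSA parameters."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("type field inside blob does not match the prefix")
    if key_type != "ssh-rsa":
        raise ValueError("this example handles ssh-rsa keys only")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "n": int.from_bytes(n_bytes, "big"),
        "blob": blob,
    }


def fingerprint_sha256(line):
    """Fingerprint in the form 'ssh-keygen -lf' prints: SHA256 of the blob, unpadded base64."""
    blob = parse_openssh_rsa_pubkey(line)["blob"]
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_rsa_policy(line, min_bits=MIN_RSA_BITS):
    """Size and exponent sanity checks; returns a dict with ok/reasons/bits."""
    key = parse_openssh_rsa_pubkey(line)
    bits = key["n"].bit_length()
    reasons = []
    if bits < min_bits:
        reasons.append(f"modulus is {bits} bits, below the {min_bits}-bit minimum")
    if key["e"] < 3 or key["e"] % 2 == 0:
        reasons.append(f"unusual public exponent {key['e']}")
    return {"ok": not reasons, "reasons": reasons, "bits": bits}


def same_key(line_a, line_b):
    """True when both lines encode the same public key (trailing comments are ignored)."""
    return fingerprint_sha256(line_a) == fingerprint_sha256(line_b)


def review_posted_key(description_line, requester_line):
    """The decision a reviewer records: verified only if the requester's own post
    carries the same key that was in the description AND it passes the sanity checks."""
    if not same_key(description_line, requester_line):
        return {"verified": False, "why": "requester posted a different key than the description"}
    policy = check_rsa_policy(requester_line)
    if not policy["ok"]:
        return {"verified": False, "why": "; ".join(policy["reasons"])}
    return {"verified": True, "bits": policy["bits"],
            "fingerprint": fingerprint_sha256(requester_line)}


def build_rsa_line(e, n, comment="constructed"):
    """Build an ssh-rsa line from raw integers (constructed test data, not a real key pair)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    blob = s(b"ssh-rsa") + s(e_bytes) + s(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(review_posted_key(KEY_FROM_DESCRIPTION, KEY_FROM_REQUESTER_COMMENT))
```

Comparing fingerprints rather than raw strings means a trailing comment (hostname, email) added on one posting does not cause a false mismatch, while any change to the key material itself does. The parser rejects blobs whose inner type field disagrees with the prefix and blobs with trailing bytes, both of which are common signs of a mangled paste.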

RobH claimed this task. Aug 23 2018, 6:27 PM

Ok, everything looks good on this. I'll go ahead and get the patchsets going.

Change 454882 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Patrick Earley to shell users

https://gerrit.wikimedia.org/r/454882

Change 454885 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Patrick Earley to groups

https://gerrit.wikimedia.org/r/454885

Change 454882 merged by RobH:
[operations/puppet@production] adding Patrick Earley to shell users

https://gerrit.wikimedia.org/r/454882

Change 454885 merged by RobH:
[operations/puppet@production] adding Patrick Earley to groups

https://gerrit.wikimedia.org/r/454885

RobH closed this task as Resolved. Aug 23 2018, 6:41 PM
RobH updated the task description.
RobH removed a project: Patch-For-Review.

Ok, all access has been merged live (since this request is weeks old, it was well over the 3 business day wait.)

@PEarleyWMF: You may have to wait up to 30 minutes to access the systems. If you have any issues, please feel free to re-open this task or just ping me directly via hangout or IRC (robh on irc).

Thanks kindly, @RobH !