Maniphest T202475

Give WMDE-Fisch permission to upload wikidiff2 releases (releasers-wikidiff2)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Legoktm
	Aug 22 2018, 12:24 AM

Description

@WMDE-Fisch (realname: Christoph Jauera) will be partly taking over release manager duties for wikidiff2 from me, and will need access to upload tarballs to releases.wikimedia.org. Note that the "releasers-wikidiff2" group doesn't exist yet, it's being created as part of T202473.

As far as I can tell, Fisch doesn't have a shell account yet, so they'll need to follow the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

- User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
- User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
- User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform. (add to releasers-wikidiff2 group)
- User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
- access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff) @Legoktm is requesting this for this person to take over some responsibilities from them
- non-sudo requests: 3 business day wait must pass with no objections being noted on the task - Ends Monday, 2018-08-27.
- Patchset for access request user: https://gerrit.wikimedia.org/r/454873 group addition: https://gerrit.wikimedia.org/r/454879

Details

	Subject	Repo	Branch	Lines +/-
	adding Christoph Jauera to production shell users	operations/puppet	production	+9 -4
	adding Christoph Jauera to releasers-wikidiff2	operations/puppet	production	+1 -1

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	Legoktm	T202335 Have a more active developer take over as release manager for wikidiff2
Resolved	Dzahn	T202473 Create releasers-wikidiff2 group, split from releasers-mediawiki
Resolved	WMDE-Fisch	T202475 Give WMDE-Fisch permission to upload wikidiff2 releases (releasers-wikidiff2)

Event Timeline

Legoktm created this task.Aug 22 2018, 12:24 AM

Restricted Application added a project: SRE. · View Herald TranscriptAug 22 2018, 12:24 AM

Legoktm added a subtask: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.Aug 22 2018, 12:26 AM

Addshore added a project: User-Addshore.Aug 22 2018, 10:14 AM

Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.

Addshore awarded a token.

Following the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users for new users:

Full name: Christoph Jauera
Developer access username wmde-fisch
Public key: P7878

Dzahn closed subtask T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki as Resolved.Aug 22 2018, 9:58 PM

Dzahn removed a subtask: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.Aug 22 2018, 10:01 PM

Dzahn added a parent task: T202473: Create releasers-wikidiff2 group, split from releasers-mediawiki.

Please note that @WMDE-Fisch will need to provide/work on some further steps for us to process this request:

We have your username as WMDE-Fisch (from your wikitech account) and know what group you need (releasers-wikidiff2 per T202473). However, we need a few more things from you:

Please coordinate with WMDE and WMF Legal (typically @RStallman-legalteam) to have a signed NDA on file with us. (This is required for ALL shell access requests.)
Please review and sign the L3 document.
- Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Once we have that info/NDA on file for you, we should be able to move forward with this request.

RobH updated the task description. (Show Details)Aug 22 2018, 10:59 PM

In T202475#4525265, @RobH wrote:

Please review and sign the L3 document.

Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Hi @RobH, thanks for taking care of this.

I signed the L3 and provided a SSH Key above. I just created that key yesterday and will exclusively use it for the WMF production shell access.

Screenshot_2018-08-23 © Acknowledgement of Wikimedia Server Access Responsibilities.png (408×1 px, 29 KB)

In T202475#4525265, @RobH wrote:

Once we have that info/NDA on file for you, we should be able to move forward with this request.

Per https://tools.wmflabs.org/ldap/user/wmde-fisch they're already in the LDAP nda group.

In T202475#4527572, @Legoktm wrote:

In T202475#4525265, @RobH wrote:

Once we have that info/NDA on file for you, we should be able to move forward with this request.

Per https://tools.wmflabs.org/ldap/user/wmde-fisch they're already in the LDAP nda group.

Indeed, I overlooked them because in re-checking, I see their entry on the tracking sheet for NDA!

So I'll go ahead and work on the patchsets. If no objections are noted, your access will merge live on Monday, 2018-08-27.

RobH updated the task description. (Show Details)Aug 23 2018, 6:19 PM

RobH moved this task from Manager/NDA Approval/Confirmation to 3 Business Day Wait on the SRE-Access-Requests board.

Change 454873 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Christoph Fischer to production shell users

https://gerrit.wikimedia.org/r/454873

Change 454879 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Christoph Jauera to releasers-wikidiff2

https://gerrit.wikimedia.org/r/454879

RobH removed WMDE-Fisch as the assignee of this task.Aug 23 2018, 6:25 PM

RobH updated the task description. (Show Details)

@WMDE-Fisch I have updated the real name to reflect the name given here (see https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/454873/). Please let me know if that's right, and then we can merge these patches.

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 9:56 AM

ArielGlenn moved this task from 3 Business Day Wait to Awaiting User Input on the SRE-Access-Requests board.

In T202475#4537669, @ArielGlenn wrote:

@WMDE-Fisch I have updated the real name to reflect the name given here (see https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/454873/). Please let me know if that's right, and then we can merge these patches.

Thanks, left a comment. You could change the email address as well.

Please have another look at the patch and let me know.

In T202475#4537719, @ArielGlenn wrote:

Please have another look at the patch and let me know.

Done, thanks :-)!

Change 454873 merged by ArielGlenn:
[operations/puppet@production] adding Christoph Jauera to production shell users

https://gerrit.wikimedia.org/r/454873

Change 454879 merged by ArielGlenn:
[operations/puppet@production] adding Christoph Jauera to releasers-wikidiff2

https://gerrit.wikimedia.org/r/454879

ArielGlenn moved this task from Awaiting User Input to user confirm on the SRE-Access-Requests board.Aug 28 2018, 10:21 AM

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 10:44 AM

As soon as the user verifies that access works as expected, we can close this ticket.

In T202475#4537876, @ArielGlenn wrote:

As soon as the user verifies that access works as expected, we can close this ticket.

So this is the first time for me doing something with production shell access, I might do something wrong but:

looking at https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org I guess I need to ssh to tin to do anything release related
ssh deployment.eqiad.wmnet he asks for a password ( after I entered my ssh key password).
ssh bast3002.wikimedia.org works

Snippet from my config:

Host bast3002.wikimedia.org
    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User wmde-fisch
    IdentityFile /home/chfi/.ssh/wmdev_rsa
    IdentityAgent /run/user/1000/ssh-wmdev.socket
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -a -W %h:%p bast3002.wikimedia.org

Snippet of ssh output with -vvv:

debug1: Host 'deployment.eqiad.wmnet' is known and matches the ECDSA host key.
debug1: Found key in /home/chfi/.ssh/known_hosts:57
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: /home/chfi/.ssh/wmdev_rsa (0x561e6c69b0d0), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:s2pf0PPzJblbGXx+nOuveeLGE482SRqPx58iP07Tgns /home/chfi/.ssh/wmdev_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

Sorry about this, but the task asks for access to upload things onto the release hosts (release1001/2001), and so that's what you got. I verified that your home directory and key are there. Do you/will you need access for other sorts of things?

In T202475#4538616, @ArielGlenn wrote:

Sorry about this, but the task asks for access to upload things onto the release hosts (release1001/2001), and so that's what you got. I verified that your home directory and key are there. Do you/will you need access for other sorts of things?

Thanks for checking - lets first wait for someone to confirm, that my process is correct there. :-)

In T202475#4538527, @WMDE-Fisch wrote:

In T202475#4537876, @ArielGlenn wrote:

As soon as the user verifies that access works as expected, we can close this ticket.

So this is the first time for me doing something with production shell access, I might do something wrong but:

looking at https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org I guess I need to ssh to tin to do anything release related

ssh deployment.eqiad.wmnet he asks for a password ( after I entered my ssh key password).

ssh bast3002.wikimedia.org works

You don't need access to tin (I'll update the wikipage), try ssh releases1001.eqiad.wmnet and then check that you can write to /srv/org/wikimedia/releases/wikidiff2?

In T202475#4539129, @Legoktm wrote:

You don't need access to tin (I'll update the wikipage), try ssh releases1001.eqiad.wmnet and then check that you can write to /srv/org/wikimedia/releases/wikidiff2?

Works, I can connect and I seem to have write rights in that directory, thanks \o/.

Addshore moved this task from Watching 👀 to Closing ✔️ on the User-Addshore board.Aug 29 2018, 7:40 AM

releases.wikimedia.org has 2 backends, releases1001 and releases2001, so one in eqiad and one in codfw and both are active.

The contents of /srv/org/wikimedia/releases are rsynced from $active_server to $passive_server by puppet code in profile::releases::mediawiki.

What is defined as active/passive server is in Hiera in common.yaml as releases_server and releases_server_failover.

So you are doing right uploading it to releases1001.. it will then be synced to the other server.

It is possible though that one day we switch what is the active server for maintenance, datacenter switch-over or a failure. In that case you would upload to releases2001.

WMDE-Fisch mentioned this in T211014: Requesting access to deployment for Christoph Jauera (WMDE-Fisch).Dec 3 2018, 2:25 PM

WMDE-Fisch mentioned this in T250362: Requesting access to analytics-wmde-users for Christoph Jauera.Apr 16 2020, 10:06 AM

Maintenance_bot removed a project: Patch-For-Review.Apr 16 2020, 10:10 AM

WMDE-Fisch mentioned this in T295781: Requesting access to analytics-privatedata-users for Christoph Jauera.Nov 16 2021, 3:44 PM

WMDE-leszek mentioned this in T358578: Add WMDE staff who have signed the NDA with the WMF to the WMF-NDA phabricator policy group.Feb 27 2024, 12:55 PM