Page MenuHomePhabricator

Frdev1001 server and mysql access
Closed, ResolvedPublic

Description

Hi there, could I get access to the frdev1001 server and access to mysql, specifically the pgehres & civicrm databases? Thank you!

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 8 2018, 5:13 PM
Krenair edited subscribers, added: Krenair; removed: Wikimedia-Fundraising.

pgehres hasn't worked here for years. anyway, adding this to SRE-Access-Requests and shifting the fundraising project from subscribers to tags

Restricted Application added a project: Operations. · View Herald TranscriptOct 8 2018, 5:24 PM
Dzahn added a subscriber: Dzahn.Oct 9 2018, 3:22 PM

Hi @jkim_wikimedia

We will need a few things to follow-up with your access request. Could you please:

  • add a short justification (just a few words) what the access is needed for
  • add your manager to this ticket and have them approve the request
  • create a SSH keypair and paste the public key here
  • read L3 and sign it

Thank you and best regards,

Daniel

pgehres hasn't worked here for years

He left a database, named in his honour . :)

Hi @Dzahn

Thanks for helping with this!

  • Access is needed for me to track stats for fundraising emails
  • @CaitVirtue could you approve?
  • Could you advise on how to create a SSH keypair...
  • L3 signed

Thanks!

  • Could you advise on how to create a SSH keypair...

take a look at man ssh-keygen - you should end up with something like ssh-keygen -t ed25519 -C "jkim@wikimedia.org frack"

I'm relaying an email from Lisa:

Lisa Gruwell
Thu, Oct 11, 6:13 PM (14 hours ago)
to Jerry, Caitlin, me

Yes, approved.

On Thu, Oct 11, 2018 at 11:27 AM Jerry Kim <jkim@wikimedia.org> wrote:
Hey Lisa,

Could I get your approval for access to the Frdev1000 server and mysql? I'll be using this to track stats for MG&E emails so we can keep a better record of email performance.

Thank you!

Jerry Kim

Dzahn added a comment.Oct 12 2018, 3:58 PM

Hi @jkim_wikimedia

there is one more thing, besides the SSH key, that we will need.

Please go to Wikitech wiki and create a user there:

https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount&returnto=Main+Page

And once done let us know which user name you picked for the "UNIX shell username" (or just the email you used to register).

Thanks!

Dzahn triaged this task as Medium priority.Oct 12 2018, 3:58 PM

@Jgreen @cwdent Could you advise how access requests for FRACK are usually handled from here? Do you also match UID from an LDAP user? Is it going to need a puppet change (in which repo?) Would you handle them directly or should they be like any other prod access request and handled by ops on duty?

Dzahn assigned this task to cwdent.Oct 12 2018, 4:39 PM

Hi @Dzahn ! My user name is 'jkim'. Still working on the SSH key...

Hi @jkim_wikimedia - sorry for the confusion, I'll be making this account for you. Do you have a yubikey?

Hey @cwdent , could you help me with the SSH key? I have my yubikey handy. Thx!

@jkim_wikimedia these are the basic instructions for making an ssh key: https://wikitech.wikimedia.org/wiki/Production_shell_access#Generating_your_SSH_key

Once that is done you can paste the public key (ending with .pub) on this task along with the output of the yubikey and we can get you set up!

Hey @cwdent, here's the public key: /Users/jkim/.ssh/id_rsa.pub

What is the output of the yubikey? -_-

@jkim_wikimedia If you plug it into your laptop and touch the button it will spit out some text. The first 12 characters are your key's ID and the rest is a one-time-use password.

DStrine moved this task from Triage to FR-Ops on the Fundraising-Backlog board.Oct 15 2018, 7:03 PM

@jkim_wikimedia thanks! As far as the public key I need the actual contents of the file which you can see by typing:

cat /Users/jkim/.ssh/id_rsa.pub

It will be a large block of text.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ItHLDwXZYoK8b3LEff1bM6UydLGFXMCprg+LVLkwDR4fQFSEMNMLAsdNoXnGmr6ZNC/CnCOxRcbYpk+AEpx1gx4U0ZQfsvhPzyaLL1P809MxFgF89QPVFvoB2ZlkGjVm1t2JIY57lDFzTvzwiWHHtvtkFU6BCITnBV0NWk8/7LnEC6dD4WBoe26zaOmQf5m0/znMq+B+7T7IE0RLk08vkUn17nXUn5x2r98paT1iuYv7DRyOFHBf9Y4naOKO4AYWp79VI/V98Nugeahw7FnUR3yd/11FAXAY8PR7sf4zytjLeVz/IQpzoLuHzCpDkCFSH5Cxw5jbUBqGIHeE//AC0wmS3M89M4RXFLEQkjz69L0Dd/uZhHDrePBgvUh0FeqM+iD54m2BF0uPYhXupNsmtGAixrZdMaFWmDcL3BA9Oby+tAiehOgftefg5OWArbWhtUKkHRWh+upTSJCMFVgNQTnDDWT+SPk8PNE61Cy9wrp8hi40BNKXd1rli0PEtZl+gX82e8ZNbU3SD0bsPVavMZUHQr/IdMD1r7dw83M9tYEN5dfDw2fjcb6mJzuA6lOzeTlE2ZB2rABHLlNNOmqJ0YOnHvD1JQggCJtNLS2FNRMd6QPp7hjRZT/nn/FhUwI5utwvotQDjdQif+VkNAY/SZqWVFbmG4Q6QTWvmCDZ2w== jkim@wikimedia.org

@jkim_wikimedia thanks, I now have enough info to make the accounts and will find time in the next day or two.

[frack::puppet::private] 35f24cf add jkim user
cwdent added a comment.EditedOct 18 2018, 3:07 AM
[frack::puppet] b856bf6 add jkim user

@jkim_wikimedia ok, you are all set up with a shell account on frdev1001 and mysql access.

In order to log in you will need to set up your ssh config: https://wikitech.wikimedia.org/wiki/Fundraising/tech/ssh_config

Then you can type

ssh frdev1001

to log in and

mysql

to access the database.

Hey @cwdent, am i doing something wrong here?

@jkim_wikimedia it looks like the file isn't there. I am not personally knowledgeable about Apple computers but I have edited the instructions to add the commands that would work in Linux, hopefully they are the same:

https://wikitech.wikimedia.org/wiki/Fundraising/tech/ssh_config

Let me know if that does it!

I'm removing SRE-Access-Requests here, as this request applies to frtech.

If it's easier to walk through via hangouts, let me know. Sorry :(

Dzahn added a comment.EditedOct 30 2018, 8:18 PM

@jkim_wikimedia No worries, screenshots like this are helpful and we can use them to make better docs for the next time. So you made a new file called "config" inside that new directory called .ssh. That's all good. But then it looks like contents of that file are also the commands that you typed to do this. I'm not sure how that happened, but what you want is copy/paste the part that starts after "The file should look more or less like this" into the text editor and then save it.

Start at "Host frbast.wikimedia.org" and copy the 2 host blocks into your new config file and then save. By the way, you can use any other text editor for this as well, you don't have to use TextEdit.

Thanks @Dzahn ! Does this look good?

Jgreen added a comment.Nov 2 2018, 7:49 PM

Thanks @Dzahn ! Does this look good?

Almost! Just need to adjust the two spots that say "your_username_here" to "jkim" and you should be good to go.

Jgreen added a comment.Nov 2 2018, 8:09 PM

Done!

Now you should be able to "ssh frdev1001" from a terminal on your Mac or whatever. Your SSH client will connect through a
bastion server (frbast) to the reporting server (frdev1001).

The first time you connect:

  1. You'll be asked to authorize frbast's host key, enter 'yes' when asked.

The authenticity of host 'frbast (208.80.155.8)' can't be
established. ECDSA key fingerprint is SHA256:KFDL0dZ/YAKzQRw4oqVBPGELoLaNHBc3yyotcJ6rywM.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

  1. Then you'll be prompted for a password, press your Yubikey here.
  1. Next you're asked to authorize frdev1001's host key, again enter 'yes'.

The authenticity of host 'frdev1001 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:TXnPkkzSigtrVId7gisg2vd51vhSUArrkpAlntJlzps.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Finally you get a prompt indicating successful connection: (your username)@frdev1001:~$

After you verify a host's key, your client should never ask again for that host. If it does something is wrong, the connection can't be trusted, and you need to stop and check in with Fundraising Tech. You will be prompted
for the Yubikey password every time you connect, however.

Also, as a reminder it is imperative that you contact Fundraising Tech ASAP if either your laptop or Yubikey is lost, stolen, or otherwise compromised so we can prevent unauthorized access.

cwdent closed this task as Resolved.Nov 20 2018, 8:58 PM

@jkim_wikimedia cleaning house, please re-open if you need help.

Dwisehaupt moved this task from Triage to Done on the fundraising-tech-ops board.Feb 13 2020, 9:43 PM