Page MenuHomePhabricator

Provide access to testreduce* databases on scandium + revoke from ruthenium
Closed, ResolvedPublic

Description

Ref T201366#4908125

In order to use scandium, we need access to those databases from scandium. Once you provide access, and we test this on scandium, we'll update this ticket and you could revoke access on ruthenium.

Specifically, the databases are testreduce_0715 and testreduce_vd

Event Timeline

ssastry created this task.Jan 25 2019, 10:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 25 2019, 10:55 PM
Marostegui moved this task from Triage to In progress on the DBA board.Jan 26 2019, 3:15 AM
Marostegui added a subscriber: Marostegui.

@ssastry just to make sure we have all the data we need here, so it is easier, faster and we can avoid mistakes, can you confirm the following info:

  • Access needed to m5 (I can see those databases live there)
  • username required: testreduce
  • From: scandium (10.64.48.94)
  • GRANTS needed (currents grants are:)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.16.155'      
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.16.155'   
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.16.155'

There is no testreduce database, so I guess that one can be deleted.

@ssastry just to make sure we have all the data we need here, so it is easier, faster and we can avoid mistakes, can you confirm the following info:

  • Access needed to m5 (I can see those databases live there)
  • username required: testreduce
  • From: scandium (10.64.48.94)
  • GRANTS needed (currents grants are:)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.16.155'      
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.16.155'   
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.16.155'

There is no testreduce database, so I guess that one can be deleted.

That is correct. Thanks!

Change 487348 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb: Grant m5 access to testreduce databases to scandium

https://gerrit.wikimedia.org/r/487348

Change 487348 merged by Jcrespo:
[operations/puppet@production] mariadb: Grant m5 access to testreduce databases to scandium

https://gerrit.wikimedia.org/r/487348

Change 487349 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb: Style fixes for scandium grants

https://gerrit.wikimedia.org/r/487349

Change 487349 merged by Jcrespo:
[operations/puppet@production] mariadb: Style fixes for scandium grants

https://gerrit.wikimedia.org/r/487349

Mentioned in SAL (#wikimedia-operations) [2019-01-31T12:12:11Z] <jynus> apply new grants to m5-master with replication T214740

jcrespo assigned this task to ssastry.Jan 31 2019, 12:14 PM
jcrespo moved this task from In progress to Blocked external/Not db team on the DBA board.
jcrespo added a subscriber: jcrespo.

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

jcrespo triaged this task as Normal priority.Jan 31 2019, 12:14 PM

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

Tested. Looks good to me. Please wait for https://gerrit.wikimedia.org/r/c/operations/puppet/+/486423 to apply and revoke access from ruthenium.

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

Tested. Looks good to me. Please wait for https://gerrit.wikimedia.org/r/c/operations/puppet/+/486423 to apply and revoke access from ruthenium.

You can revoke access from ruthenium now.

Change 488238 had a related patch set uploaded (by Marostegui; owner: Marostegui):
[operations/puppet@production] production-m5.sql.erb: Revoke access to testreduce from ruthenium

https://gerrit.wikimedia.org/r/488238

Change 488238 merged by Marostegui:
[operations/puppet@production] production-m5.sql.erb: Revoke access to testreduce from ruthenium

https://gerrit.wikimedia.org/r/488238

Mentioned in SAL (#wikimedia-operations) [2019-02-06T10:41:24Z] <marostegui> Revoke access to testreduce from ruthenium on m5 - https://phabricator.wikimedia.org/T214740

Marostegui closed this task as Resolved.Feb 6 2019, 10:45 AM

Grants revoked:

root@db1073.eqiad.wmnet[(none)]> show grants for 'ssastry'@'10.64.16.151';
ERROR 1141 (42000): There is no such grant defined for user 'ssastry' on host '10.64.16.151'
root@db1073.eqiad.wmnet[(none)]> show grants for 'testreduce'@'10.64.16.151';
ERROR 1141 (42000): There is no such grant defined for user 'testreduce' on host '10.64.16.151'

The access from scandium is still there:

root@db1073.eqiad.wmnet[(none)]> show grants for 'ssastry'@'10.64.48.94';
+------------------------------------------------------------------------------------------------------------------+
| Grants for ssastry@10.64.48.94                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ssastry'@'10.64.48.94' IDENTIFIED BY PASSWORD '*xx' |
| GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON `testreduce_vd`.* TO 'ssastry'@'10.64.48.94'                      |
| GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON `testreduce_0715`.* TO 'ssastry'@'10.64.48.94'                    |
+------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

root@db1073.eqiad.wmnet[(none)]> show grants for 'testreduce'@'10.64.48.94';
+-----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for testreduce@10.64.48.94                                                                                                       |
+-----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testreduce'@'10.64.48.94' IDENTIFIED BY PASSWORD '*xx'                     |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.48.94'      |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.48.94'   |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.48.94' |
+-----------------------------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)