Page MenuHomePhabricator
Create Task
Maniphest T214740

Provide access to testreduce* databases on scandium + revoke from ruthenium
Closed, ResolvedPublic
Actions

Description

Ref T201366#4908125

In order to use scandium, we need access to those databases from scandium. Once you provide access, and we test this on scandium, we'll update this ticket and you could revoke access on ruthenium.

Specifically, the databases are testreduce_0715 and testreduce_vd

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+2 -18production-m5.sql.erb: Revoke access to testreduce from ruthenium
operations/puppetproduction+25 -27mariadb: Style fixes for scandium grants
operations/puppetproduction+24 -0mariadb: Grant m5 access to testreduce databases to scandium
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Unknown Object (Task)
Unknown Object (Task)
 ResolvedDzahnT201366 rack/setup/install scandium.eqiad.wmnet (parsoid test box)
 ResolvedssastryT214740 Provide access to testreduce* databases on scandium + revoke from ruthenium

Event Timeline

ssastry created this task.Jan 25 2019, 10:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 25 2019, 10:55 PM
ssastry added a parent task: T201366: rack/setup/install scandium.eqiad.wmnet (parsoid test box).Jan 25 2019, 10:55 PM
ssastry updated the task description. (Show Details)
Marostegui moved this task from Triage to In progress on the DBA board.Jan 26 2019, 3:15 AM
Marostegui added a subscriber: Marostegui.

@ssastry just to make sure we have all the data we need here, so it is easier, faster and we can avoid mistakes, can you confirm the following info:

  • Access needed to m5 (I can see those databases live there)
  • username required: testreduce
  • From: scandium (10.64.48.94)
  • GRANTS needed (currents grants are:)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.16.155'      
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.16.155'   
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.16.155'

There is no testreduce database, so I guess that one can be deleted.

ssastry added a comment.Jan 26 2019, 12:28 PM
In T214740#4910657, @Marostegui wrote:

@ssastry just to make sure we have all the data we need here, so it is easier, faster and we can avoid mistakes, can you confirm the following info:

  • Access needed to m5 (I can see those databases live there)
  • username required: testreduce
  • From: scandium (10.64.48.94)
  • GRANTS needed (currents grants are:)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.16.155'      
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.16.155'   
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.16.155'

There is no testreduce database, so I guess that one can be deleted.

That is correct. Thanks!

gerritbot added a subscriber: gerritbot.Jan 31 2019, 11:54 AM

Change 487348 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb: Grant m5 access to testreduce databases to scandium

https://gerrit.wikimedia.org/r/487348

gerritbot added a project: Patch-For-Review.Jan 31 2019, 11:54 AM
gerritbot added a comment.Jan 31 2019, 11:56 AM

Change 487348 merged by Jcrespo:
[operations/puppet@production] mariadb: Grant m5 access to testreduce databases to scandium

https://gerrit.wikimedia.org/r/487348

gerritbot added a comment.Jan 31 2019, 12:08 PM

Change 487349 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb: Style fixes for scandium grants

https://gerrit.wikimedia.org/r/487349

gerritbot added a comment.Jan 31 2019, 12:09 PM

Change 487349 merged by Jcrespo:
[operations/puppet@production] mariadb: Style fixes for scandium grants

https://gerrit.wikimedia.org/r/487349

Stashbot added a subscriber: Stashbot.Jan 31 2019, 12:12 PM

Mentioned in SAL (#wikimedia-operations) [2019-01-31T12:12:11Z] <jynus> apply new grants to m5-master with replication T214740

jcrespo assigned this task to ssastry.Jan 31 2019, 12:14 PM
jcrespo moved this task from In progress to Blocked external/Not db team on the DBA board.
jcrespo added a subscriber: jcrespo.

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

jcrespo triaged this task as Medium priority.Jan 31 2019, 12:14 PM
ssastry added a comment.Feb 3 2019, 12:03 AM
In T214740#4920221, @jcrespo wrote:

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

Tested. Looks good to me. Please wait for https://gerrit.wikimedia.org/r/c/operations/puppet/+/486423 to apply and revoke access from ruthenium.

ssastry added a comment.Feb 6 2019, 4:40 AM
In T214740#4922899, @ssastry wrote:
In T214740#4920221, @jcrespo wrote:

Grants applied, systemd restarted on ruthenium successfully, please test and send back when we can remove the old grants.

Tested. Looks good to me. Please wait for https://gerrit.wikimedia.org/r/c/operations/puppet/+/486423 to apply and revoke access from ruthenium.

You can revoke access from ruthenium now.

gerritbot added a comment.Feb 6 2019, 6:24 AM

Change 488238 had a related patch set uploaded (by Marostegui; owner: Marostegui):
[operations/puppet@production] production-m5.sql.erb: Revoke access to testreduce from ruthenium

https://gerrit.wikimedia.org/r/488238

gerritbot added a comment.Feb 6 2019, 10:39 AM

Change 488238 merged by Marostegui:
[operations/puppet@production] production-m5.sql.erb: Revoke access to testreduce from ruthenium

https://gerrit.wikimedia.org/r/488238

Stashbot added a comment.Feb 6 2019, 10:41 AM

Mentioned in SAL (#wikimedia-operations) [2019-02-06T10:41:24Z] <marostegui> Revoke access to testreduce from ruthenium on m5 - https://phabricator.wikimedia.org/T214740

Marostegui closed this task as Resolved.Feb 6 2019, 10:45 AM

Grants revoked:

root@db1073.eqiad.wmnet[(none)]> show grants for 'ssastry'@'10.64.16.151';
ERROR 1141 (42000): There is no such grant defined for user 'ssastry' on host '10.64.16.151'
root@db1073.eqiad.wmnet[(none)]> show grants for 'testreduce'@'10.64.16.151';
ERROR 1141 (42000): There is no such grant defined for user 'testreduce' on host '10.64.16.151'

The access from scandium is still there:

root@db1073.eqiad.wmnet[(none)]> show grants for 'ssastry'@'10.64.48.94';
+------------------------------------------------------------------------------------------------------------------+
| Grants for ssastry@10.64.48.94                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ssastry'@'10.64.48.94' IDENTIFIED BY PASSWORD '*xx' |
| GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON `testreduce_vd`.* TO 'ssastry'@'10.64.48.94'                      |
| GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON `testreduce_0715`.* TO 'ssastry'@'10.64.48.94'                    |
+------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

root@db1073.eqiad.wmnet[(none)]> show grants for 'testreduce'@'10.64.48.94';
+-----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for testreduce@10.64.48.94                                                                                                       |
+-----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testreduce'@'10.64.48.94' IDENTIFIED BY PASSWORD '*xx'                     |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce`.* TO 'testreduce'@'10.64.48.94'      |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_vd`.* TO 'testreduce'@'10.64.48.94'   |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES ON `testreduce_0715`.* TO 'testreduce'@'10.64.48.94' |
+-----------------------------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL