Requesting access to machines [stat1004, stat1005 (now stat1007), and stat1006] and groups for iflorez
Closed, Resolved · Public · Request

Description

Wikitech username: Iflorez
preferred shell username: iflorez
developer access username / Instance shell account name in preferences: iflorez
Full name: Irene Florez

REQUEST: I will need access to stat1004, stat1005 (now stat1007), and stat1006 and to be added to these groups: wikidev, analytics-privatedata-users, and researchers (and wmf or nda groups, if not already, as those are required for Hue).

REASONING: I am supporting the Partnerships & Global Reach team with data analysis on the GLOW project. I will be analyzing data coming out of the GLOW project, and will need server access to a) develop an evaluation framework and b) analyze|evaluate|report on performance.

VERIFICATION: @georgina will be overseeing this work (and the data analysis portion can be verified by @kzimmerman and @mpopov while Kate is away). I'm a WMF data analyst contractor. I have signed the Acknowledgement of Wikimedia Server Access Responsibilities. I have an NDA filed with legal. Also, note: The NDA indicates access to stat1005 and can be updated with the new name for that machine, stat1007, if needed.

Thank you!

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqMsQAdABxLhrBi2MoGHqkrNEOMJXePZXwTAnuGu//O iflorez@LoanerWMF1954

Event Timeline

Restricted Application added a subscriber: Aklapper.

We need manager sign-off, and @RStallman-legalteam should verify here that the appropriate NDA has been signed and is on file.

Thanks for opening this ticket! I confirm that the NDA is signed and on file.

I'm Irene's manager and I approve the request. Thanks everyone!

(and wmf and nda groups, if not already, as those are required for Hue).

Normally this is an OR, and all logins I am aware of are configured to allow "either WMF or NDA". We use the WMF group for employees and the NDA group for volunteers and external contractors with an NDA. I see you have a @wikimedia.org email address though it doesn't follow the usual naming scheme. Are you an employee?

edit: never mind, I see "WMF data analyst contractor".

That explanation is helpful. Thank you!

need access to stat1004, stat1005 (now stat1007), and stat1006

Access is never based on individual host names, only on groups.

But I can confirm that:

  • stat1004: analytics-privatedata-users has access
  • stat1005: none of the requested groups has access but as you already said it was replaced by stat1007
  • stat1006: researchers has access
  • stat1007: analytics-privatedata-users has access

and to be added to these groups:

  • wikidev: This is kind of a meta group that you should automatically be added to without specifically having to add you.
  • analytics-privatedata-users: Yes, added in the patch I uploaded.
  • and researchers : Yes, same as above.
  • and wmf and nda groups: We will add you after the code change is merged to avoid getting warning emails about an inconsistency between admin groups and LDAP groups

Dzahn triaged this task as Medium priority. May 17 2019, 11:50 PM

Change 510985 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add shell account and admin groups for iflorez

https://gerrit.wikimedia.org/r/510985

Hello,
I'm reading through the shell access notes and see that an Ed25519 SSH key is the recommended key for secure access.
I've updated this phab ticket's description with a new Ed25519 SSH key, which replaces a 2048 bit RSA SSH key. Please let me know if I should take further steps. Your feedback is appreciated. Thank you!

Dzahn added a subscriber: Nuria.

@Nuria Hi, do you approve of this access request?

Hi Irene, thanks for doing that. I updated the patch accordingly.

Updated the ticket to include a capitalized I in the Wikitech username.

The correct Wikitech username is: Iflorez

Thanks @Iflorez for attention to detail. So the full story is that's all one LDAP user but there are different fields:

cn: Iflorez
sn: Iflorez
uid: iflorez

The non-capitalized version will become your shell user, as requested, and we match you by the UID number (21341) so we got the right user. P.S. I think the only thing that currently keeps us from resolving this ticket is that we need approval from @Nuria

We need legal to please confirm NDA status plus also an expiration date for access for @Iflorez.

Signed NDA confirmed. Contract is through May 31, 2020.

Updating patch to include expiry_date May 31, 2020. Who should be expiry_contact? Nuria?

@Dzahn I guess @georgina would be more appropriate, the expiration contact should be related to the contractor's point of contact, not the group's owner.

Done! Added Georgina and expiry date of May 31st 2020.

@Nuria all the pre-requisites are there, is this approved?

Change 510985 merged by Volans:
[operations/puppet@production] admins: add shell account and admin groups for iflorez

https://gerrit.wikimedia.org/r/510985

Added @Iflorez to the wmf LDAP group as agreed with @MoritzMuehlenhoff

I've verified with @Iflorez that basic access to bastion and internal hosts works as expected.

Volans added a subscriber: elukey.

I've asked @elukey to sync the account to HUE as I don't have access myself.

It should be all done, resolving for now. Feel free to re-open if needed.

Hello, I've joined the Product Analytics team with @mpopov as my manager. Hooorah!

I believe that I am currently added to these groups:
analytics-privatedata-users, wmf LDAP

And need to also be added to the analytics-product-users group

Thank you!

Hi! Could you please create a new request by following the instructions at https://wikitech.wikimedia.org/wiki/Production_access#Filing_the_request if you need more access. Thanks!