
Requesting access to machines [stat1004, stat1005 (now stat1007), and stat1006] and groups for iflorez
Closed, Resolved · Public · Request

Description

Wikitech username: Iflorez
preferred shell username: iflorez
developer access username / Instance shell account name in preferences: iflorez
Full name: Irene Florez

REQUEST: I will need access to stat1004, stat1005 (now stat1007), and stat1006 and to be added to these groups: wikidev, analytics-privatedata-users, and researchers (and wmf or nda groups, if not already, as those are required for Hue).

REASONING: I am supporting the Partnerships & Global Reach team with data analysis on the GLOW project. I will be analyzing data coming out of the GLOW project, and will need server access to a) develop an evaluation framework and b) analyze|evaluate|report on performance.

VERIFICATION: @georgina will be overseeing this work (and the data analysis portion can be verified by @kzimmerman and @mpopov while Kate is away). I'm a WMF data analyst contractor. I have signed the Acknowledgement of Wikimedia Server Access Responsibilities. I have an NDA filed with legal. Also, note: The NDA indicates access to stat1005 and can be updated with the new name for that machine, stat1007, if needed.

Thank you!

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqMsQAdABxLhrBi2MoGHqkrNEOMJXePZXwTAnuGu//O iflorez@LoanerWMF1954

Event Timeline

Iflorez created this task. May 16 2019, 11:59 PM
Restricted Application added a project: Operations. May 16 2019, 11:59 PM
Restricted Application added a subscriber: Aklapper.
Iflorez updated the task description. May 17 2019, 12:00 AM

We need manager sign-off, and @RStallman-legalteam should verify here that the appropriate NDA has been signed and is on file.

Thanks for opening this ticket! I confirm that the NDA is signed and on file.

We need manager sign-off

Pinging @georgina

I'm Irene's manager and I approve the request. Thanks everyone!

Dzahn added a subscriber: Dzahn. Edited May 17 2019, 10:46 PM

(and wmf and nda groups, if not already, as those are required for Hue).

Normally this is an OR, and all logins i am aware of are configured to allow "either WMF or NDA". We use the WMF group for employees and the NDA group for volunteers and external contractors with an NDA. I see you have a @wikimedia.org email address though it doesn't follow the usual naming scheme. Are you an employee?

edit: nevermind, i see "WMF data analyst contractor".

That explanation is helpful. Thank you!

need access to stat1004, stat1005 (now stat1007), and stat1006

Access is never based on individual host names, only on groups.

But i can confirm that:

  • stat1004: analytics-privatedata-users has access
  • stat1005: none of the requested groups has access but as you already said it was replaced by stat1007
  • stat1006: researchers has access
  • stat1007: analytics-privatedata-users has access

and to be added to these groups:

  • wikidev: This is kind of a meta group that you should automatically be added to without specifically having to add you.
  • analytics-privatedata-users: Yes, added in the patch i uploaded.
  • and researchers : Yes, same as above.
  • and wmf and nda groups: We will add you after the code change is merged to avoid getting warning emails about an inconsistency between admin groups and LDAP groups

Dzahn triaged this task as Normal priority. May 17 2019, 11:50 PM

Change 510985 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add shell account and admin groups for iflorez

https://gerrit.wikimedia.org/r/510985

Iflorez updated the task description. May 20 2019, 3:27 PM
Iflorez updated the task description. May 20 2019, 4:11 PM

Hello,
I'm reading through the shell access notes and see that an Ed25519 SSH key is the recommended key for secure access.
I've updated this phab ticket's description with a new Ed25519 SSH key, which replaces a 2048 bit RSA SSH key. Please let me know if I should take further steps. Your feedback is appreciated. Thank you!

Dzahn claimed this task. May 20 2019, 5:04 PM
Dzahn added a subscriber: Nuria.

@Nuria Hi, do you approve of this access request?

Dzahn added a comment. May 20 2019, 8:03 PM

Hello,
I'm reading through the shell access notes and see that an Ed25519 SSH key is the recommended key for secure access.
I've updated this phab ticket's description with a new Ed25519 SSH key, which replaces a 2048 bit RSA SSH key. Please let me know if I should take further steps. Your feedback is appreciated. Thank you!

Hi Irene, thanks for doing that. I updated the patch accordingly.

Iflorez updated the task description. May 21 2019, 5:49 PM

Updated the ticket to include a capitalized I in the Wikitech username.

The correct Wikitech username is: Iflorez

Dzahn added a comment. May 21 2019, 7:45 PM

Thanks @Iflorez for attention to detail. So the full story is that's all one LDAP user but there are different fields:

cn: Iflorez
sn: Iflorez
uid: iflorez

The non-capitalized version will become your shell user, as requested, and we match you by the UID number (21341) so we got the right user. P.S. I think the only thing that currently keeps us from resolving this ticket is that we need approval from @Nuria

Dzahn reassigned this task from Dzahn to Nuria. May 21 2019, 7:47 PM
Nuria added a comment. May 21 2019, 9:13 PM

We need legal to please confirm NDA status plus also an expiration date for access for @Iflorez.

Signed NDA confirmed. Contract is through May 31, 2020.

Dzahn added a comment. May 21 2019, 9:38 PM

Updating patch to include expiry_date May 31, 2020. Who should be expiry_contact? Nuria?

Volans added a subscriber: Volans. May 23 2019, 11:46 PM

@Dzahn I guess @georgina would be more appropriate, the expiration contact should be related to the contractor's point of contact, not the group's owner.

Dzahn added a comment. May 24 2019, 5:21 PM

@Dzahn I guess @georgina would be more appropriate, the expiration contact should be related to the contractor's point of contact, not the group's owner.

Done! Added Georgina and expiry date of May 31st 2020.

@Nuria all the pre-requisites are there, is this approved?

Nuria added a comment. May 25 2019, 5:40 AM

Approved, thanks.

Approved, yes. Many thanks.

Change 510985 merged by Volans:
[operations/puppet@production] admins: add shell account and admin groups for iflorez

https://gerrit.wikimedia.org/r/510985

Added @Iflorez to the wmf LDAP group as agreed with @MoritzMuehlenhoff

I've verified with @Iflorez that basic access to bastion and internal hosts works as expected.

Volans closed this task as Resolved. May 28 2019, 4:40 PM
Volans added a subscriber: elukey.

I've asked @elukey to sync the account to HUE as I don't have access myself.

It should be all done, resolving for now. Feel free to re-open if needed.