Username: accraze
Full name: Andy Craze
SSH public key:
Also needs to be in the statistics-privatedata-users, wikidev, and ores-admin groups
• ACraze | |
Jun 20 2019, 5:31 PM |
F29607697: id_ed25519.pub | |
Jun 20 2019, 5:31 PM |
Username: accraze
Full name: Andy Craze
SSH public key:
Also needs to be in the statistics-privatedata-users, wikidev, and ores-admin groups
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
Production shell: create shell account for accraze | operations/puppet | production | +11 -2 |
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | Halfak | T226416 Onboard Andy Craze -- Accounts and access | |||
Resolved | Request | jbond | T226204 Requesting access to stats machines/ores hosts hosts for Andy Craze | ||
Resolved | jcrespo | T240243 Add accraze to analytics-privatedata-users |
I support this request. Andy will be working with us on ORES and other Machine-Learning-Team stuff. We ran into this issue today when I was walking Andy through our deployment process.
@ACraze will also need access to the analytics cluster. (E.g., stat1007.eqiad.wmnet)
This is related to T225956: Grant LDAP access to accraze. They should have been merged into one ticket.
@Halfak I'm assuming you want statistics-privatedata-users for stat1006 and analytics-privatedata-users group in order to access Hadoop etc, yes?
Oh, there is no shell account for this user yet? I think that does need SRE approval. Please see: https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access
Also found https://office.wikimedia.org/wiki/Technology/Onboarding which may (or may not) be helpful. :)
This is from our team but also probably of help: https://wikitech.wikimedia.org/wiki/Analytics/Team/Onboarding#Getting_permits
It is probably agood idea to create onboarding docs for team now @Halfak as there is probably couple more hires in the near term
Yes. This is the ticket for requesting shell access. I believe it is tagged as described at https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access Is there something we missed?
I think it is done ok. The description with the later comment about analytics servers caused some confusion with SRE.
@jijiki I think this can be done. Not sure if SRE needs to approve officially.
As for which groups, I'm not sure which is correct for 'deployment hosts'. @Halfak can you edit description to include which analytics groups you need?
https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups
Thanks!
Change 518953 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] Production shell: create shell account for accraze
I think @ACraze needs to be added also to NDA group so he can gain access to analytics tools such us turnilo/superset
I don't believe that "nda" is a unix group. He has already been added to the nda ldap group. See T225956: Grant LDAP access to accraze
Small correction, they have been added to the wmf group (as they are staff) which has all the permissions of the nda group
for the other group permissions (statistics-privatedata-users, wikidev, and ores-admin) and shell, im still looking for a +1
Change 518953 merged by Jbond:
[operations/puppet@production] Production shell: create shell account for accraze
thanks @Ottomata i have merged now will wait for confirmation that all access is enabled before closing.
@Nuria i just wanted to confirm that i took this as approval for access to statistics-privatedata-users. I just want to double check this is still valid or is access to turnilo sufficient?
cheers
Adding to cn=wmf is fine and can always be done right away (the staff status covers the NDA angle).
Adding to the statistics-privatedata-users shell groups needs the approval of Nuria and for ores-admins of Aaron. In addition to that there's a waiting period of three days to give people the chance to raise concerns, but that date has passed. And given that Nuria and Aaron approved on task, we're good to merge :-)
@Nuria I have checked with moritz and cn=wmf should be all that is required for access to turnilo.
@ACraze I have checked the logs on turnilo.wikimedia.org and comparing it to our ldap data would suggest that you entered an incorrect password
http 401 in turnilo
2019-06-26T21:00:21 GET http://turnilo.wikimedia.org/ accraze 2019-06-26T21:00:27 GET http://turnilo.wikimedia.org/ accraze
ldap password failures
pwdFailureTime: 20190626210021.624388Z pwdFailureTime: 20190626210027.240695Z
You should be able to reset your password via wikitech. Please let me know if you are still seeing issues after a password reset.
Looks like we forgot 'deployment' and 'deploy-services' groups. I've filed T228191: Add accraze to deployment and deploy-service groups. to add those too.