I support this request. Andy will be working with us on ORES and other Machine-Learning-Team stuff. We ran into this issue today when I was walking Andy through our deployment process.

@ACraze will also need access to the analytics cluster. (E.g., stat1007.eqiad.wmnet)

This is related to T225956: Grant LDAP access to accraze. They should have been merged into one ticket.

Approved.

@Halfak I'm assuming you want statistics-privatedata-users for stat1006 and analytics-privatedata-users group in order to access Hadoop etc, yes?

Oh, there is no shell account for this user yet? I think that does need SRE approval. Please see: https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access

Also found https://office.wikimedia.org/wiki/Technology/Onboarding which may (or may not) be helpful. :)

This is from our team but also probably of help: https://wikitech.wikimedia.org/wiki/Analytics/Team/Onboarding#Getting_permits

It is probably agood idea to create onboarding docs for team now @Halfak as there is probably couple more hires in the near term

Yes. This is the ticket for requesting shell access. I believe it is tagged as described at https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access Is there something we missed?

I think it is done ok. The description with the later comment about analytics servers caused some confusion with SRE.

@jijiki I think this can be done. Not sure if SRE needs to approve officially.

As for which groups, I'm not sure which is correct for 'deployment hosts'. @Halfak can you edit description to include which analytics groups you need?
https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

Thanks!

Change 518953 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] Production shell: create shell account for accraze

https://gerrit.wikimedia.org/r/518953

I think @ACraze needs to be added also to NDA group so he can gain access to analytics tools such us turnilo/superset

I don't believe that "nda" is a unix group. He has already been added to the nda ldap group. See T225956: Grant LDAP access to accraze

let's see: @ACraze can you access http://turnilo.wikimedia.org

In T226204#5286992, @Halfak wrote:

I don't believe that "nda" is a unix group. He has already been added to the nda ldap group. See T225956: Grant LDAP access to accraze

Small correction, they have been added to the wmf group (as they are staff) which has all the permissions of the nda group

for the other group permissions (statistics-privatedata-users, wikidev, and ores-admin) and shell, im still looking for a +1

+1 given!

Change 518953 merged by Jbond:
[operations/puppet@production] Production shell: create shell account for accraze

https://gerrit.wikimedia.org/r/518953

thanks @Ottomata i have merged now will wait for confirmation that all access is enabled before closing.

In T226204#5279611, @Nuria wrote:

Approved.

@Nuria i just wanted to confirm that i took this as approval for access to statistics-privatedata-users. I just want to double check this is still valid or is access to turnilo sufficient?

cheers

@jbond for tunilo i believe wmf-nda is needed

In T226204#5287348, @Nuria wrote:

@jbond for tunilo i believe wmf-nda is needed

ack, ill double check with @MoritzMuehlenhoff

@Nuria I'm not able to access http://turnilo.wikimedia.org

Adding to cn=wmf is fine and can always be done right away (the staff status covers the NDA angle).

Adding to the statistics-privatedata-users shell groups needs the approval of Nuria and for ores-admins of Aaron. In addition to that there's a waiting period of three days to give people the chance to raise concerns, but that date has passed. And given that Nuria and Aaron approved on task, we're good to merge :-)

Thanks all :)

@Nuria I have checked with moritz and cn=wmf should be all that is required for access to turnilo.

@ACraze I have checked the logs on turnilo.wikimedia.org and comparing it to our ldap data would suggest that you entered an incorrect password

http 401 in turnilo

2019-06-26T21:00:21   GET     http://turnilo.wikimedia.org/    accraze
2019-06-26T21:00:27    GET     http://turnilo.wikimedia.org/    accraze

ldap password failures

pwdFailureTime: 20190626210021.624388Z
pwdFailureTime: 20190626210027.240695Z

You should be able to reset your password via wikitech. Please let me know if you are still seeing issues after a password reset.

Ahh ok, I'm able to get in to turnilo now, thanks!

Looks like we forgot 'deployment' and 'deploy-services' groups. I've filed T228191: Add accraze to deployment and deploy-service groups. to add those too.