Page MenuHomePhabricator

Requesting access to stats machines/ores hosts hosts for Andy Craze
Closed, ResolvedPublicRequest

Description

Username: accraze
Full name: Andy Craze
SSH public key:

Also needs to be in the statistics-privatedata-users, wikidev, and ores-admin groups

Details

Related Gerrit Patches:

Event Timeline

ACraze created this task.Jun 20 2019, 5:31 PM
Restricted Application added a project: Operations. · View Herald TranscriptJun 20 2019, 5:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

I support this request. Andy will be working with us on ORES and other Scoring-platform-team stuff. We ran into this issue today when I was walking Andy through our deployment process.

@ACraze will also need access to the analytics cluster. (E.g., stat1007.eqiad.wmnet)

This is related to T225956: Grant LDAP access to accraze. They should have been merged into one ticket.

jijiki added subscribers: Ottomata, elukey.
jijiki triaged this task as Normal priority.Jun 24 2019, 5:40 PM
Nuria added a subscriber: Nuria.Jun 24 2019, 5:43 PM

Approved.

@Halfak I'm assuming you want statistics-privatedata-users for stat1006 and analytics-privatedata-users group in order to access Hadoop etc, yes?

Oh, there is no shell account for this user yet? I think that does need SRE approval. Please see: https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access

Also found https://office.wikimedia.org/wiki/Technology/Onboarding which may (or may not) be helpful. :)

Nuria added a comment.Jun 24 2019, 6:36 PM

It is probably agood idea to create onboarding docs for team now @Halfak as there is probably couple more hires in the near term

Yes. This is the ticket for requesting shell access. I believe it is tagged as described at https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access Is there something we missed?

Ottomata added a subscriber: jijiki.EditedJun 24 2019, 7:10 PM

I think it is done ok. The description with the later comment about analytics servers caused some confusion with SRE.

@jijiki I think this can be done. Not sure if SRE needs to approve officially.

As for which groups, I'm not sure which is correct for 'deployment hosts'. @Halfak can you edit description to include which analytics groups you need?
https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

Thanks!

Halfak updated the task description. (Show Details)Jun 24 2019, 7:45 PM
Halfak updated the task description. (Show Details)Jun 24 2019, 9:08 PM
jbond added a subscriber: jbond.Jun 25 2019, 10:10 AM

Change 518953 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] Production shell: create shell account for accraze

https://gerrit.wikimedia.org/r/518953

Nuria renamed this task from Requesting access to deployment hosts for Andy Craze to Requesting access to stats machines hosts for Andy Craze.Jun 26 2019, 5:44 PM
Nuria renamed this task from Requesting access to stats machines hosts for Andy Craze to Requesting access to stats machines/ores hosts hosts for Andy Craze.

I think @ACraze needs to be added also to NDA group so he can gain access to analytics tools such us turnilo/superset

I don't believe that "nda" is a unix group. He has already been added to the nda ldap group. See T225956: Grant LDAP access to accraze

jbond added a comment.Jun 26 2019, 7:48 PM

I don't believe that "nda" is a unix group. He has already been added to the nda ldap group. See T225956: Grant LDAP access to accraze

Small correction, they have been added to the wmf group (as they are staff) which has all the permissions of the nda group

for the other group permissions (statistics-privatedata-users, wikidev, and ores-admin) and shell, im still looking for a +1

Change 518953 merged by Jbond:
[operations/puppet@production] Production shell: create shell account for accraze

https://gerrit.wikimedia.org/r/518953

jbond added a comment.EditedJun 26 2019, 8:00 PM

thanks @Ottomata i have merged now will wait for confirmation that all access is enabled before closing.

Approved.

@Nuria i just wanted to confirm that i took this as approval for access to statistics-privatedata-users. I just want to double check this is still valid or is access to turnilo sufficient?

cheers

Nuria added a comment.Jun 26 2019, 9:09 PM

@jbond for tunilo i believe wmf-nda is needed

@jbond for tunilo i believe wmf-nda is needed

ack, ill double check with @MoritzMuehlenhoff

Adding to cn=wmf is fine and can always be done right away (the staff status covers the NDA angle).

Adding to the statistics-privatedata-users shell groups needs the approval of Nuria and for ores-admins of Aaron. In addition to that there's a waiting period of three days to give people the chance to raise concerns, but that date has passed. And given that Nuria and Aaron approved on task, we're good to merge :-)

Thanks all :)

@Nuria I have checked with moritz and cn=wmf should be all that is required for access to turnilo.

@ACraze I have checked the logs on turnilo.wikimedia.org and comparing it to our ldap data would suggest that you entered an incorrect password

http 401 in turnilo

2019-06-26T21:00:21   GET     http://turnilo.wikimedia.org/    accraze
2019-06-26T21:00:27    GET     http://turnilo.wikimedia.org/    accraze

ldap password failures

pwdFailureTime: 20190626210021.624388Z
pwdFailureTime: 20190626210027.240695Z

You should be able to reset your password via wikitech. Please let me know if you are still seeing issues after a password reset.

Ahh ok, I'm able to get in to turnilo now, thanks!

jbond closed this task as Resolved.Jun 27 2019, 5:35 PM
jbond claimed this task.

great, i think this is done now so closing please re open if there is still an issue

Looks like we forgot 'deployment' and 'deploy-services' groups. I've filed T228191: Add accraze to deployment and deploy-service groups. to add those too.