
Requesting access to analytics cluster for Martin Gerlach
Closed, Resolved · Public · Request

Description

I joined the Research Team as Research Scientist. Registration is part of onboarding with Joseph and Andrew from Analytics team.


Full name: Martin Gerlach
Wikitech/LDAP username: mgerlach
Desired shell username: mgerlach

Martin should be added to the wmf LDAP group if he isn't already in it.

Ssh public key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj/yFpJoyyIYy8DaRkA92YOQbsZyNh/l3OfQSezZ5t6 martin@nitram

Martin will need to be in the following posix groups:

analytics-privatedata-users
researchers

Martin will also need access to Analytics UI tools, including Superset, Turnilo and Hue. Analytics to provide these once shell access has been established.


@leila to approve access.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • Patchset for access request

Event Timeline

MGerlach created this task.Sep 12 2019, 8:45 AM
Restricted Application added a project: Operations.Sep 12 2019, 8:45 AM
Restricted Application added a subscriber: Aklapper.
Ottomata renamed this task from Requesting access to RESOURCE for MARTIN GERLACH to Requesting access to analytics cluster for Martin Gerlach.Sep 12 2019, 1:33 PM
Ottomata removed Ottomata as the assignee of this task.
Ottomata updated the task description. (Show Details)
Ottomata added a project: Analytics.
Ottomata updated the task description. (Show Details)
Ottomata added a subscriber: leila.
Ottomata added a subscriber: Ottomata.
leila added a comment.Sep 12 2019, 3:37 PM

I approve. thanks!

Nuria added a subscriber: Nuria.Sep 12 2019, 4:11 PM

Approved on my end as well.

herron updated the task description. (Show Details)Sep 17 2019, 6:10 PM

Change 537508 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add mgerlach to analytics-privatedata-users, researchers

https://gerrit.wikimedia.org/r/537508

Change 537508 merged by Herron:
[operations/puppet@production] admin: add mgerlach to analytics-privatedata-users, researchers

https://gerrit.wikimedia.org/r/537508

herron closed this task as Resolved.Sep 17 2019, 7:43 PM
herron claimed this task.
herron updated the task description. (Show Details)
herron added a subscriber: herron.

Hi Martin, this access is in place now. If any follow up is needed please don't hesitate to re-open. Thanks!

MGerlach reopened this task as Open.EditedSep 18 2019, 10:20 AM

Thanks,
I can ssh into production servers.
However, I cannot access SWAP following this documentation [1]. It seems that I haven't been added to the wmf-LDAP group (as requested above), according to this.
Could you add me such that I have SWAP-access? Sorry if I am missing something.

[1] Specifically, entering credentials of my developer account (using the shell username) I get the response 'invalid username/password'

elukey added a subscriber: elukey.Sep 18 2019, 12:20 PM

@MGerlach done! Please take a moment to review https://wikitech.wikimedia.org/wiki/LDAP/Groups#wmf_group, since your account is now able to see a lot of sensitive material. Use all these new powers with responsibility :)

MGerlach closed this task as Resolved.Sep 18 2019, 1:41 PM

@elukey thanks, works now. Closing this task.

MoritzMuehlenhoff reopened this task as Open.Sep 19 2019, 8:46 AM

@MGerlach : You're using the same key for production SSH access and Cloud VPS, which is insecure as Cloud VPS allows SSH agent forwarding, see https://wikitech.wikimedia.org/wiki/Production_shell_access#Generating_your_SSH_key

Please generate a separate ed25519 SSH key for the production access. We also have some wikitech documentation about running separate SSH agents: https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents
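The key-separation rule in the comment above, as an added example that is not part of the task and not Wikimedia SRE tooling: a small Python audit that parses an ssh_config and reports an IdentityFile used for both a production host and a Cloud VPS host, or ForwardAgent enabled toward production. The host-suffix lists, the Cloud VPS sample block and the `id_ed25519_cloudvps` key name are assumptions made for this example.

```python
"""Audit an ssh_config for key separation between Wikimedia production and
Cloud VPS. Added example, not code from the task or from Wikimedia SRE.

Assumptions: production targets end in .wmnet or .wikimedia.org, Cloud VPS
targets in .wmflabs or .wikimedia.cloud (suffix lists chosen here); each Host
block is self-contained (no merging with earlier matching blocks); '#' only
introduces comments.
"""
import os

PRODUCTION_SUFFIXES = (".wmnet", ".wikimedia.org")
CLOUD_VPS_SUFFIXES = (".wmflabs", ".wikimedia.cloud")


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, {keyword: value}), ...].
    ssh keeps the first value obtained for a keyword, so within a block the
    first occurrence wins. Options before any Host line land in a '*' block."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)
    blocks.append((patterns, options))
    return blocks


def environment(patterns, options):
    """Return 'production', 'cloud_vps' or None for one Host block. HostName
    (the real target) wins over the Host pattern, so an alias such as
    'Host bast' with 'HostName bast3002.wikimedia.org' counts as production."""
    names = [options["hostname"]] if "hostname" in options else patterns
    for name in names:
        name = name.lower()
        if name.endswith(PRODUCTION_SUFFIXES):
            return "production"
        if name.endswith(CLOUD_VPS_SUFFIXES):
            return "cloud_vps"
    return None


def audit_key_separation(config_text):
    """Return a list of findings; an empty list means the config is clean."""
    findings = []
    keys = {"production": {}, "cloud_vps": {}}  # identity path -> Host label
    for patterns, options in parse_ssh_config(config_text):
        env = environment(patterns, options)
        if env is None:
            continue
        label = "Host " + " ".join(patterns)
        if "identityfile" in options:
            keys[env].setdefault(os.path.expanduser(options["identityfile"]), label)
        if env == "production":
            # ForwardAgent yes hands your agent to the remote host; IdentitiesOnly
            # stops ssh from offering every key loaded in the agent.
            if options.get("forwardagent", "no").lower() == "yes":
                findings.append(f"{label}: ForwardAgent yes toward production")
            if options.get("identitiesonly", "no").lower() != "yes":
                findings.append(f"{label}: IdentitiesOnly not set")
    for path in sorted(keys["production"].keys() & keys["cloud_vps"].keys()):
        findings.append(f"{path}: same key for production ({keys['production'][path]}) "
                        f"and Cloud VPS ({keys['cloud_vps'][path]})")
    return findings


# Constructed samples: the production blocks posted in the task, plus a
# hypothetical Cloud VPS block that either reuses or separates the key.
PRODUCTION_BLOCKS = """\
Host bast
    User mgerlach
    HostName bast3002.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    IdentitiesOnly yes

Host *.wmnet
    User mgerlach
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    IdentitiesOnly yes
"""
SHARED_KEY_CONFIG = PRODUCTION_BLOCKS + "\nHost *.wmflabs\n    IdentityFile ~/.ssh/id_ed25519\n"
SEPARATE_KEY_CONFIG = PRODUCTION_BLOCKS + "\nHost *.wmflabs\n    IdentityFile ~/.ssh/id_ed25519_cloudvps\n"

if __name__ == "__main__":
    for name, cfg in (("shared key", SHARED_KEY_CONFIG), ("separate keys", SEPARATE_KEY_CONFIG)):
        print(f"{name}: {audit_key_separation(cfg) or ['ok']}")
```

Run it against your own `~/.ssh/config` by passing the file contents to `audit_key_separation`; the shared-key sample produces exactly one finding naming both blocks, the separate-key sample none.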

MGerlach closed this task as Resolved.Sep 19 2019, 9:25 AM

@MoritzMuehlenhoff Added separate key for Cloud VPS.

@MoritzMuehlenhoff opening this again since I cannot access the cluster anymore, e.g. via 'ssh mgerlach@stat1007.eqiad.wmnet'
This happened after I reinstalled ubuntu (and everything else) on my wmf-laptop. I kept all the ssh-config files and keys which worked before (all content from the .ssh-folder).

I now get an error: 'sign_and_send_pubkey: signing failed: agent refused operation' and am being asked about my password. I don't remember which password was needed but none of my wiki-related passwords worked (in particular LDAP).

I also tried to generate a new ssh-key pair (and changing the ssh-config file to include those keys) [1]. I don't get the previous warning but am still asked for a password for which none of my options seem to work.

What am I missing here?

  • why do the previously generated keys not work anymore? I even checked on my private laptop on which I had set up the access initially (before I received the wmf-laptop) and I can still access the cluster.
  • which password is associated with the access to the cluster?

Thanks for any help

[1] my config looks like this

# Bastion alias, used as the jump host by the *.wmnet block below
Host bast
    User mgerlach
    HostName bast3002.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    # offer only the key named above, not every key loaded in the agent
    IdentitiesOnly yes

# Internal hosts are reached through the bastion with a stdio forward (-W)
Host *.wmnet
    User mgerlach
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    IdentitiesOnly yes

Try running

ssh-add ~/.ssh/id_ed25519

It will ask you for the passphrase of your SSH key. After doing that, can you retry logging into stat1007?

That solved it. Thanks.