Page MenuHomePhabricator
Create Task
Maniphest T232707

Requesting access to analytics cluster for Martin Gerlach
Closed, ResolvedPublicRequest
Actions

Description

I joined the Research Team as Research Scientist. Registration is part of onboarding with Jospeh and Andrew from Analytics team.

Full name: Martin Gerlach
Wikitech/LDAP username: mgerlach
Desired shell username: mgerlach

Martin should be added to the wmf LDAP group if he isn't already in it.

Ssh public key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj/yFpJoyyIYy8DaRkA92YOQbsZyNh/l3OfQSezZ5t6 martin@nitram

Martin will need to be in the following posix groups:

analytics-privatedata-users
researchers

Martin will also need access to Analytics UI tools, including Superset, Turnilo and Hue. Analytics to provide these once shell access has been established.

@leila to approve access.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • Patchset for access request

Details

SubjectRepoBranchLines +/-
admin: add mgerlach to analytics-privatedata-users, researchersoperations/puppetproduction+11 -2
Customize query in gerrit

Related Objects

Event Timeline

MGerlach created this task.Sep 12 2019, 8:45 AM
Restricted Application added a project: SRE. · View Herald TranscriptSep 12 2019, 8:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Ottomata renamed this task from Requesting access to RESOURCE for MARTIN GERLACH to Requesting access to analytics cluster for Martin Gerlach.Sep 12 2019, 1:33 PM
Ottomata removed Ottomata as the assignee of this task.
Ottomata updated the task description. (Show Details)
Ottomata added a project: Analytics.
Ottomata updated the task description. (Show Details)
Ottomata added a subscriber: leila.
Ottomata subscribed.
gasserandreas moved this task from Incoming to Event Platform on the Analytics board.Sep 12 2019, 2:12 PM
leila added a comment.Sep 12 2019, 3:37 PM

I approve. thanks!

JAllemandou awarded a token.Sep 12 2019, 4:10 PM
Nuria subscribed.Sep 12 2019, 4:11 PM

Approved on my end as well.

herron updated the task description. (Show Details)Sep 17 2019, 6:10 PM
gerritbot added a comment.Sep 17 2019, 6:19 PM

Change 537508 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add mgerlach to analytics-privatedata-users, researchers

https://gerrit.wikimedia.org/r/537508

gerritbot added a project: Patch-For-Review.Sep 17 2019, 6:19 PM
gerritbot added a comment.Sep 17 2019, 6:49 PM

Change 537508 merged by Herron:
[operations/puppet@production] admin: add mgerlach to analytics-privatedata-users, researchers

https://gerrit.wikimedia.org/r/537508

Maintenance_bot removed a project: Patch-For-Review.Sep 17 2019, 7:10 PM
herron closed this task as Resolved.Sep 17 2019, 7:43 PM
herron claimed this task.
herron updated the task description. (Show Details)
herron subscribed.

Hi Martin, this access is in place now. If any follow up is needed please don't hesitate to re-open. Thanks!

MGerlach reopened this task as Open.EditedSep 18 2019, 10:20 AM

Thanks,
I can ssh into production servers.
However, I cannot access SWAP following this documentation [1]. It seems that I havent been added to the wmf-LDAP group (as requested above), according to this.
Could you add me such that I have SWAP-access? Sorry if I am missing something.

[1] Specifically, entering credentials of my developer account (using the shell username) I get the response 'invalid username/password'

Miriam mentioned this in T199736: Help accessing SWAP for research collaborators.Sep 18 2019, 10:33 AM
elukey subscribed.Sep 18 2019, 12:20 PM

@MGerlach done! Please take a moment to review https://wikitech.wikimedia.org/wiki/LDAP/Groups#wmf_group, since your account is now able to see a lot of sensitive material. Use all these new powers with responsibility :)

MGerlach closed this task as Resolved.Sep 18 2019, 1:41 PM

@elukey thanks, works now. Closing this taks.

MoritzMuehlenhoff reopened this task as Open.Sep 19 2019, 8:46 AM
MoritzMuehlenhoff subscribed.

@MGerlach : You're using the same key for production SSH access and Cloud VPS, which is insecure as Cloud VPS allows SSH agent forwarding, see https://wikitech.wikimedia.org/wiki/Production_shell_access#Generating_your_SSH_key

Please generate a separate ed25519 SSH key for the production access. We also have some wikitech documentation about running separate SSH agents: https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents

MGerlach closed this task as Resolved.Sep 19 2019, 9:25 AM

@MoritzMuehlenhoff Added separate key for Cloud VPS.

MGerlach added a comment.Oct 11 2019, 7:05 AM

@MoritzMuehlenhoff opening this again since I cannot access the cluster anymore, e.g. via 'ssh mgerlach@stat1007.eqiad.wmnet'
This happended after I reinstalled ubuntu (and everything else) on my wmf-laptop. I kept all the ssh-config files and keys which worked before (all content from the .ssh-folder).

I now get an error: 'sign_and_send_pubkey: signing failed: agent refused operation' and am being asked about my password. I dont remember which password was needed but none of my wiki-related passwords worked (in particular LDAP).

I also tried to generate a new ssh-key pair (and changing the ssh-config file to include those keys) [1]. I dont get the previous warning but am still asked for a password for which none of my options seem to work.

What am I missing here?

  • why do the previously generated kys not work anymore? I even checked on my private laptop on which I had set up the access initially (before I received the wmf-laptop) and I can still access the cluster.
  • which password is associated with the access to the cluster?

Thanks for any help

[1] my config looks like this

Host bast
    User mgerlach
    HostName bast3002.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    IdentitiesOnly yes

Host *.wmnet
    User mgerlach
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    IdentitiesOnly yes
MoritzMuehlenhoff added a comment.Oct 11 2019, 11:20 AM

Try running

ssh-add ~/.ssh/id_ed25519

It will ask you for the passphrase of our SSH key. After running doing that, can you retry logging into stat1007?

MGerlach added a comment.Oct 11 2019, 11:57 AM

That solved it. Thanks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL