
Requesting access to view EventLogging data for Co_WMDE
Closed, ResolvedPublic

Description

Hello,
I'm a new employee at Wikimedia Deutschland. In order to be able to analyze the outcome of our fundraising campaigns I would like to request access to view EventLogging data.

Full name: Corinna Hillebrand
Ldap User: https://tools.wmflabs.org/ldap/user/cohi
Groups requested: researchers & analytics-users per T202072#4514570

Please let me know if there is any information missing to grant the permission.

---edit---
desired shell username: cohi
public key:


L3: signed
NDA: signed (on October 21, 2019)
wikitech name: Corinna Hillebrand


SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys).
  • Access request (or expansion) has sign-off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • Patchset for access request

Event Timeline

Hello, @CorinnaHillebrand_WMDE, could you please review and sign the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document, update the task description with your desired shell username and SSH public key (must be a unique key only to be used in wmf production), and coordinate a comment of approval on this task from your manager?

Thanks in advance!

As an Engineering Manager at WMDE I endorse this request.

@CorinnaHillebrand_WMDE please sign the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document, as well as the NDA. Also, please provide your wikitech name in the task description.

jijiki triaged this task as Medium priority. Oct 14 2019, 2:28 PM

I signed the L3 and provided my wikitech name in the task description.
What next steps are necessary for me to be able to sign the NDA?

WMDE-leszek added a subscriber: RStallman-legalteam.

@RStallman-legalteam Could you please send the NDA to @CorinnaHillebrand_WMDE (email address visible in https://tools.wmflabs.org/ldap/user/cohi)? I believe she has not signed the NDA with the WMF yet. Thanks!

NDA is signed and on file. Fine to proceed to the next steps.

Best,
Rachel

Change 545409 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] admin: add cohi to researchers and analytics-users

https://gerrit.wikimedia.org/r/545409

Change 545409 merged by Cwhite:
[operations/puppet@production] admin: add cohi to researchers and analytics-users

https://gerrit.wikimedia.org/r/545409

Hi Corinna!

I've deployed the necessary changes and added you to the group researchers and analytics-users. Please let me know if you encounter any related issue.

Hi @colewhite,
I encountered an issue indeed. I'm able to connect to the bastion host bast3004.wikimedia.org without a problem.
But I tried to connect via ssh to stat1007.eqiad.wmnet and got prompted "Password:" again and again without being able to finally connect.
Do you know how to solve this?

My ssh config:

Host bast
    User cohi
    HostName bast3004.wikimedia.org
    IdentityFile ~/.ssh/wikimedia_prod
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User cohi
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/wikimedia_prod
    ForwardAgent no
    IdentitiesOnly yes

When running
$ ssh -v cohi@stat1007.eqiad.wmnet
I get...

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/cohi/.ssh/config
debug1: /home/cohi/.ssh/config line 10: Applying options for *.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -W stat1007.eqiad.wmnet:22 bast
debug1: permanently_drop_suid: 1001
debug1: identity file /home/cohi/.ssh/wikimedia_prod type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/cohi/.ssh/wikimedia_prod-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u4
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to stat1007.eqiad.wmnet:22 as 'cohi'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XKU3X2nmubvvw8Ip9pLv3KczEVRRmJQCMh4e5Ts5xEg
debug1: Host 'stat1007.eqiad.wmnet' is known and matches the ECDSA host key.
debug1: Found key in /home/cohi/.ssh/known_hosts:6
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:NPaDU3w3dW3Gb7vl/d7SUlSM48mdMBqmjxcKc0j8m6Q /home/cohi/.ssh/wikimedia_prod
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
cohi@stat1007.eqiad.wmnet: Permission denied (publickey,keyboard-interactive).

Hi Corinna!

stat1007 is a private data statistics node and I believe access is controlled by statistics-privatedata-users.

@Nuria, would it be appropriate to expand @CorinnaHillebrand_WMDE's access to statistics-privatedata-users?

@colewhite group is analytics-private-data-users, as long as NDA is in place this sounds fine.

Change 554163 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] admin: add cohi to analytics-privatedata-users

https://gerrit.wikimedia.org/r/554163

Change 554163 merged by Cwhite:
[operations/puppet@production] admin: add cohi to analytics-privatedata-users

https://gerrit.wikimedia.org/r/554163

The necessary changes have been deployed. Please let me know if you encounter any related issue.
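
Added example (not part of the original task and not Wikimedia tooling): the `ssh -v` transcript posted earlier in this task stops at a specific point. The target sshd was reached through the bastion, its host key verified, and the offered key was then declined, which is consistent with the account not yet being authorised on that host, as the replies conclude. The sketch below classifies such a transcript by where authentication stopped; `triage` and its verdict strings are hypothetical names, and the sample is an excerpt of the log from this task.

```python
import re

# Excerpt of the `ssh -v` output posted in this task (key-exchange lines omitted).
FAILED_LOGIN = """\
debug1: Executing proxy command: exec ssh -W stat1007.eqiad.wmnet:22 bast
debug1: Authenticating to stat1007.eqiad.wmnet:22 as 'cohi'
debug1: Host 'stat1007.eqiad.wmnet' is known and matches the ECDSA host key.
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:NPaDU3w3dW3Gb7vl/d7SUlSM48mdMBqmjxcKc0j8m6Q /home/cohi/.ssh/wikimedia_prod
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: No more authentication methods to try.
cohi@stat1007.eqiad.wmnet: Permission denied (publickey,keyboard-interactive).
"""

def triage(log):
    """Classify one `ssh -v` transcript by where authentication stopped (hypothetical helper)."""
    lines = log.splitlines()
    target = re.search(r"Authenticating to (\S+?):\d+ as '([^']+)'", log)
    offered = [m.group(0) for l in lines if "Offering public key" in l
               for m in [re.search(r"SHA256:\S+", l)] if m]
    accepted = any("Server accepts key" in l for l in lines)
    succeeded = any("Authentication succeeded" in l for l in lines)
    result = {
        "host": target.group(1) if target else None,
        "user": target.group(2) if target else None,
        "via_proxy": any("Executing proxy command" in l for l in lines),
        "host_key_ok": any("matches the" in l and "host key" in l for l in lines),
        "offered": offered,  # fingerprints the client presented
        "password_prompts": sum(l.startswith("Password:") for l in lines),
    }
    if target is None:
        result["verdict"] = "never reached the target sshd (check the bastion/proxy hop)"
    elif succeeded:
        result["verdict"] = "authenticated"
    elif not offered:
        result["verdict"] = "no key offered (check IdentityFile/IdentitiesOnly locally)"
    elif not accepted:
        result["verdict"] = "target rejected the offered key (account or key not authorised on this host)"
    else:
        result["verdict"] = "key accepted but login did not complete"
    return result

if __name__ == "__main__":
    print(triage(FAILED_LOGIN)["verdict"])
```

The repeated `Password:` prompts are the client falling back to keyboard-interactive after the key was declined, so the useful signal is the `Offering public key` line without a following `Server accepts key`.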