This task should track the requests to create Kerberos principals from users.
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Restricted Task | | |
Resolved | | elukey | T211836 Enable Security (stronger authentication and data encryption) for the Analytics Hadoop cluster and its dependent services
Resolved | | elukey | T237269 Prepare the Hadoop Analytics cluster for Kerberos
Resolved | | elukey | T237605 Create kerberos principals for users
Event Timeline
elukey@krb1001:~$ sudo manage_principals.py create dcausse --email_address=dcausse@wikimedia.org
Principal successfully created.
Successfully sent email to dcausse@wikimedia.org
Done! Please check your inbox :)
elukey@krb1001:~$ sudo manage_principals.py create dr0ptp4kt --email_address=abaso@wikimedia.org
Principal successfully created.
Successfully sent email to abaso@wikimedia.org
Please check your inbox :)
Requesting credentials for myself, my user info is:
sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
elukey@krb1001:~$ sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
Principal successfully created.
Successfully sent email to adam.wight@wikimedia.de
Done! :)
elukey@krb1001:~$ sudo manage_principals.py create tjones --email_address=tjones@wikimedia.org
Principal successfully created.
Successfully sent email to tjones@wikimedia.org
Done! please check your inbox :)
discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.
I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).
Indeed I meant analytics-search. We will indeed need a keytab for an-airflow1001. I'm also not quite clear on oozie, iiuc it will run from an-coord1001 and will somehow need to become the users in question. Is that all handled at submit time from the keys on stat1007, or does something else need to be done?
Oozie will act as proxy, so once your identity is proven it will run on behalf of your principal. It is only a matter of submitting the oozie jobs using the analytics-search credentials from stat1007 for example. You can use the kerberos-run-command; an example is in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Run_a_recurrent_job_via_Cron_or_similar_without_kinit_every_day
Let me know if it is clear or if more doc needs to be added! I'll make sure to deploy a keytab on an-airflow1001
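A minimal wrapper for the keytab-based recurrent-job pattern discussed in the two comments above (a systemd timer or cron entry that authenticates from a keytab instead of a daily kinit), added here as an example; it is not Wikimedia's kerberos-run-command, and the keytab path, principal/realm and credential-cache location are assumptions.

```shell
#!/bin/sh
# Added example: run one command with credentials from a keytab, the way a
# systemd timer or cron job would, without a daily interactive kinit.
# Not Wikimedia's kerberos-run-command; paths and principal are assumptions.

# Refuse a keytab that anyone but its owner can read: the keytab is
# equivalent to the principal's password.
check_keytab_perms() {
    keytab="$1"
    [ -f "$keytab" ] || { echo "keytab not found: $keytab" >&2; return 1; }
    mode=$(stat -c '%a' "$keytab")           # GNU stat, e.g. 400
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keytab $keytab has mode $mode, expected 400 or 600" >&2
           return 1 ;;
    esac
}

# Usage: run_with_keytab /path/to/user.keytab user@REALM command [args...]
run_with_keytab() {
    keytab="$1"; principal="$2"; shift 2
    check_keytab_perms "$keytab" || return 1
    # Private ticket cache: the job never shares /tmp/krb5cc_<uid> with an
    # interactive session, and the ticket is destroyed when the job ends.
    cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_job.XXXXXX") || return 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    trap 'kdestroy 2>/dev/null; rm -f "$cc"' EXIT
    kinit -kt "$keytab" "$principal" || return 1
    "$@"
}

# Example invocation (assumed path and realm; analytics-search is the
# system user mentioned in the thread):
# run_with_keytab /path/to/analytics-search.keytab \
#     analytics-search@EXAMPLE.REALM hdfs dfs -ls /user/analytics-search
```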
elukey@krb1001:~$ sudo manage_principals.py create mgerlach --email_address=mgerlach@wikimedia.org
Principal successfully created.
Successfully sent email to mgerlach@wikimedia.org
Done :)
Hi! Can I have access too please? My username is mirrys
@tizianopiccardi you might want to request this too.
elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org
Done! :)
elukey@krb1001:~$ sudo manage_principals.py create piccardi --email_address=tiziano.piccardi@epfl.ch
Principal successfully created.
Successfully sent email to tiziano.piccardi@epfl.ch
Done! :)
elukey@krb1001:~$ sudo manage_principals.py create jiji --email_address=emouzeli@wikimedia.org
Principal successfully created.
Successfully sent email to emouzeli@wikimedia.org
Done!
Hello, My name is Amir and I'm an alcoholic, I mean software engineer. I work as a developer at WMDE in wikidata team and I use hadoop data on daily basis from stat100*. My shell name is ladsgroup.
elukey@krb1001:~$ sudo manage_principals.py create ladsgroup --email_address=amir.sarabadani@wikimedia.de
Principal successfully created.
Successfully sent email to amir.sarabadani@wikimedia.de
Done!
Hi! Here's my request for the new creds for stat100* and notebook100*, please. Username: andyrussg. Thanks so much for working on this!!!!! :)
Hi! here's my request for Kerberos credentials for Hadoop access on stat100X and notebook100X. My username is ejegg.
elukey@krb1001:~$ sudo manage_principals.py create ejegg --email_address=eeggleston@wikimedia.org
Principal successfully created.
Successfully sent email to eeggleston@wikimedia.org
Done!
elukey@krb1001:~$ sudo manage_principals.py create andyrussg --email_address=agreen@wikimedia.org
Principal successfully created.
Successfully sent email to agreen@wikimedia.org
Done!
I'd like to request creds for the engineers on my team as we'll (hopefully) be using hadoop a lot more soon. Usernames: accraze and kevinbazira
Ping @kevinbazira and @ACraze
Hi! I would also like to request Kerberos credentials for stat100x and notebook100x machines. My username is jkumalah.
I too am requesting Kerberos credentials for the stat and notebook machines. My username is mstyles
Created
elukey@krb1001:~$ sudo manage_principals.py create halfak --email_address=ahalfaker@wikimedia.org
Principal successfully created.
Successfully sent email to ahalfaker@wikimedia.org
elukey@krb1001:~$ sudo manage_principals.py create kevinbazira --email_address=kbazira@wikimedia.org
Principal successfully created.
Successfully sent email to kbazira@wikimedia.org
@Halfak user accraze seems to be only in statistics-privatedata-users and not in analytics-privatedata-users, is it on purpose? The former group should not be used to access Hadoop in theory.
elukey@krb1001:~$ sudo manage_principals.py create jkumalah --email_address=jkumalah@wikimedia.org
Principal successfully created.
Successfully sent email to jkumalah@wikimedia.org
Done! :)
elukey@krb1001:~$ sudo manage_principals.py create mstyles --email_address=mstyles@wikimedia.org
Principal successfully created.
Successfully sent email to mstyles@wikimedia.org
Done!
elukey@krb1001:~$ sudo manage_principals.py create accraze --email_address=acraze@wikimedia.org
Principal successfully created.
Successfully sent email to acraze@wikimedia.org
Done!
Done!
elukey@krb1001:~$ sudo manage_principals.py create tgr --email_address=gtisza@wikimedia.org
Principal successfully created.
Successfully sent email to gtisza@wikimedia.org
I would like to request Kerberos credentials for the stat and notebook machines.
Username: dedcode
I would like to retain my ability to access Hadoop from the stat* hosts. My shell name is bd808.
elukey@krb1001:~$ sudo manage_principals.py create dedcode --email_address=ddifallah@wikimedia.org
Principal successfully created.
Successfully sent email to ddifallah@wikimedia.org
elukey@krb1001:~$ sudo manage_principals.py create bd808 --email_address=bdavis@wikimedia.org
Principal successfully created.
Successfully sent email to bdavis@wikimedia.org
Done!
elukey@krb1001:~$ sudo manage_principals.py create mmiller --email_address=mmiller@wikimedia.org
Principal successfully created.
Successfully sent email to mmiller@wikimedia.org
Done!
I would like to retain my ability to access Hadoop from the stat* hosts 🙃 My shell name is gilles
elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org
Done!
Hi,
I'll need a password, too. I use hive on stat1007. My username there is amire80, and the email begins with aaharoni and ends with the WMF domain.
Hi! I need a password as well for stat1007 so that I can continue to access Hive. My username there is sukhe and my email is ssingh@. Thanks!
elukey@krb1001:~$ sudo manage_principals.py create amire80 --email_address=aaharoni@wikimedia.org
Principal successfully created.
Successfully sent email to aaharoni@wikimedia.org
elukey@krb1001:~$ sudo manage_principals.py create sukhe --email_address=ssingh@wikimedia.org
Principal successfully created.
Successfully sent email to ssingh@wikimedia.org
Done!
Hi. Looks like I need one as well for Hive from krinkle@stat100x .
(Pasting the error here to aid future Phabricator-searching users)
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: …
In a brilliant move, I have already forgotten which password I set and did not write it down. What's the procedure to initiate a password reset?
@elukey With https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/559104/ merged, could you backfill the entries for all the Kerberos users created so far (and keep it updated for all credentials going forward)?
Change 559765 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Support password changes in manage_principals (WIP)
elukey@krb1001:~$ sudo manage_principals.py create krinkle --email_address=ttijhof@wikimedia.org
Principal successfully created.
Successfully sent email to ttijhof@wikimedia.org
Done!
Change 560378 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml
As a workaround I did:
elukey@krb1001:~$ sudo manage_principals.py delete gilles
elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org
@Gilles you should be able now to re-init your account :)
Change 560378 merged by Elukey:
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml
Please don't request any more Kerberos identities in this task; file a new one as described in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos
Change 559765 abandoned by Muehlenhoff:
[operations/puppet@production] Support password changes in manage_principals (WIP)
Reason:
Obsoleted by different patch