Page MenuHomePhabricator

Create kerberos principals for users
Closed, ResolvedPublic5 Estimated Story Points

Description

This task should track the requests to create Kerberos principals from users.

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

I'd like to request two credentials for hadoop access:

ebernhardson: typical personal usage, ebernhardson@wikimedia.org

elukey@krb1001:~$ sudo manage_principals.py create ebernhardson --email_address=ebernhardson@wikimedia.org
Principal successfully created.
Successfully sent email to ebernhardson@wikimedia.org

discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.

I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).

Like so many others, I'd like to request my credentials for access on stat100x and notebook100x. My username is nettrom. I'll keep an eye out on my Gmail spam folder as well, cheers! :)

elukey@krb1001:~$ sudo manage_principals.py create nettrom --email_address=mwang@wikimedia.org
Principal successfully created.
Successfully sent email to mwang@wikimedia.org

Done! Please check you inbox :)

I'd need access as well, username: dcausse
Thanks!

dcausse added a subscriber: TJones.Nov 26 2019, 9:53 AM

I'd need access as well, username: dcausse
Thanks!

elukey@krb1001:~$ sudo manage_principals.py create dcausse --email_address=dcausse@wikimedia.org
Principal successfully created.
Successfully sent email to dcausse@wikimedia.org

Done! Please check your inbox :)

Pcoombe removed a subscriber: Pcoombe.Nov 26 2019, 11:51 AM

Access requested for me - dr0ptp4kt

Access requested for me - dr0ptp4kt

elukey@krb1001:~$ sudo manage_principals.py create dr0ptp4kt --email_address=abaso@wikimedia.org
Principal successfully created.
Successfully sent email to abaso@wikimedia.org

Please check your inbox :)

awight added a subscriber: awight.Nov 26 2019, 1:25 PM

Requesting credentials for myself, my user info is:

sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de

Requesting credentials for myself, my user info is:

sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
elukey@krb1001:~$ sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
Principal successfully created.
Successfully sent email to adam.wight@wikimedia.de

Done! :)

I'd also like to request access (tjones@wikimedia.org). Thanks!

elukey added a comment.EditedNov 26 2019, 4:00 PM

I'd also like to request access (tjones@wikimedia.org). Thanks!

elukey@krb1001:~$ sudo manage_principals.py create tjones --email_address=tjones@wikimedia.org
Principal successfully created.
Successfully sent email to tjones@wikimedia.org

Done! please check your inbox :)

discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.

I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).

Indeed i meant analytics-search. We will indeed need a keytab for an-airflow1001, I'm also not quite clear on oozie, iiuc it will run from an-coord1001 and will somehow need to become the users in question. Is that all handled at submit time from the keys on stat1007, or does something else need to be done?

discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.

I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).

Indeed i meant analytics-search. We will indeed need a keytab for an-airflow1001, I'm also not quite clear on oozie, iiuc it will run from an-coord1001 and will somehow need to become the users in question. Is that all handled at submit time from the keys on stat1007, or does something else need to be done?

Oozie will act as proxy, so once proven your identity it will run on behalf of your principal. It is only a matter of submitting the oozie jobs using the analytics-search crendentials from stat1007 for example. You can use the kerberos-run-command, and example in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Run_a_recurrent_job_via_Cron_or_similar_without_kinit_every_day
Let me know if it is clear or it more doc needs to be added! I'll make sure to deploy a keytab on an-airflow1001

TJones removed a subscriber: TJones.Nov 26 2019, 10:04 PM

I would also like to request access. username: mgerlach
Thanks.

I would also like to request access. username: mgerlach
Thanks.

elukey@krb1001:~$ sudo manage_principals.py create mgerlach --email_address=mgerlach@wikimedia.org
Principal successfully created.
Successfully sent email to mgerlach@wikimedia.org

Done :)

MGerlach removed a subscriber: MGerlach.Nov 28 2019, 2:20 PM

Hi! Can I have access too please? My username is mirrys

@tizianopiccardi you might want to request this too.

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

awight removed a subscriber: awight.Nov 29 2019, 7:15 AM

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

Thanks!!

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

Hi Luca, I need it too! Thank you

Username: piccardi
Email: tiziano.piccardi@epfl.ch

Hi Luca, I need it too! Thank you

Username: piccardi
Email: tiziano.piccardi@epfl.ch

elukey@krb1001:~$ sudo manage_principals.py create piccardi --email_address=tiziano.piccardi@epfl.ch
Principal successfully created.
Successfully sent email to tiziano.piccardi@epfl.ch

Done! :)

jijiki added a subscriber: jijiki.Dec 2 2019, 10:32 AM

@elukey Hey luca, I think I will need one too :) Thank you very much

@elukey Hey luca, I think I will need one too :) Thank you very much

elukey@krb1001:~$ sudo manage_principals.py create jiji --email_address=emouzeli@wikimedia.org
Principal successfully created.
Successfully sent email to emouzeli@wikimedia.org

Done!

Ladsgroup signed these changes with MFA.Dec 2 2019, 6:42 PM
Ladsgroup added a subscriber: Ladsgroup.

Hello, My name is Amir and I'm an alcoholic, I mean software engineer. I work as a developer at WMDE in wikidata team and I use hadoop data on daily basis from stat100*. My shell name is ladsgroup.

elukey added a comment.Dec 2 2019, 7:08 PM

Hello, My name is Amir and I'm an alcoholic, I mean software engineer. I work as a developer at WMDE in wikidata team and I use hadoop data on daily basis from stat100*. My shell name is ladsgroup.

elukey@krb1001:~$ sudo manage_principals.py create ladsgroup --email_address=amir.sarabadani@wikimedia.de
Principal successfully created.
Successfully sent email to amir.sarabadani@wikimedia.de

Done!

Hi! Here's my request for the new creds for stat100* and notebook100*, please. Username: andyrussg. Thanks so much for working on this!!!!! :)

Ejegg added a subscriber: Ejegg.Dec 4 2019, 5:15 PM

Hi! here's my request for Kerberos credentials for Hadoop access on stat100X and notebook100X. My username is ejegg.

elukey added a comment.Dec 4 2019, 5:32 PM

Hi! here's my request for Kerberos credentials for Hadoop access on stat100X and notebook100X. My username is ejegg.

elukey@krb1001:~$ sudo manage_principals.py create ejegg  --email_address=eeggleston@wikimedia.org
Principal successfully created.
Successfully sent email to eeggleston@wikimedia.org

Done!

elukey added a comment.Dec 4 2019, 5:41 PM

Hi! Here's my request for the new creds for stat100* and notebook100*, please. Username: andyrussg. Thanks so much for working on this!!!!! :)

elukey@krb1001:~$ sudo manage_principals.py create andyrussg  --email_address=agreen@wikimedia.org
Principal successfully created.
Successfully sent email to agreen@wikimedia.org

Done!

Halfak added a subscriber: Halfak.Dec 4 2019, 9:00 PM

I need creds for stat100*. My username is halfak

I'd like to request creds for the engineers on my team as we'll (hopefully) be using hadoop a lot more soon. Usernames: accraze and kevinbazira

Ping @kevinbazira and @ACraze

Ejegg removed a subscriber: Ejegg.Dec 4 2019, 10:41 PM

Hi! I would also like to request Kerberos credentials for stat100x and notebook100x machines. My username is jkumalah.

Mstyles added a subscriber: Mstyles.Dec 6 2019, 7:43 PM

I too am requesting Kerberos credentials for the stat and notebook machines. My username is mstyles

elukey added a comment.Dec 9 2019, 8:53 AM

I need creds for stat100*. My username is halfak

I'd like to request creds for the engineers on my team as we'll (hopefully) be using hadoop a lot more soon. Usernames: accraze and kevinbazira

Ping @kevinbazira and @ACraze

Created

elukey@krb1001:~$ sudo manage_principals.py create halfak  --email_address=ahalfaker@wikimedia.org
Principal successfully created.
Successfully sent email to ahalfaker@wikimedia.org
elukey@krb1001:~$ sudo manage_principals.py create kevinbazira  --email_address=kbazira@wikimedia.org
Principal successfully created.
Successfully sent email to kbazira@wikimedia.org

@Halfak user accraze seems not to be only in statistics-privatedata-users and not in analytics-privatedata-users, is it on purpose? The former group should not be used to access Hadoop in theory..

elukey added a comment.Dec 9 2019, 8:54 AM

Hi! I would also like to request Kerberos credentials for stat100x and notebook100x machines. My username is jkumalah.

elukey@krb1001:~$ sudo manage_principals.py create jkumalah --email_address=jkumalah@wikimedia.org
Principal successfully created.
Successfully sent email to jkumalah@wikimedia.org

Done! :)

elukey added a comment.Dec 9 2019, 8:55 AM

I too am requesting Kerberos credentials for the stat and notebook machines. My username is mstyles

elukey@krb1001:~$ sudo manage_principals.py create mstyles --email_address=mstyles@wikimedia.org
Principal successfully created.
Successfully sent email to mstyles@wikimedia.org

Done!

Halfak added a comment.Dec 9 2019, 5:49 PM

@elukey, @ACraze not being in analytics-privatedata-users seems like an oversight. I'll check on that and come back to re-request when we've got it squared.

JFTR, I also created myself a "jmm" principal in the prod setup.

@elukey, @ACraze not being in analytics-privatedata-users seems like an oversight. I'll check on that and come back to re-request when we've got it squared.

elukey@krb1001:~$ sudo manage_principals.py create accraze --email_address=acraze@wikimedia.org
Principal successfully created.
Successfully sent email to acraze@wikimedia.org

Done!

Tgr added a subscriber: Tgr.Dec 16 2019, 7:12 AM

I'd also like to keep my stat100* access. Username is tgr.

I'd also like to keep my stat100* access. Username is tgr.

Done!

elukey@krb1001:~$ sudo manage_principals.py create tgr --email_address=gtisza@wikimedia.org
Principal successfully created.
Successfully sent email to gtisza@wikimedia.org
DED added a subscriber: DED.Dec 16 2019, 2:43 PM

I would like to request Kerberos credentials for the stat and notebook machines.
Username: dedcode

Hello, I think I'll need these credentials to use Hue and run Hive queries.

bd808 added a subscriber: bd808.Dec 16 2019, 11:22 PM

I would like to retain my ability to access Hadoop from the stat* hosts. My shell name is bd808.

I would like to request Kerberos credentials for the stat and notebook machines.
Username: dedcode

elukey@krb1001:~$ sudo manage_principals.py create dedcode --email_address=ddifallah@wikimedia.org
Principal successfully created.
Successfully sent email to ddifallah@wikimedia.org

I would like to retain my ability to access Hadoop from the stat* hosts. My shell name is bd808.

elukey@krb1001:~$ sudo manage_principals.py create bd808 --email_address=bdavis@wikimedia.org
Principal successfully created.
Successfully sent email to bdavis@wikimedia.org

Done!

Hello, I think I'll need these credentials to use Hue and run Hive queries.

elukey@krb1001:~$ sudo manage_principals.py create mmiller --email_address=mmiller@wikimedia.org
Principal successfully created.
Successfully sent email to mmiller@wikimedia.org

Done!

Gilles signed these changes with MFA.Dec 17 2019, 10:48 AM
Gilles added a subscriber: Gilles.

I would like to retain my ability to access Hadoop from the stat* hosts 🙃 My shell name is gilles

I would like to retain my ability to access Hadoop from the stat* hosts 🙃 My shell name is gilles

elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org

Done!

Hi,

I'll need a password, too. I use hive on stat1007. My username there is amire80, and the email begins with aaharoni and ends with the WMF domain.

ssingh added a subscriber: ssingh.Dec 19 2019, 6:02 PM

Hi! I need a password as well for stat1007 so that I can continue to access Hive. My username there is sukhe and my email is ssingh@. Thanks!

elukey added a comment.EditedDec 19 2019, 6:31 PM

Hi,

I'll need a password, too. I use hive on stat1007. My username there is amire80, and the email begins with aaharoni and ends with the WMF domain.

elukey@krb1001:~$ sudo manage_principals.py create amire80 --email_address=aaharoni@wikimedia.org
Principal successfully created.
Successfully sent email to aaharoni@wikimedia.org

Hi! I need a password as well for stat1007 so that I can continue to access Hive. My username there is sukhe and my email is ssingh@. Thanks!

elukey@krb1001:~$ sudo manage_principals.py create sukhe --email_address=ssingh@wikimedia.org
Principal successfully created.
Successfully sent email to ssingh@wikimedia.org

Done!

Hi. Looks like need one as well for Hive from krinkle@stat100x .

(Pasting the error here to aid future Phabricator-searching users)

Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is:  …

In a brilliant move, I have already forgotten which password I set and did not write it down. What's the procedure to initiate a password reset?

@elukey With https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/559104/ merged, could backfill the entries for all the Kerberos users created so far (and keep it updated for all credentials going forward)?

Change 559765 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Support password changes in manage_principals (WIP)

https://gerrit.wikimedia.org/r/559765

Hi. Looks like need one as well for Hive from krinkle@stat100x .

(Pasting the error here to aid future Phabricator-searching users)

Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is:  …
elukey@krb1001:~$ sudo manage_principals.py create krinkle --email_address=ttijhof@wikimedia.org
Principal successfully created.
Successfully sent email to ttijhof@wikimedia.org

Done!

Change 560378 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml

https://gerrit.wikimedia.org/r/560378

In a brilliant move, I have already forgotten which password I set and did not write it down. What's the procedure to initiate a password reset?

As workaround I did:

elukey@krb1001:~$ sudo manage_principals.py delete gilles
elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org

@Gilles you should be able now to re-init your account :)

Change 560378 merged by Elukey:
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml

https://gerrit.wikimedia.org/r/560378


Please don't request anymore any Kerberos identify in this task, but file a new one like described in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos


elukey set the point value for this task to 5.Dec 23 2019, 10:33 AM
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
Amire80 removed a subscriber: Amire80.Dec 23 2019, 10:36 AM
chasemp closed this task as Resolved.Dec 23 2019, 4:40 PM
chasemp added a subscriber: chasemp.

Please don't request anymore any Kerberos identify in this task, but file a new one like described in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos