Page MenuHomePhabricator
Create Task
Maniphest T237605

Create kerberos principals for users
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

This task should track the requests to create Kerberos principals from users.

Details

SubjectRepoBranchLines +/-
Support password changes in manage_principals (WIP)operations/puppetproduction+45 -4
admin: Backfill kerberos settings to data.yamloperations/puppetproduction+46 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
dcausse subscribed.Nov 26 2019, 9:52 AM

I'd need access as well, username: dcausse
Thanks!

dcausse added a subscriber: TJones.Nov 26 2019, 9:53 AM
elukey added a comment.Nov 26 2019, 10:40 AM
In T237605#5692512, @dcausse wrote:

I'd need access as well, username: dcausse
Thanks!

elukey@krb1001:~$ sudo manage_principals.py create dcausse --email_address=dcausse@wikimedia.org
Principal successfully created.
Successfully sent email to dcausse@wikimedia.org

Done! Please check your inbox :)

Pcoombe unsubscribed.Nov 26 2019, 11:51 AM
dr0ptp4kt subscribed.Nov 26 2019, 12:41 PM

Access requested for me - dr0ptp4kt

elukey added a comment.Nov 26 2019, 12:44 PM
In T237605#5693131, @dr0ptp4kt wrote:

Access requested for me - dr0ptp4kt

elukey@krb1001:~$ sudo manage_principals.py create dr0ptp4kt --email_address=abaso@wikimedia.org
Principal successfully created.
Successfully sent email to abaso@wikimedia.org

Please check your inbox :)

awight subscribed.Nov 26 2019, 1:25 PM

Requesting credentials for myself, my user info is:

sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
elukey added a comment.Nov 26 2019, 1:28 PM
In T237605#5693281, @awight wrote:

Requesting credentials for myself, my user info is:

sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
elukey@krb1001:~$ sudo manage_principals.py create awight --email_address=adam.wight@wikimedia.de
Principal successfully created.
Successfully sent email to adam.wight@wikimedia.de

Done! :)

TJones added a comment.Nov 26 2019, 3:41 PM

I'd also like to request access (tjones@wikimedia.org). Thanks!

elukey added a comment.EditedNov 26 2019, 4:00 PM
In T237605#5693788, @TJones wrote:

I'd also like to request access (tjones@wikimedia.org). Thanks!

elukey@krb1001:~$ sudo manage_principals.py create tjones --email_address=tjones@wikimedia.org
Principal successfully created.
Successfully sent email to tjones@wikimedia.org

Done! please check your inbox :)

EBernhardson added a comment.Nov 26 2019, 4:07 PM

discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.

I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).

Indeed i meant analytics-search. We will indeed need a keytab for an-airflow1001, I'm also not quite clear on oozie, iiuc it will run from an-coord1001 and will somehow need to become the users in question. Is that all handled at submit time from the keys on stat1007, or does something else need to be done?

elukey added a comment.Nov 26 2019, 4:15 PM
In T237605#5693906, @EBernhardson wrote:

discovery-analytics: We run analytics jobs (submit to oozie, etc) from this user. The upcoming airflow installation will also submit our jobs as this user. I suppose send this to my email as well? Otherwise maybe discovery-private@lists.wikimedia.org would work, but that is far from private and subscribed by many across the org.

I am aware of the analytics-search system user, and for that I have already created a keytab (basically a file with user+password that only the owner can read) on stat1007 (and all systemd timers will use it as soon as we enable kerberos, no action needed from your side). Is it the user that you mentioned? If so, I think that we'd just need to create a keytab for an-airflow1001 right? (the keytabs are host-specific).

Indeed i meant analytics-search. We will indeed need a keytab for an-airflow1001, I'm also not quite clear on oozie, iiuc it will run from an-coord1001 and will somehow need to become the users in question. Is that all handled at submit time from the keys on stat1007, or does something else need to be done?

Oozie will act as proxy, so once proven your identity it will run on behalf of your principal. It is only a matter of submitting the oozie jobs using the analytics-search crendentials from stat1007 for example. You can use the kerberos-run-command, and example in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Run_a_recurrent_job_via_Cron_or_similar_without_kinit_every_day
Let me know if it is clear or it more doc needs to be added! I'll make sure to deploy a keytab on an-airflow1001

TJones unsubscribed.Nov 26 2019, 10:04 PM
MGerlach subscribed.Nov 28 2019, 1:56 PM

I would also like to request access. username: mgerlach
Thanks.

elukey added a comment.Nov 28 2019, 2:14 PM
In T237605#5699960, @MGerlach wrote:

I would also like to request access. username: mgerlach
Thanks.

elukey@krb1001:~$ sudo manage_principals.py create mgerlach --email_address=mgerlach@wikimedia.org
Principal successfully created.
Successfully sent email to mgerlach@wikimedia.org

Done :)

MGerlach unsubscribed.Nov 28 2019, 2:20 PM
Miriam added subscribers: tizianopiccardi, Miriam.Nov 28 2019, 6:03 PM

Hi! Can I have access too please? My username is mirrys

@tizianopiccardi you might want to request this too.

elukey added a comment.Nov 28 2019, 6:49 PM
In T237605#5700493, @Miriam wrote:

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

awight unsubscribed.Nov 29 2019, 7:15 AM
Miriam added a comment.Nov 29 2019, 9:41 AM
In T237605#5700591, @elukey wrote:
In T237605#5700493, @Miriam wrote:

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

Thanks!!

tizianopiccardi added a comment.Nov 29 2019, 1:27 PM
In T237605#5700591, @elukey wrote:
In T237605#5700493, @Miriam wrote:

Hi! Can I have access too please? My username is mirrys

elukey@krb1001:~$ sudo manage_principals.py create mirrys --email_address=mredi@wikimedia.org
Principal successfully created.
Successfully sent email to mredi@wikimedia.org

Done! :)

Hi Luca, I need it too! Thank you

Username: piccardi
Email: tiziano.piccardi@epfl.ch

elukey added a comment.Nov 29 2019, 1:36 PM
In T237605#5701535, @tizianopiccardi wrote:

Hi Luca, I need it too! Thank you

Username: piccardi
Email: tiziano.piccardi@epfl.ch

elukey@krb1001:~$ sudo manage_principals.py create piccardi --email_address=tiziano.piccardi@epfl.ch
Principal successfully created.
Successfully sent email to tiziano.piccardi@epfl.ch

Done! :)

jijiki subscribed.Dec 2 2019, 10:32 AM

@elukey Hey luca, I think I will need one too :) Thank you very much

elukey added a comment.Dec 2 2019, 10:40 AM
In T237605#5704521, @jijiki wrote:

@elukey Hey luca, I think I will need one too :) Thank you very much

elukey@krb1001:~$ sudo manage_principals.py create jiji --email_address=emouzeli@wikimedia.org
Principal successfully created.
Successfully sent email to emouzeli@wikimedia.org

Done!

Ladsgroup signed these changes with MFA.Dec 2 2019, 6:42 PM
Ladsgroup subscribed.

Hello, My name is Amir and I'm an alcoholic, I mean software engineer. I work as a developer at WMDE in wikidata team and I use hadoop data on daily basis from stat100*. My shell name is ladsgroup.

elukey added a comment.Dec 2 2019, 7:08 PM
In T237605#5706229, @Ladsgroup wrote:

Hello, My name is Amir and I'm an alcoholic, I mean software engineer. I work as a developer at WMDE in wikidata team and I use hadoop data on daily basis from stat100*. My shell name is ladsgroup.

elukey@krb1001:~$ sudo manage_principals.py create ladsgroup --email_address=amir.sarabadani@wikimedia.de
Principal successfully created.
Successfully sent email to amir.sarabadani@wikimedia.de

Done!

AndyRussG subscribed.Dec 4 2019, 5:01 PM

Hi! Here's my request for the new creds for stat100* and notebook100*, please. Username: andyrussg. Thanks so much for working on this!!!!! :)

Ejegg subscribed.Dec 4 2019, 5:15 PM

Hi! here's my request for Kerberos credentials for Hadoop access on stat100X and notebook100X. My username is ejegg.

elukey added a comment.Dec 4 2019, 5:32 PM
In T237605#5712992, @Ejegg wrote:

Hi! here's my request for Kerberos credentials for Hadoop access on stat100X and notebook100X. My username is ejegg.

elukey@krb1001:~$ sudo manage_principals.py create ejegg  --email_address=eeggleston@wikimedia.org
Principal successfully created.
Successfully sent email to eeggleston@wikimedia.org

Done!

elukey added a comment.Dec 4 2019, 5:41 PM
In T237605#5712943, @AndyRussG wrote:

Hi! Here's my request for the new creds for stat100* and notebook100*, please. Username: andyrussg. Thanks so much for working on this!!!!! :)

elukey@krb1001:~$ sudo manage_principals.py create andyrussg  --email_address=agreen@wikimedia.org
Principal successfully created.
Successfully sent email to agreen@wikimedia.org

Done!

Halfak subscribed.Dec 4 2019, 9:00 PM

I need creds for stat100*. My username is halfak

lexnasser unsubscribed.Dec 4 2019, 9:01 PM
Halfak added subscribers: kevinbazira, ACraze.Dec 4 2019, 9:01 PM

I'd like to request creds for the engineers on my team as we'll (hopefully) be using hadoop a lot more soon. Usernames: accraze and kevinbazira

Ping @kevinbazira and @ACraze

Ejegg unsubscribed.Dec 4 2019, 10:41 PM
jkumalah subscribed.Dec 6 2019, 6:52 PM

Hi! I would also like to request Kerberos credentials for stat100x and notebook100x machines. My username is jkumalah.

Mstyles subscribed.Dec 6 2019, 7:43 PM

I too am requesting Kerberos credentials for the stat and notebook machines. My username is mstyles

elukey added a comment.Dec 9 2019, 8:53 AM
In T237605#5713678, @Halfak wrote:

I need creds for stat100*. My username is halfak

In T237605#5713682, @Halfak wrote:

I'd like to request creds for the engineers on my team as we'll (hopefully) be using hadoop a lot more soon. Usernames: accraze and kevinbazira

Ping @kevinbazira and @ACraze

Created

elukey@krb1001:~$ sudo manage_principals.py create halfak  --email_address=ahalfaker@wikimedia.org
Principal successfully created.
Successfully sent email to ahalfaker@wikimedia.org
elukey@krb1001:~$ sudo manage_principals.py create kevinbazira  --email_address=kbazira@wikimedia.org
Principal successfully created.
Successfully sent email to kbazira@wikimedia.org

@Halfak user accraze seems not to be only in statistics-privatedata-users and not in analytics-privatedata-users, is it on purpose? The former group should not be used to access Hadoop in theory..

elukey added a comment.Dec 9 2019, 8:54 AM
In T237605#5719102, @jkumalah wrote:

Hi! I would also like to request Kerberos credentials for stat100x and notebook100x machines. My username is jkumalah.

elukey@krb1001:~$ sudo manage_principals.py create jkumalah --email_address=jkumalah@wikimedia.org
Principal successfully created.
Successfully sent email to jkumalah@wikimedia.org

Done! :)

elukey added a comment.Dec 9 2019, 8:55 AM
In T237605#5719213, @Mstyles wrote:

I too am requesting Kerberos credentials for the stat and notebook machines. My username is mstyles

elukey@krb1001:~$ sudo manage_principals.py create mstyles --email_address=mstyles@wikimedia.org
Principal successfully created.
Successfully sent email to mstyles@wikimedia.org

Done!

Halfak added a comment.Dec 9 2019, 5:49 PM

@elukey, @ACraze not being in analytics-privatedata-users seems like an oversight. I'll check on that and come back to re-request when we've got it squared.

MoritzMuehlenhoff added a comment.Dec 13 2019, 7:01 AM

JFTR, I also created myself a "jmm" principal in the prod setup.

elukey added a comment.Dec 13 2019, 8:14 AM
In T237605#5724934, @Halfak wrote:

@elukey, @ACraze not being in analytics-privatedata-users seems like an oversight. I'll check on that and come back to re-request when we've got it squared.

elukey@krb1001:~$ sudo manage_principals.py create accraze --email_address=acraze@wikimedia.org
Principal successfully created.
Successfully sent email to acraze@wikimedia.org

Done!

Tgr subscribed.Dec 16 2019, 7:12 AM

I'd also like to keep my stat100* access. Username is tgr.

elukey added a comment.Dec 16 2019, 7:15 AM
In T237605#5743381, @Tgr wrote:

I'd also like to keep my stat100* access. Username is tgr.

Done!

elukey@krb1001:~$ sudo manage_principals.py create tgr --email_address=gtisza@wikimedia.org
Principal successfully created.
Successfully sent email to gtisza@wikimedia.org
DED subscribed.Dec 16 2019, 2:43 PM

I would like to request Kerberos credentials for the stat and notebook machines.
Username: dedcode

MMiller_WMF subscribed.Dec 16 2019, 6:06 PM

Hello, I think I'll need these credentials to use Hue and run Hive queries.

bd808 subscribed.Dec 16 2019, 11:22 PM

I would like to retain my ability to access Hadoop from the stat* hosts. My shell name is bd808.

elukey added a comment.Dec 17 2019, 9:30 AM
In T237605#5744591, @DED wrote:

I would like to request Kerberos credentials for the stat and notebook machines.
Username: dedcode

elukey@krb1001:~$ sudo manage_principals.py create dedcode --email_address=ddifallah@wikimedia.org
Principal successfully created.
Successfully sent email to ddifallah@wikimedia.org
In T237605#5746448, @bd808 wrote:

I would like to retain my ability to access Hadoop from the stat* hosts. My shell name is bd808.

elukey@krb1001:~$ sudo manage_principals.py create bd808 --email_address=bdavis@wikimedia.org
Principal successfully created.
Successfully sent email to bdavis@wikimedia.org

Done!

elukey added a comment.Dec 17 2019, 9:31 AM
In T237605#5745319, @MMiller_WMF wrote:

Hello, I think I'll need these credentials to use Hue and run Hive queries.

elukey@krb1001:~$ sudo manage_principals.py create mmiller --email_address=mmiller@wikimedia.org
Principal successfully created.
Successfully sent email to mmiller@wikimedia.org

Done!

Gilles signed these changes with MFA.Dec 17 2019, 10:48 AM
Gilles subscribed.

I would like to retain my ability to access Hadoop from the stat* hosts 🙃 My shell name is gilles

elukey added a comment.Dec 17 2019, 10:54 AM
In T237605#5747192, @Gilles wrote:

I would like to retain my ability to access Hadoop from the stat* hosts 🙃 My shell name is gilles

elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org

Done!

MMiller_WMF unsubscribed.Dec 18 2019, 6:00 AM
Amire80 subscribed.Dec 19 2019, 5:58 PM

Hi,

I'll need a password, too. I use hive on stat1007. My username there is amire80, and the email begins with aaharoni and ends with the WMF domain.

ssingh subscribed.Dec 19 2019, 6:02 PM

Hi! I need a password as well for stat1007 so that I can continue to access Hive. My username there is sukhe and my email is ssingh@. Thanks!

elukey added a comment.EditedDec 19 2019, 6:31 PM
In T237605#5754842, @Amire80 wrote:

Hi,

I'll need a password, too. I use hive on stat1007. My username there is amire80, and the email begins with aaharoni and ends with the WMF domain.

elukey@krb1001:~$ sudo manage_principals.py create amire80 --email_address=aaharoni@wikimedia.org
Principal successfully created.
Successfully sent email to aaharoni@wikimedia.org
In T237605#5754854, @ssingh wrote:

Hi! I need a password as well for stat1007 so that I can continue to access Hive. My username there is sukhe and my email is ssingh@. Thanks!

elukey@krb1001:~$ sudo manage_principals.py create sukhe --email_address=ssingh@wikimedia.org
Principal successfully created.
Successfully sent email to ssingh@wikimedia.org

Done!

Krinkle subscribed.Dec 19 2019, 10:01 PM

Hi. Looks like need one as well for Hive from krinkle@stat100x .

(Pasting the error here to aid future Phabricator-searching users)

Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is:  …
Gilles added a comment.Dec 20 2019, 10:54 AM

In a brilliant move, I have already forgotten which password I set and did not write it down. What's the procedure to initiate a password reset?

MoritzMuehlenhoff added a comment.Dec 20 2019, 11:29 AM

@elukey With https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/559104/ merged, could backfill the entries for all the Kerberos users created so far (and keep it updated for all credentials going forward)?

gerritbot added a comment.Dec 20 2019, 11:29 AM

Change 559765 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Support password changes in manage_principals (WIP)

https://gerrit.wikimedia.org/r/559765

gerritbot added a project: Patch-For-Review.Dec 20 2019, 11:29 AM
elukey added a comment.Dec 23 2019, 9:34 AM
In T237605#5755474, @Krinkle wrote:

Hi. Looks like need one as well for Hive from krinkle@stat100x .

(Pasting the error here to aid future Phabricator-searching users)

Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is:  …
elukey@krb1001:~$ sudo manage_principals.py create krinkle --email_address=ttijhof@wikimedia.org
Principal successfully created.
Successfully sent email to ttijhof@wikimedia.org

Done!

gerritbot added a comment.Dec 23 2019, 9:47 AM

Change 560378 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml

https://gerrit.wikimedia.org/r/560378

elukey added a comment.Dec 23 2019, 10:15 AM
In T237605#5756730, @Gilles wrote:

In a brilliant move, I have already forgotten which password I set and did not write it down. What's the procedure to initiate a password reset?

As workaround I did:

elukey@krb1001:~$ sudo manage_principals.py delete gilles
elukey@krb1001:~$ sudo manage_principals.py create gilles --email_address=gdubuc@wikimedia.org
Principal successfully created.
Successfully sent email to gdubuc@wikimedia.org

@Gilles you should be able now to re-init your account :)

gerritbot added a comment.Dec 23 2019, 10:20 AM

Change 560378 merged by Elukey:
[operations/puppet@production] admin: Backfill kerberos settings to data.yaml

https://gerrit.wikimedia.org/r/560378

elukey added a comment.Dec 23 2019, 10:33 AM

Please don't request anymore any Kerberos identify in this task, but file a new one like described in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos

elukey set the point value for this task to 5.Dec 23 2019, 10:33 AM
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
Amire80 unsubscribed.Dec 23 2019, 10:36 AM
chasemp closed this task as Resolved.Dec 23 2019, 4:40 PM
chasemp mentioned this in T241370: Kerberos password for rush.
chasemp subscribed.
In T237605#5760370, @elukey wrote:

Please don't request anymore any Kerberos identify in this task, but file a new one like described in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos

sbassett mentioned this in T242242: Kerberos credentials for sbassett.Jan 8 2020, 5:17 PM
gerritbot added a comment.May 7 2021, 9:54 AM

Change 559765 abandoned by Muehlenhoff:

[operations/puppet@production] Support password changes in manage_principals (WIP)

Reason:

Obsoleted by different patch

https://gerrit.wikimedia.org/r/559765

Maintenance_bot removed a project: Patch-For-Review.May 7 2021, 10:11 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits