Page MenuHomePhabricator
Create Task
Maniphest T238306

Add system user analytics-privatedata to the anaytics-privatedata-users group
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

This task aims to add a system user called analytics-privatedata to the analytics-privatedata-users POSIX group. This user will be useful when Kerberos will be enabled, since researchers/analysts/etc.. will need a way to run authenticated recurrent jobs (like crons) without the need to kinit manually every 24h.

This is a interim compromise to avoid impacting users with Kerberos too much, that may eventually be deprecated in favor of something better and more granular.

The idea is the following:

  • a user authenticates with kinit (and password) when logging in into a stat/notebook host
  • a user in analytics-privatedata-users will also be able to sudo as analytics-privatedata to kinit with a keytab (that doesn't require a password) stored on some stat/notebook hosts, but only in some use cases (like executing a cron for 3 days to test something etc..)

Details

SubjectRepoBranchLines +/-
admin: add analytics-privatedata system useroperations/puppetproduction+10 -1
kerberos: add syslog logging to kerberos-run-command.pyoperations/puppetproduction+60 -26
Customize query in gerrit

Related Objects
Search...

Event Timeline

elukey created this task.Nov 14 2019, 9:37 AM
Restricted Application added a project: SRE. · View Herald TranscriptNov 14 2019, 9:37 AM
gerritbot added a comment.Nov 14 2019, 9:50 AM

Change 550814 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: add analytics-privatedata system user

https://gerrit.wikimedia.org/r/550814

gerritbot added a project: Patch-For-Review.Nov 14 2019, 9:50 AM
elukey mentioned this in T237269: Prepare the Hadoop Analytics cluster for Kerberos.Nov 14 2019, 5:46 PM
fdans moved this task from Incoming to Radar on the Analytics board.Nov 14 2019, 6:26 PM
crusnov triaged this task as Medium priority.Nov 18 2019, 4:52 PM
Dzahn moved this task from Untriaged to In Discussion on the SRE-Access-Requests board.Nov 18 2019, 9:03 PM
Dzahn moved this task from In Discussion to SRE Meeting Review on the SRE-Access-Requests board.
elukey added a comment.Nov 19 2019, 10:26 AM

During the SRE meeting no strong opposition to this task was raised, but it was suggested that logging kerberos-run-command usage in a log file could be good to track down people misusing the tool in the future.

gerritbot added a comment.Nov 19 2019, 11:13 AM

Change 551794 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] kerberos: add syslog logging to kerberos-run-command.py

https://gerrit.wikimedia.org/r/551794

gerritbot added a comment.Nov 20 2019, 8:12 AM

Change 551794 merged by Elukey:
[operations/puppet@production] kerberos: add syslog logging to kerberos-run-command.py

https://gerrit.wikimedia.org/r/551794

mforns moved this task from Next Up to In Progress on the Analytics-Kanban board.Nov 25 2019, 5:35 PM
gerritbot added a comment.Nov 25 2019, 6:17 PM

Change 550814 merged by Elukey:
[operations/puppet@production] admin: add analytics-privatedata system user

https://gerrit.wikimedia.org/r/550814

Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:53 AM
elukey moved this task from In Progress to Done on the Analytics-Kanban board.Nov 26 2019, 1:52 PM
elukey set the point value for this task to 5.
jbond closed this task as Resolved.Nov 27 2019, 11:57 AM
jbond subscribed.

I think this is complete but please reopen if there are still outstanding tasks

Aklapper edited projects, added Analytics-Radar; removed Analytics.Jun 10 2020, 6:44 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits