Page MenuHomePhabricator
Create Task
Maniphest T238425

Read access for phabricator-admins (aklapper) to Phabricator production database to run SELECT queries
Closed, ResolvedPublic
Actions

Description

Probably makes sense, given some stuff I'd like to work on / analyze.

Use case examples:

  • I could query myself who's been most active setting priorities in T235153: List of recent most active Phab "Priority" field setters
  • I could query myself for column names used on team/group project workboards, to analyze patterns for standardization ("freezer", "icebox", "no capacity", etc) so meanings are more obvious to team outsiders

For my existing permissions, search for my shell user name aklapper in https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/admin/data/data.yaml

I signed L3 a while ago.

Details

SubjectRepoBranchLines +/-
phabricator: limit mysql access for admins to production realmoperations/puppetproduction+9 -7
phabricator: write my.cnf for db access into each admin home diroperations/puppetproduction+16 -0
Customize query in gerrit

Related Objects

Event Timeline

Aklapper created this task.Nov 15 2019, 5:45 PM
Restricted Application added a project: SRE. · View Herald TranscriptNov 15 2019, 5:45 PM
Dzahn subscribed.Nov 15 2019, 7:27 PM

+1. We talked about this and in the past i have often ran queries for Andre for things like community metrics.

Dzahn added a project: DBA.Nov 15 2019, 7:39 PM
Dzahn added a comment.EditedNov 15 2019, 7:44 PM

@DBA fyi. I suggest i can puppetize that Andre gets a my.cnf written to his home dir somewhere with the existing "metrics_user" from the class "passwords::mysql::phabricator".

That's the user i also use to run queries like this. It matches the purpose because metrics is what we are getting here. Of course we do NOT want to use the "app_user" or "manifest_user" and i want to point out they are already separate. It's not like there is just a single phab mysql user.

This way you don't have to create any new GRANTs and i can resolve it without changes on the DB side. (edit: well... replace "somewhere" with "phab server").

Dzahn claimed this task.Nov 15 2019, 7:52 PM
Dzahn triaged this task as Medium priority.
Dzahn renamed this task from Read access for aklapper to Phabricator production database to run SELECT queries to Read access for phabricator-admins (aklapper) to Phabricator production database to run SELECT queries.Nov 15 2019, 8:57 PM
gerritbot added a comment.Nov 15 2019, 9:07 PM

Change 551268 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: write my.cnf for db access into each admin home dir

https://gerrit.wikimedia.org/r/551268

gerritbot added a project: Patch-For-Review.Nov 15 2019, 9:10 PM
Aklapper added a comment.Nov 16 2019, 6:57 PM

Dzahn rightfully pointed out that Phabricator uses quite some DBs. If I had to limit, my list would probably be:

| phabricator_conpherence  |
| phabricator_differential |
| phabricator_file         |
| phabricator_herald       |
| phabricator_maniphest    |
| phabricator_policy       |
| phabricator_project      |
| phabricator_user         |

Not sure about these:

| phabricator_badges       |
| phabricator_spaces       |
Marostegui moved this task from Triage to Blocked external/Not db team on the DBA board.Nov 18 2019, 5:52 AM
Marostegui subscribed.

The user @Dzahn suggests to use I believe it is phstats, which only has access to these databases:

phabricator_differential
phabricator_user
phabricator_project
phabricator_maniphest
Aklapper added a comment.Nov 18 2019, 11:46 AM

That's also my understanding of the minimum "core databases" I'd need. So let's go with those four (plus principle of least privilege).
Could still expand as/if use cases pop up.

Dzahn moved this task from Untriaged to SRE Meeting Review on the SRE-Access-Requests board.Nov 18 2019, 9:02 PM
Dzahn moved this task from SRE Meeting Review to In Discussion on the SRE-Access-Requests board.
Dzahn added a comment.Nov 18 2019, 11:14 PM

@Aklapper Given that Phabricator uses multiple databases, do you just need the "phabricator_maniphest"

In T238425#5670176, @Marostegui wrote:

The user @Dzahn suggests to use I believe it is phstats, which only has access to these databases:

Yes, that's correct. The variable $metrics_user is set to "phstats".

In T238425#5671202, @Aklapper wrote:

That's also my understanding of the minimum "core databases" I'd need. So let's go with those four (plus principle of least privilege).

Ok, great. That makes it easier. Doing that.

gerritbot added a comment.Nov 20 2019, 11:57 PM

Change 551268 merged by Dzahn:
[operations/puppet@production] phabricator: write my.cnf for db access into each admin home dir

https://gerrit.wikimedia.org/r/551268

Dzahn added a comment.Nov 21 2019, 12:03 AM
[phab1001:/home/aklapper] $ mysql
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
[phab1001:/home/aklapper] $ sudo su aklapper
aklapper@phab1001:~$ mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5455428
Server version: 10.1.39-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [phabricator_maniphest]>

@Aklapper See above. Puppet has written a .my.cnf into your home (and that of Greg) now and if i run "mysql" i can't connect but if i become you first and then just run "mysql" i am straight on the phabricator_maniphest DB.

Dzahn added a comment.Nov 21 2019, 12:05 AM

You can switch to the other databases we idenitified with "use" after you connected. For example the "_user" db is accessible but "_herald" is not, as expected:

MariaDB [phabricator_maniphest]> use phabricator_herald;
ERROR 1044 (42000): Access denied for user 'phstats'@'10.64.16.8' to database 'phabricator_herald'
MariaDB [phabricator_maniphest]> use phabricator_user;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Dzahn closed this task as Resolved.Nov 21 2019, 12:09 AM

Let me know if this works for you.

Maintenance_bot removed a project: Patch-For-Review.Nov 21 2019, 12:10 AM
Aklapper added a comment.Nov 21 2019, 3:36 AM

@Dzahn: Uh yay! Works! Thanks so much! <3

gerritbot added a comment.Dec 6 2019, 5:30 PM

Change 555551 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: limit mysql access for admins to production realm

https://gerrit.wikimedia.org/r/555551

gerritbot added a project: Patch-For-Review.Dec 6 2019, 5:30 PM
gerritbot added a comment.Dec 6 2019, 5:32 PM

Change 555551 merged by Dzahn:
[operations/puppet@production] phabricator: limit mysql access for admins to production realm

https://gerrit.wikimedia.org/r/555551

Maintenance_bot removed a project: Patch-For-Review.Dec 6 2019, 6:11 PM
Aklapper mentioned this in T248905: Add aklapper to analytics-privatedata-users.Mar 30 2020, 6:50 PM
Aklapper mentioned this in T324205: mariadb: grant user 'phstats' additional select on phabricator_search db.Dec 1 2022, 1:49 PM
Aklapper mentioned this in T344513: mariadb: grant user 'phstats' additional select on phabricator_repository DB.Aug 18 2023, 6:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL