
LDAP access to the wmf group for Sam Walton
Closed, Resolved · Public

Description

Username: Samwalton9
Shell access: Yes
Purpose: I'd like to access Superset for my work as a Product Manager at WMF
Group: (The specific group you want to be added to - optional).

Event Timeline

Restricted Application added a subscriber: Aklapper.

Hi @Samwalton9, as far as I know for Superset access only the shell access is not required. I'm CC'ing @Nuria for signoff on Superset access itself.

fgiunchedi triaged this task as Medium priority. Apr 15 2020, 8:41 AM

> as far as I know for Superset access only the shell access is not required

Oh, sure, it wasn't clear to me if the 'shell access' question was about whether I already had a shell account or needed access :)

Hi Sam,

Looks like you already have an account on wikitech (Samwalton), so I've given that account membership in the wmf group. You should have Superset access with it now.

(I don't believe @Nuria's signoff is necessary for access, rather simply that she receive a notification of new users.)

Change 591177 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] admin: add samwalton to ldap_only_users

https://gerrit.wikimedia.org/r/591177

Change 591177 merged by CDanis:
[operations/puppet@production] admin: add samwalton to ldap_only_users

https://gerrit.wikimedia.org/r/591177

CDanis claimed this task.

Please re-open if this doesn't work for you!

I don't seem to be able to log in, using my Wikitech login :(

Sam,

Which username did you use? Can you confirm that logging into Wikitech itself works?

Thanks!

I log into Wikitech using Samwalton9, which works as expected. I've tried both Samwalton9 and samwalton on Superset.

Ah, sorry, I hadn't realized you had multiple wikitech accounts. There's also a Samwalton (not samwalton) on wikitech. The uppercased one is the one I added to the wmf group (since that's the one I found using your WMF email address as the key).

Make sure you can log into wikitech using Samwalton, and then those same credentials should work for superset (just note the capitalization in the username).

Do you want to retain both wikitech accounts? (I've also asked around some other SREs if we have any usual policies here.)

For reference, here's the set of groups and permissions and other data about each wikitech account:

https://tools.wmflabs.org/ldap/user/samwalton9
https://tools.wmflabs.org/ldap/user/samwalton

Oh, yep, the fun that comes with the overlaps of your volunteer and staff accounts :)

samwalton9 is the ideal account to have set here, since that's the login I use for Horizon. Is that OK?

AIUI, we aren't generally in the business of giving wmf access for volunteer accounts, since that becomes too hard to track for offboarding procedures.

That makes sense, I'll use my staff account then.

I'm a little confused about that, though, since I can't find any Wikitech login details for my staff account. https://tools.wmflabs.org/ldap/user/samwalton implies I should have a User:Samwalton at Wikitech, but that account (https://wikitech.wikimedia.org/wiki/User:Samwalton) doesn't exist. I tried resetting the password on it but received nothing.

This looks like a legit bug. The user samwalton is definitely in LDAP (using ldapsearch on mwmaint1002) and it's even listed as member of various toolforge groups and project-bastion. It should not be possible to be the case while the user is also "not registered" on Wikitech. Adding @bd808

> This looks like a legit bug. The user samwalton is definitely in LDAP (using ldapsearch on mwmaint1002) and it's even listed as member of various toolforge groups and project-bastion. It should not be possible to be the case while the user is also "not registered" on Wikitech. Adding @bd808

This has been possible for nearly four years. T144710: Create Wikitech/LDAP accounts via a new user friendly guided workflow added the ability to create new Wikimedia Developer accounts via Striker. Striker asks Wikitech to help validate some bits (TitleBlacklist, etc), but then creates the account directly in the LDAP directory. MediaWiki's MediaWiki-extensions-LdapAuthentication integration does not poll LDAP for accounts. Instead local MediaWiki accounts are created ad hoc when an authentication check against LDAP succeeds and no matching local user is found. There are actually numerically many Developer accounts in LDAP which are not local users on Wikitech.

Hm. I have no idea what my password is for that account - is there somewhere I can reset it?

> Hm. I have no idea what my password is for that account - is there somewhere I can reset it?

You can use https://wikitech.wikimedia.org/wiki/Special:PasswordReset

Per the above, I don't have a Wikitech account, just an LDAP login, so the Wikitech password reset form won't work.

Oh perfect, that was the domain I needed for my password manager to locate the right login details for me 😁 Confirmed I have access to Superset with that login.

Great, glad to hear it!

I also updated SRE's docs with some of what @bd808 said, as I don't think that was widely understood on the SRE team.

> I also updated SRE's docs with some of what @bd808 said, as I don't think that was widely understood on the SRE team.

One related thing to this that should be documented somewhere is the attachLdapUser.php maintenance script which lives in MediaWiki-extensions-OpenStackManager. This script can be used to force creation of a local Wikitech user account for any Developer account in the LDAP directory that does not have one. It was invented as a bandaid for T174469: LDAP account that is not attached on wikitech has no means for password reset so that a user who has lost their password can use Special:PasswordReset to get a new one even if they had not previously attached their account to Wikitech by logging in.
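
An added example, not part of the thread and not Wikimedia's tooling: a Python audit for the two situations explained above, listing directory accounts that have no local wiki user (and so cannot use Special:PasswordReset until attached) and grouping look-alike names such as the Samwalton/Samwalton9 pair. The LDIF records, the attribute roles (cn as wiki username, uid as shell name) and every function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed LDIF export. Attribute roles are assumptions for this example:
# cn = wiki username, uid = shell name.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
cn: Alice

dn: uid=jdoe,ou=people,dc=example,dc=org
uid: jdoe
cn: Jdoe

dn: uid=jdoe9,ou=people,dc=example,dc=org
uid: jdoe9
cn: Jdoe9
"""

# Constructed list of users that exist locally on the wiki.
LOCAL_WIKI_USERS = ["Alice", "Jdoe9"]


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no folding or base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({key: value for key, sep, value in pairs if sep})
    return entries


def wiki_name(name):
    """MediaWiki upper-cases the first letter; the rest is case-sensitive."""
    return name[:1].upper() + name[1:]


def unattached(entries, local_users):
    """Directory accounts with no local wiki user (no reset path)."""
    local = {wiki_name(u) for u in local_users}
    return sorted(e["cn"] for e in entries if wiki_name(e["cn"]) not in local)


def lookalikes(entries):
    """Group names that differ only by case or trailing digits."""
    groups = defaultdict(list)
    for e in entries:
        groups[re.sub(r"\d+$", "", e["cn"]).lower()].append(e["cn"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Reviewing the look-alike groups before granting group membership shows which of a person's accounts is about to receive access, which matters for later offboarding.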