
Request for srv/phab/phabricator/bin/bulk make-silent --id * command via SSH for moving tasks quarterly
Closed, Resolved, Public

Description

As someone doing program management, I want a way to move tasks in batch each quarter without notifying lots of people, and which doesn't rely on another team or person not on the requesting team to execute.

Detail:

Some teams I work with change workboards every quarter. E.g. "Kanban 2019-20 Q4". They make these Milestones to facilitate ease-of-use on their backlogs. When the quarter turns over, the remaining tasks get moved from one quarterly board to another. On a normal Phab account, this triggers a lot of notifications for people subscribed to those tasks.

In the past, there was @Phabricator_maintenance for moving tasks silently, but per T216867, that account no longer functions properly. In a typical, non-time-sensitive scenario, the workaround has been to request a CLI bulk edit from RelEng. This workaround is also why fixing the account has not been a priority.

However, my particular use-case needs to have someone familiar with the work present, in order to quickly restore tasks to the right columns on the new board. This is especially true when using Milestones, as the boards are mutually exclusive (with typical tags, the request can be processed and then the restoration can happen later, by using the old board for reference and/or as a stopgap). If there is a lag between the execution of the request and this restoration, a team's process is disrupted.

(Ideally, Phabricator would simply recognize columns on the new board, and move the tasks automagically, but this functionality doesn't exist).

If I could run the command myself via SSH, I could effectively execute my own silent batch edits. As currently CLI access is defined by phabricator-admin in puppet's data.yaml, this would likely need to be a separate new group just for permissions to run the srv/phab/phabricator/bin/bulk make-silent --id * command.

Event Timeline

Restricted Application added a subscriber: Aklapper.

Change 593166 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: new admin group to manage bulk jobs on Phabricator

https://gerrit.wikimedia.org/r/593166

Dzahn triaged this task as Medium priority. Apr 29 2020, 7:04 AM

Thanks for moving this along. Please let me know if I can help with anything. :)

Change 593166 merged by Dzahn:
[operations/puppet@production] admins: new admin group to manage bulk jobs on Phabricator

https://gerrit.wikimedia.org/r/593166

Hi Max! I have now created a new shell admin group called phabricator-bulk-manager that allows members to run the command /srv/phab/phabricator/bin/bulk make-silent --id * with sudo.

This group is applied to the puppet role::phabricator. This means currently the hosts called phab1001.eqiad.wmnet and phab2001.codfw.wmnet, of which phab1001 is currently the "active"/production one, and you should use that to run the command.

The next missing step is now to create a user for you and add it to that group.

For this we need an SSH public key from you. Please create a new keypair and paste the public part here on the ticket.

There are docs on how to do it at: https://wikitech.wikimedia.org/wiki/Production_access#Access_Request_Process

Also take a look at the page above in general. It tells you how to prepare your SSH config to be able to jump via one of the bastion hosts to a server behind them, in this case the phab servers.

Further, please read and sign the [[ L3 | Acknowledgement of Wikimedia Server Access Responsibilities ]].

Public key (generated today) attached :)

Change 597605 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/puppet@production] admin: Create shell account for mbinder and add to phabricator-bulk-manager

https://gerrit.wikimedia.org/r/597605

Change 597605 merged by RLazarus:
[operations/puppet@production] admin: Create shell account for mbinder and add to phabricator-bulk-manager

https://gerrit.wikimedia.org/r/597605

Hi @MBinder_WMF! I've created your shell account and added it to the group that @Dzahn created for you. I just ran puppet on bast4002 (your nearest bastion) and both Phab hosts, so you should be able to test your access now by sshing to phab1001.eqiad.wmnet, after following the Setting_up_your_SSH_config steps in the page that Daniel linked.

Give it a try now, and if you have any trouble getting connected, let me know and we'll get you sorted out.

Dzahn subscribed.

Thanks for taking care of this, @RLazarus. I can confirm Max's user exists on the Phabricator prod server, is in the new group and that group has the sudo privileges to run the requested command.

@MBinder_WMF Please use phab1001.eqiad.wmnet and let us know if it works for you.

Change 597830 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/puppet@production] admin: Fix my typo, s/ssh-keys/ssh_keys/.

https://gerrit.wikimedia.org/r/597830

Change 597830 merged by RLazarus:
[operations/puppet@production] admin: Fix my typo, s/ssh-keys/ssh_keys/.

https://gerrit.wikimedia.org/r/597830

@MBinder_WMF On the off chance you'd already tried logging into phab1001, and it didn't work, but you hadn't gotten around to saying anything yet -- that was because of my mistake, just fixed it, so try again. :)

Otherwise do still give it a shot and let us know. Thanks!

Thanks! Will investigate tomorrow, I hope. Currently swamped by a (virtual) offsite. :)

Thanks for your patience on this. I can SSH into bastion.wmflabs.org with user mbinder.

I am unable to SSH into phab1001.eqiad.wmnet, presumably because the config is looking locally for /Users/mbinder/.ssh/prod.key (due to line IdentityFile ~/.ssh/prod.key) but no such file exists. Should I instead point to the private key I generated (per https://wikitech.wikimedia.org/wiki/Production_access#Generating_your_SSH_key)? Just wanted to be extra explicit and careful since A) this stuff is delicate, and B) my knowledge is limited. :)

> Should I instead point to the private key I generated (per https://wikitech.wikimedia.org/wiki/Production_access#Generating_your_SSH_key)?

Exactly this, and thanks for double-checking.

You probably want that key to live in ~/.ssh if it doesn't already, but you can either rename that file to prod.key or update IdentityFile to point to the existing filename, either way is fine. Make sure to update it under both the bastion and *.wmnet Host entries.

I can confirm that changing those lines in the config to match the private key file name let me log in. Thanks for your help!
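
A check for the failure resolved in this exchange, as an added example that is not part of the original thread or of Wikimedia's tooling: it lists the IdentityFile entries that apply to a host and flags any that are missing or accessible to other users (ssh ignores private keys with such permissions). The bastion name bastion.example.org, the key filename id_ed25519_prod and the function names are assumptions; Match blocks and %-tokens in paths are not evaluated.

```python
import fnmatch
import os
import stat

# Constructed sample: bastion.example.org and id_ed25519_prod are placeholders.
SAMPLE_CONFIG = """\
Host bastion.example.org
    User mbinder
    IdentityFile ~/.ssh/prod.key
Host *.wmnet
    User mbinder
    ProxyJump bastion.example.org
    IdentityFile ~/.ssh/id_ed25519_prod
"""
HOSTS = ["bastion.example.org", "phab1001.eqiad.wmnet"]

def identity_files(config_text, hostname):
    """IdentityFile values from every Host block whose pattern matches."""
    found, active = [], True  # lines before the first Host apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            match = lambda p: fnmatch.fnmatchcase(hostname.lower(), p.lower())
            negated = any(match(p[1:]) for p in args if p.startswith("!"))
            active = not negated and any(match(p) for p in args)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped, not evaluated
        elif key == "identityfile" and active and args:
            found.append(args[0].strip('"'))
    return found

def check_keys(config_text, hostnames, home):
    """Return (hostname, path, finding) for each IdentityFile ssh cannot use."""
    findings = []
    for host in hostnames:
        for p in identity_files(config_text, host):
            full = os.path.join(home, p[2:]) if p.startswith("~/") else p
            if not os.path.isfile(full):
                findings.append((host, p, "file does not exist"))
            elif stat.S_IMODE(os.stat(full).st_mode) & 0o077:
                findings.append((host, p, "readable by group/other"))
    return findings

if __name__ == "__main__":
    for finding in check_keys(SAMPLE_CONFIG, HOSTS, os.path.expanduser("~")):
        print(finding)
```

Checking both the bastion and the target hostname matters here because each Host block carries its own IdentityFile, so a fix applied to only one of them leaves the other hop failing.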

ayounsi reassigned this task from MBinder_WMF to RLazarus.