
Requesting access to centralauth database for Jennifer Wang
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: jenniferwang
  • Preferred shell username: jiawang
  • Email address: jwang@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production): ~jwang/.SSH/id_rsa.pub
  • Requested group membership: I apply for the access to centralauth database. Not sure which group it belongs to. BTW, I have product access already (https://phabricator.wikimedia.org/T242496)
  • Reason for access: I am a data analyst for AHT team. I need the access to query centralauth database.
  • Name of approving party (hiring manager for WMF staff): Kate Zimmerman, Niharika Kohli
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document:
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not be shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Restricted Application added a subscriber: Aklapper.
ema triaged this task as Medium priority. Jun 23 2020, 9:10 AM

Hi @jwang, to carry on with your access request we need some additional information:

  • as per point 3 of the checklist, what sort of commands and/or tasks do you expect to perform?
  • we need the contents of your ssh public key, not the filename
  • sign off on this ticket from your manager

Thanks!

@ema, thanks for your review. Here is the additional info. Feel free to let me know if you need anything from me.

  • as per point 3 of the checklist, what sort of commands and/or tasks do you expect to perform?

command I want to perform:
First:
%ssh deployment.eqiad.wmnet
Then:
%sql centralauth

  • we need the contents of your ssh public key, not the filename

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpYzzNQaWunmpWx6X7+9kKECizTwJFxk5pndfHjZgJq jwang@Jennifers-MBP.corp.wikimedia.org

  • sign off on this ticket from your manager

    @kzimmerman, during the 1on1 with Niharika, she asked me to get permission and access to central database. Can you sign off?

I am a data analyst for AHT team. I need the access to query centralauth database

With that short access request description, it looks to me like you don't need access to the production database, but to the analytics copy? Sorry if I am wrong, I am not familiar with the work of your team, I am only going with the information you provided on this request.

If that is true, analytics-privatedata-users or researchers are the groups you request, to generate analytics on a read only copy of production databases, including centralauth.

If you need deployment access to read and modify the production database (e.g. to deploy new mediawiki features), then you need a mediawiki deployment user.

First one needs analytics ok, and second releng team's ok.

Once the request is clarified, aside from the above approval, you will still need your manager's ok, which was pending.

Hi,

I only need read-only permission. I am already in the analytics-privatedata-users group. But I failed to ssh deployment.eqiad.wmnet. Not sure what's missing.

Thanks,
Jennifer

@jcrespo You got it right. Jennifer needs access to the analytics copy. To give a little more context here, centralauth has a localuser table that has a mapping of user's global_id and local_id which we need to be able to de-duplicate users.

If that is true, analytics-privatedata-users or researchers are the groups you request, to generate analytics on a read only copy of production databases, including centralauth.

It is likely that @jwang is already part of one or both of these groups. Is there a way to confirm that?

It is likely that @jwang is already part of one or both of these groups. Is there a way to confirm that?

Indeed, I can see the user is already part of analytics-privatedata-users. I believe in that case no extra grant is needed (please correct me).

The issue seems to be confusion on how to access, which I agree is confusing looking at the existing documentation: https://wikitech.wikimedia.org/wiki/Analytics/Systems/MariaDB .

As such, the access is not through deployment.eqiad.wmnet (which is for mediawiki and other service deployment and related actions), but through stats servers:

stat100[4,6,7] are the ones with access to the MariaDB data. To access the mariadb replicas, one can do (in your case):

analytics-mysql centralauth

e.g.

ssh stat1007.eqiad.wmnet "analytics-mysql centralauth --print-target"
dbstore1003.eqiad.wmnet:3317

I double checked access and I was able to access mysql with the existing account:

root@stat1007# su - jiawang
jiawang@stat1007:~$ analytics-mysql centralauth
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1183109
Server version: 10.4.13-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql:research@dbstore1003.eqiad.wmnet [centralauth]> Bye

It is part of my job to assist people if they have issues accessing granted resources. Feel free to reply here or on IRC for further assistance.

jwang claimed this task.

@jcrespo With your suggested method, I can access centralauth now. Thank you!