Page MenuHomePhabricator

Requesting access to restricted production access and analytics-privatedata-users for Nahid Sultan
Closed, ResolvedPublicRequest

Description

  • Wikitech username: NahidSultan
  • Preferred shell username: nsultan
  • Email address: nsultan at wikimedia.org

SSH Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW3i1gYK4dE2KhqeFFYG99fESZDzajQ3HDb15hD0t+nOACpRqn8XH gXwRecjY5fLl1prwCwbgYEJnWLOZ1xWjmZgfJe2gdGhE4P26y9ekKcRKbm466MKKKlKg87oOI7m8CVR9bnd JCPz86X95+upABqaDiWCKgCMYf3f5UcOO64TgUfpGY0ltlPZHTfQ/ BhGsUzWR5o9DZPxBHWwYz1oQBjvpFiYD8pPG7ZSav3V1dMwoN5Cyr6fxevMzuRLTq+TOgPwW39DQTh1AExn cvjSjJJyTPhiXtg0/gZvNlyhkuKlQYjQCglPmrfkpztXlsHDU4DRK/jYm/ a6tGpCft7VlEN36XdTZ15Hsgf7tC9uWm7DAM057Tll2tKWjRYnrP9dmVcP9M9wiuNmdrDK6FQJzvXkpfNDP CCWTWiJu4VP0DY3mM7CSLMj5XqGHIuIjAclIXlGuMA8jtzfceRK1GuPmVylhWFALKvC5aemTQ81d47hQ08j GIQP4zhpjWqi9uUcVavtRD31GJNLRYi1CnoO1r5SaWaoPXcJ6RZycOkA9kR82uhaf5iOWuAlmHNmTPTG4gJ FPR5jwt1S2fonNRMEB57UEckCxNxGorvAj/WEgJ0EEg/ zXMiMok16i+Chwyoy8G5sJGuCdw5HNPAUV7l2edULBkpUDxA/lAdhwM91uSOQ== nahid@DESKTOPF9O9HU4

I'd like to request access for @Nahid to what I believe will be the restricted group and analytics-privatedata-users (the same that I have). Trust and Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). He is a member of the T&S Operations team alongside @jrbs, I, and other collaborators. Also, Nahid had a previous exposure to the technical infrastructure of the Foundation through his volunteer experience as a steward.

Specifically some of the workflows he needs to be able to do (and I believe needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • To remove 2FA for users who have lost their backup codes (after identity verification)
    • To add or reset user email addresses when locked out of their account (again after identity verification)
    • To permanently remove illegal images from the servers
  • Lookup private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Nahid has already signed L3. @JanWMF is our people manager and I'll have him comment here in support. As always please let me know if any issues or questions.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptJul 2 2020, 12:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ssingh claimed this task.Jul 2 2020, 1:07 PM
ssingh updated the task description. (Show Details)Jul 2 2020, 3:45 PM
ssingh updated the task description. (Show Details)Jul 2 2020, 5:43 PM
ssingh added a subscriber: Nuria.Jul 2 2020, 7:23 PM

@Nuria: This requires your approval for the analytics-privatedata-users part. Thank you.

jcrespo triaged this task as High priority.Jul 6 2020, 9:55 AM
Dzahn reassigned this task from ssingh to Nuria.Jul 9 2020, 5:38 PM
Dzahn added a subscriber: ssingh.
Nuria added a comment.Jul 16 2020, 2:56 PM

sorry I missed this, is @Nahid a full time WMF employee?

Nuria added a comment.Jul 16 2020, 2:58 PM

Approved on my end, let's add @Nahid to ldap wmf group as well

CDanis claimed this task.Jul 16 2020, 3:00 PM

thanks! will do so today

CDanis reassigned this task from CDanis to Nahid.Jul 16 2020, 5:50 PM

Hi Nahid,

Sorry to trouble you, but can you create another Wikitech account that is associated with your wikimedia.org email address? Or you could update User:NahidSultan (which now has an outlook.com personal email) to point to your Wikimedia email address.

We ask this of WMF staff because it makes tracking offboarding much easier for us.

Thanks!

Nahid added a comment.Jul 16 2020, 6:04 PM

Hi Nahid,

Sorry to trouble you, but can you create another Wikitech account that is associated with your wikimedia.org email address? Or you could update User:NahidSultan (which now has an outlook.com personal email) to point to your Wikimedia email address.

We ask this of WMF staff because it makes tracking offboarding much easier for us.

Thanks!

Hey Chris, Done. I've added my Wikimedia email address to the existing Wikitech account. Thank you for looking into this.

Change 613228 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] admin: shell access + analytics access for nsultan@

https://gerrit.wikimedia.org/r/613228

Change 613228 merged by CDanis:
[operations/puppet@production] admin: shell access + analytics access for nsultan@

https://gerrit.wikimedia.org/r/613228

CDanis closed this task as Resolved.Jul 16 2020, 6:37 PM

Thanks Nahid!

I've granted access for you, although I realized as I was working on this that your shell username need to be be your originally-chosen-at-Wikitech-account-creation nahidunlimited instead of nsultan as listed in this ticket. That's because changing that username on an existing account is very tricky.

If you'd prefer using nsultan as your shell username, please create a new Wikitech account and re-open this ticket, and we'll take care of that.

If you're fine with things as-is, no action required and your access will be live within half an hour.

Change 613280 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] admin: add kerberos for nsultan

https://gerrit.wikimedia.org/r/613280

Change 613280 merged by CDanis:
[operations/puppet@production] admin: add kerberos for nsultan

https://gerrit.wikimedia.org/r/613280

Ah -- one last thing -- you should have an email in your inbox with a temporary Kerberos password. Please follow the instructions in it and set your own password there soon.

Hello,

Thanks again for the patch. While he can access the stats server (stat1005.eqiad.wmnet), Nahid is not able to access the maintenance server.

You'll find the link to the configuration file and relevant ssh logs (only accessible to WMF) https://docs.google.com/document/d/1DhrYJfZ9Ng150drHfJisWryTUtZCY7MJs3HmOMetCos/edit

Indeed, nahidunlimited is only in analytics-privatedata-users group, not in restricted. For the restricted part, I don't see an approval here through :).

Nuria added a comment.Jul 27 2020, 5:00 PM

@sguebo_WMF since you are requesting access to data and no data is on that listed server I do not think access to the server in question is needed. What do you plan to use the maintenance server for?

@sguebo_WMF since you are requesting access to data and no data is on that listed server I do not think access to the server in question is needed. What do you plan to use the maintenance server for?

Trust and Safety's job is to help to reset 2FA, passwords nad similar, which is done via the maint server. By the way, Samuel wrote I'd like to request access for @Nahid to what I believe will be the restricted group and analytics-privatedata-users (the same that I have). in his request.

Nuria added a comment.Jul 27 2020, 5:33 PM

Trust and Safety's job is to help to reset 2FA, passwords and similar, which is done via the maint server

I see, that would need a different ticket and different set of approvals (sorry this sounds bureaucratic but those functions have little to do with querying data which is what belonging to analytics-privatedata-users group grants)

Dzahn reopened this task as Open.Jul 27 2020, 5:35 PM
Dzahn removed Nahid as the assignee of this task.
Dzahn added a subscriber: Dzahn.Jul 27 2020, 5:37 PM

Hi, reopening the ticket to get this done.

Trust and Safety's job is to help to reset 2FA, passwords nad similar, which is done via the maint server.

Could you list the commands? I think we want to create a group specific to this purpose that is separate from access to private logs on mwlog.

jrbs added a comment.Jul 27 2020, 5:46 PM

Hi, reopening the ticket to get this done.

Trust and Safety's job is to help to reset 2FA, passwords nad similar, which is done via the maint server.

Could you list the commands? I think we want to create a group specific to this purpose that is separate from access to private logs on mwlog.

Generally we use the maint server to run:

  • sql commands against various databases
  • extensions/OATHAuth/maintenance/disableOATHAuthForUser.php
  • resetUserEmail.php

I personally also use the eraseArchivedFile.php script to remove sensitive imagery, though Nahid will not be involved in that workflow. I also have write access to the SQL databases generally for votewiki stuff, since the extension is a little janky and sometimes requires direct writes to the tables.

Change 616568 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add nahidunlimited to restricted group

https://gerrit.wikimedia.org/r/616568

Or perhaps implement resetUserEmail.php in MW interface, which would reduce the need for mwmaint access. Disabling OATH is already possible via the UI.

Dzahn added a comment.Jul 27 2020, 8:07 PM

Hi, reopening the ticket to get this done.

Trust and Safety's job is to help to reset 2FA, passwords nad similar, which is done via the maint server.

Could you list the commands? I think we want to create a group specific to this purpose that is separate from access to private logs on mwlog.

Generally we use the maint server to run:

  • sql commands against various databases
  • extensions/OATHAuth/maintenance/disableOATHAuthForUser.php
  • resetUserEmail.php

I personally also use the eraseArchivedFile.php script to remove sensitive imagery, though Nahid will not be involved in that workflow. I also have write access to the SQL databases generally for votewiki stuff, since the extension is a little janky and sometimes requires direct writes to the tables.

Thank you for adding more detail. In the interest of unblocking this for you I added a patch to add you to "restricted" as originally requested, nevertheless.

Change 616568 merged by Herron:
[operations/puppet@production] admins: add nahidunlimited to restricted group

https://gerrit.wikimedia.org/r/616568

Change 616606 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admins: add nahidunlimited to restricted group

https://gerrit.wikimedia.org/r/616606

herron added a subscriber: herron.Jul 27 2020, 8:58 PM

Change 616568 merged by Herron:
[operations/puppet@production] admins: add nahidunlimited to restricted group

https://gerrit.wikimedia.org/r/616568

^^ this was reverted by me due to confusion about what approvals are still outstanding for this request. re-uploaded https://gerrit.wikimedia.org/r/616606

herron added subscribers: thcipriani, greg.EditedJul 27 2020, 9:45 PM

Hi @thcipriani, @greg, could you please review the portion of this request about adding user nahidunlimited to group restricted, and give a thumbs up if approved?

Will move forward with merging https://gerrit.wikimedia.org/r/616606 after approval. Thanks in advance!

Hi @thcipriani, @greg, could you please review the portion of this request about adding user nahidunlimited to group restricted, and give a thumbs up if approved?

Will move forward with merging https://gerrit.wikimedia.org/r/616606 after approval. Thanks in advance!

thumbs-up: makes sense to me for mwlog data

Thanks! Moving forward with this now

Change 616606 merged by Herron:
[operations/puppet@production] admins: add nahidunlimited to restricted group

https://gerrit.wikimedia.org/r/616606

herron closed this task as Resolved.Jul 27 2020, 11:59 PM
herron claimed this task.

The patch adding nahidunlimited to group restricted has been merged, and the updated group membership will be live within the next 30 minutes.

I'll transition this to resolved now, but if any follow up is needed please do not hesitate to re-open. Thanks!

Thank you all kindly for taking the time to resolve this issue. works fine now :)