Page MenuHomePhabricator
Create Task
Maniphest T266791

Requesting access to production shell groups for DNdubane
Closed, ResolvedPublic
Actions

Description

  • Wikitech username: DNdubane
  • Preferred shell username: dumisani
  • Email address: dndubane@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjJGjEU/bTRc57QXmiXIvA6ru0xYEgmgFoExwLCpXzP dumisani@MacBook-Pro.local
  • Requested group membership:
wikidev, analytics-privatedata-users, and researchers (and wmf or nda groups, if not already)
  • Reason for access: Data access for the Global Data & Insights team
  • Name of approving party (hiring manager for WMF staff): Sumeet Bodington
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party. Note: Our new Director, Sumeet Boddington, begins Monday Oct. 26th, currently the team is being overseen by our department chief, Janeen Uzzell.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - non-staff requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
admin: update dumisani's SSH keyoperations/puppetproduction+1 -1
admin: shell user for Dumisani Ndubane, add to analytics-privatedataoperations/puppetproduction+11 -1
admin: add dumisane to researchersoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects

Event Timeline

DNdubane_WMF created this task.Oct 29 2020, 2:01 PM
Restricted Application added a project: SRE. · View Herald TranscriptOct 29 2020, 2:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Oct 30 2020, 11:07 AM
ema updated the task description. (Show Details)Oct 30 2020, 11:13 AM
ema subscribed.

I couldn't find @DNdubane_WMF's signature on L3, task description updated accordingly.

Dzahn assigned this task to DNdubane_WMF.Oct 30 2020, 10:23 PM
Dzahn moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.
DNdubane_WMF added a subscriber: Dzahn.Nov 9 2020, 12:37 PM

Hi @Dzahn, I have just signed the terms.

jijiki subscribed.Nov 10 2020, 4:53 PM

@DNdubane_WMF going through the list, we will need your manager's approval, thank you!

herron updated the task description. (Show Details)Nov 16 2020, 7:24 PM
herron added subscribers: Ottomata, herron.Nov 16 2020, 7:27 PM

Hi @DNdubane_WMF, could you please coordinate obtaining a comment from your manager approving this request?

Also, looping in @Ottomata for analytics group review/approvals.

herron moved this task from Awaiting User Input to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.Nov 16 2020, 7:57 PM
Ottomata added a comment.Nov 16 2020, 8:24 PM

Approved. Please also make sure DNdubane is in the wmf LDAP group.

herron changed the task status from Open to Stalled.Nov 19 2020, 3:17 PM
Sbodington closed this task as Resolved.Nov 20 2020, 8:30 PM
Sbodington subscribed.

Approved.

Aklapper reopened this task as Stalled.Nov 21 2020, 6:53 AM

@Sbodington: No.

Aklapper added a comment.EditedNov 21 2020, 7:04 AM

@Sbodington: To explain my previous action: The "Approved" comment in T266791#6637698 initially looked like drive-by vandalism to me.
It was made by a self-created account with zero previous on-wiki activity or Phab activity, thus it is impossible to verify who that account actually belongs to.
Now I ran into T266249#6637266 (a comment by @JAnstee_WMF implying that the account @Sbodington might be staff). If the account @Sbodington belongs to WMF staff, then please follow the onboarding guide and use an official WMF account so staff membership could be verified. Thanks a lot.

Dzahn changed the task status from Stalled to Open.Nov 23 2020, 11:23 PM
Dzahn claimed this task.
Dzahn moved this task from Manager/NDA Approval/Confirmation to Ready To Go on the SRE-Access-Requests board.
Dzahn updated the task description. (Show Details)Nov 25 2020, 4:16 PM
gerritbot added a comment.Nov 25 2020, 4:27 PM

Change 643520 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admin: create shell user for Dumisani Ndubane

https://gerrit.wikimedia.org/r/643520

gerritbot added a project: Patch-For-Review.Nov 25 2020, 4:27 PM
gerritbot added a comment.Nov 25 2020, 4:30 PM

Change 643521 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admin: add dumisane to researchers

https://gerrit.wikimedia.org/r/643521

gerritbot added a comment.Nov 25 2020, 6:14 PM

Change 643521 abandoned by Dzahn:
[operations/puppet@production] admin: add dumisane to researchers

Reason:
merged into https://gerrit.wikimedia.org/r/c/operations/puppet/ /643520

https://gerrit.wikimedia.org/r/643521

Dzahn mentioned this in T266249: Requesting access to production shell groups for JAnstee.Nov 25 2020, 6:44 PM
gerritbot added a comment.Nov 25 2020, 8:31 PM

Change 643520 merged by Dzahn:
[operations/puppet@production] admin: shell user for Dumisani Ndubane, add to analytics-privatedata

https://gerrit.wikimedia.org/r/643520

Dzahn reassigned this task from Dzahn to DNdubane_WMF.Nov 25 2020, 8:40 PM

Hi @DNdubane_WMF,

your shell account has been created. See the change above.

I ran puppet (our configuration management system) on 2 hosts, bast1002 and stat1006 to confirm and it created your user.

It is "dumisani" as requested. On all other relevant hosts it will be automatically created within the next 30 min.

You can now setup your access (https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_access) and try it out.

Let us know if you run into problems.

Dzahn closed this task as Resolved.Nov 25 2020, 8:40 PM
Dzahn updated the task description. (Show Details)
Dzahn removed a project: Patch-For-Review.
Stashbot added a comment.Nov 25 2020, 8:43 PM

Mentioned in SAL (#wikimedia-operations) [2020-11-25T20:43:33Z] <mutante> LDAP added user duminasi to group wmf (T266791)

Dzahn added a comment.Nov 25 2020, 8:44 PM
In T266791#6625470, @Ottomata wrote:

Approved. Please also make sure DNdubane is in the wmf LDAP group.

Done

Dzahn added a subscriber: elukey.Nov 25 2020, 8:45 PM

after talking with @elukey about group memberships this turned into "just analytics-privatedata-users" as group memberships. The "researchers" group is deprecated and "wikidev" is automatically added.

[stat1006:~] $ id dumisani
uid=27436(dumisani) gid=500(wikidev) groups=500(wikidev),107(render),731(analytics-privatedata-users)
DNdubane_WMF mentioned this in T271845: Request for Kerberos password.Jan 12 2021, 6:23 PM
DNdubane_WMF reopened this task as Open.Jun 8 2021, 1:17 PM
DNdubane_WMF updated the task description. (Show Details)
DNdubane_WMF added a comment.Jun 8 2021, 1:33 PM

I would like to request an update of my public key chain, as I was experiencing an error when I was trying to connect to the STAT6 machine. We figured that it might be that I forgot my passphrase and password.

I have update the new public key above.

Below was the error I was getting:

ssh -v -N stat6 -L 8880:127.0.0.1:8880

OpenSSH_8.1p1, LibreSSL 2.7.3

debug1: Reading configuration data /users/dumisani/.ssh/config
debug1: /users/dumisani/.ssh/config/config line 7: Applying options for *
debug1: /users/dumisani/.ssh/config/config line 45: Applying options for stat6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh.ssh_config line 47: Applying options for *
debug1: Executing proxy command: exec ssh -a -w stat1006.eqiad.wmnet:22 dumisani@bast4003.wikimedia.org
debug1: identify file /users/dumisani/.ssh/id_ed25519 type 3
debug1: identify file /users/dumisani/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1

Enter passphrase for key '/Users/dumisani/.ssh/id_ed25519':
Password:
Password:
Password:

dumisani@bast4003.wikimedia.org: Permission denied (publickey,keyboard-interactive).
kex_exchange_identification: Connection closed by remote host

I trust that the above is clear and useful in resolving this issue

Best

elukey added a comment.Jun 8 2021, 1:34 PM

I had a chat with @DNdubane_WMF over slack about this issue, and suggested to reopen the task :)

DNdubane_WMF updated the task description. (Show Details)Jun 8 2021, 1:47 PM
gerritbot added a comment.Jun 8 2021, 1:54 PM

Change 698790 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] admin: update dumisani's SSH key

https://gerrit.wikimedia.org/r/698790

gerritbot added a project: Patch-For-Review.Jun 8 2021, 1:54 PM
gerritbot added a comment.Jun 8 2021, 2:00 PM

Change 698790 merged by Volans:

[operations/puppet@production] admin: update dumisani's SSH key

https://gerrit.wikimedia.org/r/698790

Volans subscribed.Jun 8 2021, 2:01 PM

New key merged. The change will be distributed within ~30 minutes from now on all affected hosts.
@DNdubane_WMF Please ensure you can connect after the 30 minutes have passed and feel free to resolve this task if it's all good.

DNdubane_WMF closed this task as Resolved.Jun 8 2021, 2:43 PM

Thank you so much for such express service. I am now able to connect!!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits