Page MenuHomePhabricator

Requesting access to production shell groups for DNdubane
Closed, ResolvedPublic

Description

  • Wikitech username: DNdubane
  • Preferred shell username: dumisani
  • Email address: dndubane@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjJGjEU/bTRc57QXmiXIvA6ru0xYEgmgFoExwLCpXzP dumisani@MacBook-Pro.local
  • Requested group membership:
wikidev, analytics-privatedata-users, and researchers (and wmf or nda groups, if not already)
  • Reason for access: Data access for the Global Data & Insights team
  • Name of approving party (hiring manager for WMF staff): Sumeet Bodington
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party. Note: Our new Director, Sumeet Boddington, begins Monday Oct. 26th, currently the team is being overseen by our department chief, Janeen Uzzell.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - non-staff requests: 3 business day wait must pass with no objections being noted on the task
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Oct 30 2020, 11:07 AM
ema added a subscriber: ema.

I couldn't find @DNdubane_WMF's signature on L3, task description updated accordingly.

@DNdubane_WMF going through the list, we will need your manager's approval, thank you!

Hi @DNdubane_WMF, could you please coordinate obtaining a comment from your manager approving this request?

Also, looping in @Ottomata for analytics group review/approvals.

Approved. Please also make sure DNdubane is in the wmf LDAP group.

herron changed the task status from Open to Stalled.Nov 19 2020, 3:17 PM

@Sbodington: To explain my previous action: The "Approved" comment in T266791#6637698 initially looked like drive-by vandalism to me.
It was made by a self-created account with zero previous on-wiki activity or Phab activity, thus it is impossible to verify who that account actually belongs to.
Now I ran into T266249#6637266 (a comment by @JAnstee_WMF implying that the account @Sbodington might be staff). If the account @Sbodington belongs to WMF staff, then please follow the onboarding guide and use an official WMF account so staff membership could be verified. Thanks a lot.

Dzahn changed the task status from Stalled to Open.Nov 23 2020, 11:23 PM
Dzahn claimed this task.

Change 643520 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admin: create shell user for Dumisani Ndubane

https://gerrit.wikimedia.org/r/643520

Change 643521 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admin: add dumisane to researchers

https://gerrit.wikimedia.org/r/643521

Change 643521 abandoned by Dzahn:
[operations/puppet@production] admin: add dumisane to researchers

Reason:
merged into https://gerrit.wikimedia.org/r/c/operations/puppet/ /643520

https://gerrit.wikimedia.org/r/643521

Change 643520 merged by Dzahn:
[operations/puppet@production] admin: shell user for Dumisani Ndubane, add to analytics-privatedata

https://gerrit.wikimedia.org/r/643520

Hi @DNdubane_WMF,

your shell account has been created. See the change above.

I ran puppet (our configuration management system) on 2 hosts, bast1002 and stat1006 to confirm and it created your user.

It is "dumisani" as requested. On all other relevant hosts it will be automatically created within the next 30 min.

You can now setup your access (https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_access) and try it out.

Let us know if you run into problems.

Dzahn updated the task description. (Show Details)
Dzahn removed a project: Patch-For-Review.

Mentioned in SAL (#wikimedia-operations) [2020-11-25T20:43:33Z] <mutante> LDAP added user duminasi to group wmf (T266791)

Approved. Please also make sure DNdubane is in the wmf LDAP group.

Done

after talking with @elukey about group memberships this turned into "just analytics-privatedata-users" as group memberships. The "researchers" group is deprecated and "wikidev" is automatically added.

[stat1006:~] $ id dumisani
uid=27436(dumisani) gid=500(wikidev) groups=500(wikidev),107(render),731(analytics-privatedata-users)
DNdubane_WMF updated the task description. (Show Details)

I would like to request an update of my public key chain, as I was experiencing an error when I was trying to connect to the STAT6 machine. We figured that it might be that I forgot my passphrase and password.

I have update the new public key above.

Below was the error I was getting:

ssh -v -N stat6 -L 8880:127.0.0.1:8880

OpenSSH_8.1p1, LibreSSL 2.7.3

debug1: Reading configuration data /users/dumisani/.ssh/config
debug1: /users/dumisani/.ssh/config/config line 7: Applying options for *
debug1: /users/dumisani/.ssh/config/config line 45: Applying options for stat6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh.ssh_config line 47: Applying options for *
debug1: Executing proxy command: exec ssh -a -w stat1006.eqiad.wmnet:22 dumisani@bast4003.wikimedia.org
debug1: identify file /users/dumisani/.ssh/id_ed25519 type 3
debug1: identify file /users/dumisani/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1

Enter passphrase for key '/Users/dumisani/.ssh/id_ed25519':
Password:
Password:
Password:

dumisani@bast4003.wikimedia.org: Permission denied (publickey,keyboard-interactive).
kex_exchange_identification: Connection closed by remote host

I trust that the above is clear and useful in resolving this issue

Best

I had a chat with @DNdubane_WMF over slack about this issue, and suggested to reopen the task :)

Change 698790 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] admin: update dumisani's SSH key

https://gerrit.wikimedia.org/r/698790

Change 698790 merged by Volans:

[operations/puppet@production] admin: update dumisani's SSH key

https://gerrit.wikimedia.org/r/698790

New key merged. The change will be distributed within ~30 minutes from now on all affected hosts.
@DNdubane_WMF Please ensure you can connect after the 30 minutes have passed and feel free to resolve this task if it's all good.

Thank you so much for such express service. I am now able to connect!!