Page MenuHomePhabricator
Create Task
Maniphest T268801

Deprecate the 'researchers' posix group
Closed, ResolvedPublic8 Estimated Story Points
Actions

Description

The researchers POSIX group is not needed anymore, people that still need access should be placed either into analytics-users (for simple access) or analytics-privatedata-users (for Hadoop/data/etc.. access).

The only thing that the group grants at the moment, other than stat100x ssh access, is read permissions for /etc/mysql/conf.d/researchers-client.cnf on every stat100x host to query the wiki replicas. The same perms are granted to analytics-privatedata-users and we can argue that accessing the wiki replicas can be considered as private-data access. The name of the group is misleading of course, no member of the Research team (or collaborator) needs it for example :)

These are the current users:

researchers:
  gid: 714
  description: Access statistics hosts and also provides
               access to research mysql credentials.
               If a user is added to this group it should not
               need to be in analytics-users or analytics-privatedata-users.
               In case of doubt, please ask to the Analytics team.
               More info https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups
  members: [catrope, dduvall, mattflaschen, cooltey, marktraceur,
            jhernandez, daisy, etonkovidova, legoktm, risler,
            sbisson, matmarex, nikerabbit, dstrine, jdittrich, debt,
            mlitn, sharvaniharan, kharlan]

I am going to send an email to these users to clean up accounts not needed anymore :)

Details

Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedodimitrijevicT240437 Analytics Ops Technical Debt
 ResolvedelukeyT268801 Deprecate the 'researchers' posix group

Event Timeline

elukey created this task.Nov 26 2020, 7:00 AM
elukey updated the task description. (Show Details)Nov 26 2020, 7:07 AM
gerritbot added a comment.Nov 26 2020, 7:34 AM

Change 643674 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: add comment about the 'researchers' group

https://gerrit.wikimedia.org/r/643674

gerritbot added a project: Patch-For-Review.Nov 26 2020, 7:34 AM
Nikerabbit subscribed.Nov 26 2020, 7:54 AM

I don't really know which one (if any) I should be in. IIRC I was added there for eventlogging access, which I still occasionally use.

elukey added a comment.Nov 26 2020, 8:03 AM
In T268801#6650551, @Nikerabbit wrote:

I don't really know which one (if any) I should be in. IIRC I was added there for eventlogging access, which I still occasionally use.

Hi @Nikerabbit! Thanks for answering. So eventlogging's data is not pushed anymore to DBs, we deprecated that feature, everything in on Hadoop/Hive currently. Hive provides a SQL-like cli to access Eventlogging's tables, so it is similar to a mysql client, if you are interested I can follow up with you to show how things work, but I'll need to move your account first to analytics-privatedata-users :)

gerritbot added a comment.Nov 26 2020, 9:31 AM

Change 643674 merged by Elukey:
[operations/puppet@production] admin: add comment about the 'researchers' group

https://gerrit.wikimedia.org/r/643674

Maintenance_bot removed a project: Patch-For-Review.Nov 26 2020, 10:10 AM
SBisson subscribed.Nov 27 2020, 2:38 PM

I think I was added to analytics-privatedata-users recently to work on an Oozie job so I should be fine.

gerritbot added a comment.Nov 27 2020, 2:52 PM

Change 643943 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove sbisson from 'researchers'

https://gerrit.wikimedia.org/r/643943

gerritbot added a project: Patch-For-Review.Nov 27 2020, 2:52 PM
elukey added a comment.Nov 27 2020, 2:53 PM
In T268801#6652970, @SBisson wrote:

I think I was added to analytics-privatedata-users recently to work on an Oozie job so I should be fine.

Definitely, thanks a lot for the feedback!

gerritbot added a comment.Nov 27 2020, 3:06 PM

Change 643943 merged by Elukey:
[operations/puppet@production] admin: remove sbisson from 'researchers'

https://gerrit.wikimedia.org/r/643943

Maintenance_bot removed a project: Patch-For-Review.Nov 27 2020, 3:10 PM
gerritbot added a comment.Nov 30 2020, 9:36 AM

Change 644181 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove user nikerabbit from 'researchers'

https://gerrit.wikimedia.org/r/644181

gerritbot added a project: Patch-For-Review.Nov 30 2020, 9:36 AM

Change 644181 merged by Elukey:
[operations/puppet@production] admin: remove user nikerabbit from 'researchers'

https://gerrit.wikimedia.org/r/644181

Maintenance_bot removed a project: Patch-For-Review.Nov 30 2020, 10:10 AM
Ottomata added a comment.Nov 30 2020, 2:05 PM

Thanks Luca!

elukey added subscribers: Sharvaniharan, cooltey, debt and 9 others.Dec 3 2020, 5:57 PM

Pinging people in here too: @Catrope @dduvall @cooltey @MarkTraceur @Jhernandez @dchen @Etonkovidova @Legoktm @matmarex @DStrine @debt @Sharvaniharan

Email sent:

Hi!
If you are receiving this email it means that your shell username is listed in operations/sre puppet among the ones in the 'researchers' POSIX group. We (as Analytics team) are trying to deprecate it since nowadays it has been superseded by two other groups:

  • analytics-users: grants access to the stat100x hosts but no PII data access (no mysql access to wiki replicas or Hadoop etc..).
  • analytics-privatedata-users: grants access to the stat100x hosts, together with mysql access to wiki replicas and Hadoop (the latter requires an extra Kerberos account).

    The main usage of the researchers group has been, as far as I know, mostly for the read access to /etc/mysql/conf.d/research-client.cnf, containing credentials for the Analytics Mariadb Wiki replicas. The same access (different file but same account in it) can be obtained via 'analytics-privatedata-users', so I'd ask to comment in the task if that access is still needed (and in case, if there are reasons blocking you from moving to analytics-privatedata-users) or not (and in case, I'll remove your user from the group).
DStrine added a comment.Dec 3 2020, 6:17 PM

I'm not sure what this is but I'm pretty sure I don't use this. thanks for the ping.

gerritbot added a comment.Dec 4 2020, 7:34 AM

Change 645275 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove access for user dstrine

https://gerrit.wikimedia.org/r/645275

gerritbot added a project: Patch-For-Review.Dec 4 2020, 7:34 AM
elukey added a comment.EditedDec 4 2020, 7:35 AM
In T268801#6667391, @DStrine wrote:

I'm not sure what this is but I'm pretty sure I don't use this. thanks for the ping.

Thanks @DStrine! Since this group is the only one in which you are in, I filed a change to remove your user from the ones allowed to ssh to the stat100x hosts (https://gerrit.wikimedia.org/r/645275). Let me know if I misunderstood and you need to access the stat100x hosts.

Follow up questions: Do you use Turnilo/Superset/Logstash/etc..?

Jhernandez added a comment.Dec 4 2020, 12:55 PM

I've used it in the past for Hadoop/Hive queries I believe, but it has been some time since I've need it. I'd prefer to be removed, and if/when I need it I'll ask for the appropriate role to your team 👍

elukey added a comment.Dec 4 2020, 1:57 PM
In T268801#6669131, @Jhernandez wrote:

I've used it in the past for Hadoop/Hive queries I believe, but it has been some time since I've need it. I'd prefer to be removed, and if/when I need it I'll ask for the appropriate role to your team 👍

Thanks for the feedback! I see that you are in the WMF LDAP group, do you use turnilo/superset/etc..?

Jhernandez added a comment.Dec 5 2020, 4:00 PM

@elukey Yes, I did use them more frequently, and now I do only occasionally.

elukey added a comment.Dec 5 2020, 4:18 PM
In T268801#6671055, @Jhernandez wrote:

@elukey Yes, I did use them more frequently, and now I do only occasionally.

Perfect, this info is needed to update your records in the SRE puppet configs. Just as FYI, some superset dashboards might need to be in analytics-privatedata-users so follow up with us in the future if you have problems!

Ottomata edited projects, added Analytics-Clusters; removed Analytics.Dec 7 2020, 4:28 PM
Ottomata moved this task from Backlog to Q1 2021/2022 on the Analytics-Clusters board.Dec 7 2020, 4:31 PM
Legoktm added a comment.Dec 10 2020, 6:24 PM

I don't need any analytics access anymore.

gerritbot added a comment.Dec 11 2020, 7:52 AM

Change 648112 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove user legoktm from 'researchers'

https://gerrit.wikimedia.org/r/648112

gerritbot added a comment.Dec 11 2020, 7:52 AM

Change 648112 merged by Elukey:
[operations/puppet@production] admin: remove user legoktm from 'researchers'

https://gerrit.wikimedia.org/r/648112

Ottomata assigned this task to elukey.Dec 14 2020, 4:20 PM
Ottomata moved this task from Next Up to In Progress on the Analytics-Kanban board.Dec 14 2020, 4:23 PM
Ottomata moved this task from Q1 2021/2022 to Q3 2020/2021 on the Analytics-Clusters board.Dec 14 2020, 4:38 PM
elukey added a comment.Dec 16 2020, 10:46 AM

Just sent another email as heads up. I added Monday 21st as deadline, if I don't hear anything from people I'll proceed with the removal of the username from the researchers group. It will be possible to get added to analytics-privatedata-users in case needed :)

gerritbot added a comment.Dec 18 2020, 6:16 PM

Change 645275 merged by Elukey:
[operations/puppet@production] admin: remove access for user dstrine

https://gerrit.wikimedia.org/r/645275

Maintenance_bot removed a project: Patch-For-Review.Dec 18 2020, 7:10 PM
matmarex added a comment.Dec 18 2020, 8:16 PM

I still need access, please move me to 'analytics-privatedata-users'.

kostajh subscribed.Jan 4 2021, 10:27 AM

@elukey I still need access for the Add-Link project. (Sorry for missing the deadline!)

elukey added a comment.Jan 4 2021, 2:31 PM
In T268801#6718886, @kostajh wrote:

@elukey I still need access for the Add-Link project. (Sorry for missing the deadline!)

No problem at all, I haven't removed the group yet! Just to understand your use case, how do you use the analytics tools? Do you ssh to stat100x? If so, it is only to check for eventlogging mysql data? I am asking since the eventlogging mysql database has been deprecated/removed long time ago, we are now offering superset.wikimedia.org's sqllab as replacement (see https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset#SQL_Lab for some info). If you don't need to ssh to stat100x hosts for other use cases (like hive/spark/etc..) we offer the possibility to be in the analytics-privatedata-users group to access PII data but only from our UIs (so without then need of a ssh key etc..). Let me know :)

kostajh added subscribers: MGerlach, Tgr.Jan 4 2021, 2:35 PM
In T268801#6719357, @elukey wrote:
In T268801#6718886, @kostajh wrote:

@elukey I still need access for the Add-Link project. (Sorry for missing the deadline!)

No problem at all, I haven't removed the group yet! Just to understand your use case, how do you use the analytics tools? Do you ssh to stat100x? If so, it is only to check for eventlogging mysql data? I am asking since the eventlogging mysql database has been deprecated/removed long time ago, we are now offering superset.wikimedia.org's sqllab as replacement (see https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset#SQL_Lab for some info). If you don't need to ssh to stat100x hosts for other use cases (like hive/spark/etc..) we offer the possibility to be in the analytics-privatedata-users group to access PII data but only from our UIs (so without then need of a ssh key etc..). Let me know :)

Yes I access via SSH, and I need access to hive/spark/etc for a specific use case. For the Add-Link project we have a script (run-pipeline.sh) that accesses those services to generate datasets (SQLite and MySQL table files), and I along with @Tgr and @MGerlach need to be able to run that script.

elukey added a comment.Jan 4 2021, 2:39 PM
In T268801#6719402, @kostajh wrote:
In T268801#6719357, @elukey wrote:
In T268801#6718886, @kostajh wrote:

@elukey I still need access for the Add-Link project. (Sorry for missing the deadline!)

No problem at all, I haven't removed the group yet! Just to understand your use case, how do you use the analytics tools? Do you ssh to stat100x? If so, it is only to check for eventlogging mysql data? I am asking since the eventlogging mysql database has been deprecated/removed long time ago, we are now offering superset.wikimedia.org's sqllab as replacement (see https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset#SQL_Lab for some info). If you don't need to ssh to stat100x hosts for other use cases (like hive/spark/etc..) we offer the possibility to be in the analytics-privatedata-users group to access PII data but only from our UIs (so without then need of a ssh key etc..). Let me know :)

Yes I access via SSH, and I need access to hive/spark/etc for a specific use case. For the Add-Link project we have a script (run-pipeline.sh) that accesses those services to generate datasets (SQLite and MySQL table files), and I along with @Tgr and @MGerlach need to be able to run that script.

Super thanks for explaining! We have set up months ago Kerberos auth (see https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide), if you need to use spark/hive/hadoop etc.. you'll also need to request a Kerberos user/principal.

gerritbot added a comment.Jan 4 2021, 2:41 PM

Change 654258 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: move user matmarex from 'researchers' to 'analytics-privatedata-users'

https://gerrit.wikimedia.org/r/654258

gerritbot added a project: Patch-For-Review.Jan 4 2021, 2:41 PM
gerritbot added a comment.Jan 4 2021, 2:47 PM

Change 654259 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove ssh access to jherndandez

https://gerrit.wikimedia.org/r/654259

gerritbot added a comment.Jan 4 2021, 4:26 PM

Change 654258 merged by Elukey:
[operations/puppet@production] admin: move user matmarex from 'researchers' to 'analytics-privatedata-users'

https://gerrit.wikimedia.org/r/654258

gerritbot added a comment.Jan 4 2021, 4:28 PM

Change 654259 merged by Elukey:
[operations/puppet@production] admin: remove ssh access to jherndandez

https://gerrit.wikimedia.org/r/654259

Maintenance_bot removed a project: Patch-For-Review.Jan 4 2021, 5:10 PM
gerritbot added a comment.Jan 4 2021, 5:21 PM

Change 654277 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: remove members of 'reseachers' already in other posix groups

https://gerrit.wikimedia.org/r/654277

gerritbot added a project: Patch-For-Review.Jan 4 2021, 5:21 PM
gerritbot added a comment.Jan 5 2021, 11:39 AM

Change 654277 merged by Elukey:
[operations/puppet@production] admin: remove members of 'reseachers' already in other posix groups

https://gerrit.wikimedia.org/r/654277

Maintenance_bot removed a project: Patch-For-Review.Jan 5 2021, 12:10 PM
gerritbot added a comment.Jan 7 2021, 2:54 PM

Change 654871 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: move user kharlan from 'researchers' to 'analytics-privatedata-users'

https://gerrit.wikimedia.org/r/654871

gerritbot added a project: Patch-For-Review.Jan 7 2021, 2:54 PM
gerritbot added a comment.Jan 7 2021, 3:03 PM

Change 654873 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: set user mattflaschen in ldap_only

https://gerrit.wikimedia.org/r/654873

gerritbot added a comment.Jan 7 2021, 3:07 PM

Change 654874 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: set user 'daisy' in ldap_only

https://gerrit.wikimedia.org/r/654874

gerritbot added a comment.Jan 7 2021, 3:11 PM

Change 654877 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: set user 'etonkovidova' to ldap_only

https://gerrit.wikimedia.org/r/654877

gerritbot added a comment.Jan 7 2021, 3:16 PM

Change 654880 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: set user 'risler' to ldap_only

https://gerrit.wikimedia.org/r/654880

gerritbot added a comment.Jan 7 2021, 3:19 PM

Change 654882 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: absent user 'jdittrich'

https://gerrit.wikimedia.org/r/654882

gerritbot added a comment.Jan 7 2021, 3:23 PM

Change 654884 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] admin: set user 'debt' to ldap_only

https://gerrit.wikimedia.org/r/654884

gerritbot added a comment.Jan 7 2021, 3:36 PM

Change 654871 merged by Elukey:
[operations/puppet@production] admin: move user kharlan from 'researchers' to 'analytics-privatedata-users'

https://gerrit.wikimedia.org/r/654871

gerritbot added a comment.Jan 7 2021, 3:37 PM

Change 654873 merged by Elukey:
[operations/puppet@production] admin: set user mattflaschen in ldap_only

https://gerrit.wikimedia.org/r/654873

gerritbot added a comment.Jan 7 2021, 3:38 PM

Change 654874 merged by Elukey:
[operations/puppet@production] admin: set user 'daisy' in ldap_only

https://gerrit.wikimedia.org/r/654874

gerritbot added a comment.Jan 7 2021, 3:40 PM

Change 654877 merged by Elukey:
[operations/puppet@production] admin: set user 'etonkovidova' to ldap_only

https://gerrit.wikimedia.org/r/654877

gerritbot added a comment.Jan 7 2021, 3:41 PM

Change 654880 merged by Elukey:
[operations/puppet@production] admin: set user 'risler' to ldap_only

https://gerrit.wikimedia.org/r/654880

gerritbot added a comment.Jan 7 2021, 3:42 PM

Change 654882 merged by Elukey:
[operations/puppet@production] admin: absent user 'jdittrich'

https://gerrit.wikimedia.org/r/654882

gerritbot added a comment.Jan 7 2021, 3:44 PM

Change 654884 merged by Elukey:
[operations/puppet@production] admin: set user 'debt' to ldap_only

https://gerrit.wikimedia.org/r/654884

gerritbot added a comment.Jan 7 2021, 3:59 PM

Change 654892 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Remove 'reseachers' and 'gpu-testers' posix group from Analytics cfgs

https://gerrit.wikimedia.org/r/654892

gerritbot added a comment.Jan 7 2021, 4:22 PM

Change 654892 merged by Elukey:
[operations/puppet@production] Remove 'reseachers' and 'gpu-testers' posix group from Analytics cfgs

https://gerrit.wikimedia.org/r/654892

elukey triaged this task as Medium priority.Jan 7 2021, 4:34 PM
elukey set the point value for this task to 8.
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
elukey moved this task from Q3 2020/2021 to Done on the Analytics-Clusters board.
kostajh mentioned this in T271467: Kerberos principal for kharlan.Jan 7 2021, 9:05 PM
fdans closed this task as Resolved.Jan 25 2021, 7:01 PM
JMeybohm mentioned this in T303032: Requesting access to analytics-privatedata-users for ShubhankarP.Mar 4 2022, 1:21 PM
JMeybohm mentioned this in T303031: Requesting access to analytics-privatedata-users for Dale_Zhou.
BTullis mentioned this in T328116: Create kerberos principal for user matmarex.Jan 27 2023, 10:17 AM
Maintenance_bot removed a project: Patch-For-Review.Jan 27 2023, 10:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL