
LDAP access to the wmf group for Mike Pham
Closed, ResolvedPublic

Description

hi! I am requesting access to Superset by being added to the WMF LDAP group.

I am the product manager on the Search team. I believe I heard that my wikitech username is the one needed, but the following are the various WMF user names I have at the moment just in case:

  • mediawiki: MPham (WMF)
  • wikitech: Mike Pham
  • phabricator: MPhamWMF

ops_access_request_checklist

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet and is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access and not shared with any other service (this includes not sharing it with WMCS access; no shared keys).
  • Access request (or expansion) has sign-off from the WMF sponsor/manager (sponsor for volunteers, manager for WMF/WMDE staff). If the permissions also give access to restricted data, then the data owner must also approve the request.
  • Patchset for access request

Event Timeline

Restricted Application added a subscriber: Aklapper.
RLazarus triaged this task as Medium priority.

Change 650272 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/puppet@production] admin: Add mttp to admin_only_users

https://gerrit.wikimedia.org/r/650272

Change 650272 merged by RLazarus:
[operations/puppet@production] admin: Add mttp to ldap_only_users

https://gerrit.wikimedia.org/r/650272

Hi @MPhamWMF, welcome to the Foundation! Your wikitech username was indeed the right one (thanks!) and delightfully I used it to pull up your shell uid "mttp", just to complete the set. ;)

rzl@mwmaint1002:~$ ldapsearch -x cn=wmf | grep mttp
member: uid=mttp,ou=people,dc=wikimedia,dc=org

You should be all set in the wmf LDAP group, feel free to reopen if you have any trouble.
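The membership check above pipes ldapsearch output through grep, which matches any DN containing the substring (a uid such as "mttpx" would also match). The following is an added example, not code from the task or from Wikimedia SRE, that parses the LDIF that ldapsearch prints (including folded continuation lines and base64 "::" values) and tests the uid RDN of each member exactly. The sample LDIF is constructed; the group name, the `ou=people` DN layout and the optional `run_ldapsearch` helper are assumptions.

```python
"""Exact LDAP group-membership check by parsing ldapsearch LDIF output.

Added example, not from the task. The LDIF below is a constructed sample
that imitates what `ldapsearch -x -LLL cn=wmf` might print; no real data.
"""
import base64
import subprocess
from typing import Dict, List

# Constructed sample: one groupOfNames entry with a folded line and a
# base64-encoded member value, both of which a naive grep would mishandle.
SAMPLE_LDIF = """\
dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
objectClass: groupOfNames
cn: wmf
member: uid=alice,ou=people,dc=wikimedia,dc=org
member: uid=mttp,ou=people,dc=wikimedia,
 dc=org
member:: dWlkPWJvYixvdT1wZW9wbGUsZGM9d2lraW1lZGlhLGRjPW9yZw==

"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of entries (attribute -> list of values).

    Folded lines (a leading space) are joined to the previous line and
    `attr:: value` lines are base64-decoded, as the LDIF format requires.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def member_uids(entries: List[Dict[str, List[str]]], group_cn: str) -> List[str]:
    """Return the uid of every member DN of the entry whose cn is group_cn."""
    for entry in entries:
        if group_cn in entry.get("cn", []):
            uids = []
            for dn in entry.get("member", []):
                first_rdn = dn.split(",", 1)[0]          # e.g. "uid=mttp"
                key, _, val = first_rdn.partition("=")
                if key.strip().lower() == "uid":
                    uids.append(val.strip())
            return uids
    return []


def is_member(ldif_text: str, group_cn: str, uid: str) -> bool:
    """True only if uid is exactly the uid RDN of some member of the group."""
    return uid in member_uids(parse_ldif(ldif_text), group_cn)


def run_ldapsearch(group_cn: str) -> str:
    """Assumed helper: fetch the group entry from the directory (needs a live LDAP)."""
    proc = subprocess.run(["ldapsearch", "-x", "-LLL", f"cn={group_cn}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print(is_member(SAMPLE_LDIF, "wmf", "mttp"))   # True
    print(is_member(SAMPLE_LDIF, "wmf", "mtt"))    # False: grep would have said yes
```

Against a real directory, replace `SAMPLE_LDIF` with `run_ldapsearch("wmf")`; the exact-RDN comparison is what makes the check usable as an audit assertion rather than a quick eyeball.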

Hello!

@MPhamWMF will also need a posix account in the analytics-privatedata-users group to access some Superset dashboards (those based on Presto instead of Druid).

https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Generic_data_access_%28can_go_together_with_the_Team_specific_ones%29%3A

Also...I approve this access! :)

( P.S. o/ );

RLazarus added a subscriber: JKatzWMF.

Why, I'd swear that wasn't there yesterday...

I mean, can do! In that case, in addition to Analytics approval (thanks @Ottomata for saving the roundtrip) I'll just need a quick stamp from @MPhamWMF's manager as well.

@JKatzWMF Can you approve adding @MPhamWMF to analytics-privatedata-users as above?

Change 650298 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/puppet@production] admin: Add mttp to analytics-privatedata-users, but with no SSH.

https://gerrit.wikimedia.org/r/650298

Awesome. Just tried it and it worked. Thanks everyone!

Great! Pardon a brief delay in getting you set up with the additional access @Ottomata mentioned -- you're the guinea pig for a new arrangement, so I'd like to get some feedback from European-time-zone colleagues on how to implement it, and we should be able to get it committed tomorrow.

@RLazarus reporting a question from IRC: do we need to have L3 or something similar to be signed?

L3 is all about shell access, so I'm not sure they would need to sign that; however, if they have access to PPI information they will also need to sign an NDA.
Sorry, missed that this was staff, so NDA should be considered complete as well.

I agree with John -- rereading it, I don't see anything that's relevant without shell access. (Except maybe the section about sensitive data... but that's already covered by the NDA.) I think we should leave it out, but I wouldn't argue with anyone who wants it to be signed. Long run, if we intend to set up more users in this "group membership without ssh access" situation and we do want to require something like L3, we should come up with a shorter agreement without the ssh parts, to use in this case.

Change 650298 merged by RLazarus:
[operations/puppet@production] admin: Add mttp to analytics-privatedata-users, but with no SSH.

https://gerrit.wikimedia.org/r/650298

@MPhamWMF You're all set! After we discussed a bit more, consensus is that you don't need to sign L3. It may take up to 30 minutes for the change to roll out everywhere.

Please do, however, carefully read wt:Analytics/Data_access#User_responsibilities as you now have access to sensitive personal information, as does anyone who compromises your account. Feel free to reach out to SRE or Analytics if you have any questions about what that means, or if you have any problems with your access.
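The thread settles two rules for the "group membership without SSH access" arrangement: L3 is tied to shell access, while the NDA is what covers membership in a group that exposes sensitive data. As an added example (not code from the task and not the operations/puppet admin module; the data layout is constructed and is not the real admin data schema), here is a policy-as-code check that encodes those rules so that a review of access data can flag a user who acquires an SSH key without L3, an LDAP-only user who somehow carries a key, or a sensitive-data group member with no NDA or no user entry.

```python
"""Policy check for 'group membership without SSH' access data.

Added example. USERS/GROUPS/LDAP_ONLY_USERS are a constructed, assumed
layout for illustration, not the admin module's real data format.
"""
from typing import Dict, List, Set

# Constructed sample data (assumed layout).
USERS: Dict[str, dict] = {
    "alice":   {"ssh_keys": ["ssh-ed25519 AAAA...alice"],   "signed_l3": True,  "nda": True},
    "mttp":    {"ssh_keys": [],                             "signed_l3": False, "nda": True},
    "mallory": {"ssh_keys": ["ssh-ed25519 AAAA...mallory"], "signed_l3": False, "nda": True},
}
GROUPS: Dict[str, dict] = {
    "analytics-privatedata-users": {"members": ["alice", "mttp", "mallory", "ghost"],
                                    "sensitive_data": True},
    "wmf":                         {"members": ["alice", "mttp"],
                                    "sensitive_data": False},
}
# Users granted POSIX/LDAP group membership only, with no shell access.
LDAP_ONLY_USERS: Set[str] = {"mttp"}


def check_access_policy(users: Dict[str, dict], groups: Dict[str, dict],
                        ldap_only_users: Set[str]) -> List[str]:
    """Return a sorted list of policy findings; an empty list means compliant."""
    findings: List[str] = []

    # Rule 1: an LDAP-only user must exist and must never carry SSH keys.
    for name in sorted(ldap_only_users):
        if name not in users:
            findings.append(f"{name}: listed as ldap-only but has no user entry")
        elif users[name]["ssh_keys"]:
            findings.append(f"{name}: ldap-only user must not carry SSH keys")

    # Rule 2: SSH keys imply shell access, which requires a signed L3.
    for name, user in users.items():
        if user["ssh_keys"] and not user["signed_l3"]:
            findings.append(f"{name}: has SSH keys but L3 not signed")

    # Rule 3: every member of a group must be a known user, and members of a
    # sensitive-data group must have an NDA on file regardless of SSH access.
    for gname, group in groups.items():
        for member in group["members"]:
            if member not in users:
                findings.append(f"{gname}: member {member} has no user entry")
            elif group["sensitive_data"] and not users[member]["nda"]:
                findings.append(f"{gname}: member {member} has no NDA on file")

    return sorted(findings)


if __name__ == "__main__":
    for finding in check_access_policy(USERS, GROUPS, LDAP_ONLY_USERS):
        print(finding)
```

Run as a pre-merge check on whatever file holds the access data, the finding for "mallory" is the case the thread wants to prevent (a key granted without the shell-access agreement), while "mttp" passes precisely because the no-SSH arrangement needs only the NDA.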