Page MenuHomePhabricator
Create Task
Maniphest T271362

dumps::web::fetches::stats job should use a user to pull from HDFS that exists in Hadoop cluster
Closed, ResolvedPublic
Actions

Description

In {T270629} we changed the default HDFS umask so that newly written files are not world readable. This caused the hdfs-rsync jobs declared in dumps::web::fetches::stats to fail. Those jobs are currently run as the dumpsgen user, which does not exist on the HDFS namenode. Since the files are not world readable, the user must exist on the namenode and belong to a posix group there that has permissions to read the files.

Related Objects
Search...

Event Timeline

Ottomata created this task.Jan 6 2021, 8:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 6 2021, 8:29 PM
Ottomata triaged this task as High priority.Jan 6 2021, 8:29 PM
ArielGlenn added a subscriber: Bstorm.Jan 7 2021, 7:01 AM

I'd like that not to be root; what are our choices? Looping in @Bstorm who will have thoughts on this I am sure, since those are WMCS boxes doing the fetches.

elukey added a comment.Jan 7 2021, 7:24 AM

I'll try to follow up on this today, we tightened up the file permission settings on hdfs and some use cases like this one popped up. The alternative are two (keeping dumpsgen):

  1. add dumpsgen to analytics-privatedata-users, to be able to read the files.
  2. modify permissions/umask for the specific datasets that are public so that other (and dumpsgen) can read them.

I really prefer 2) since it is also better in the context of containing security breaches on WMCS nodes exposed to the internet, but it needs a little bit of work :) Will update the task once done!

ArielGlenn added a comment.Jan 7 2021, 9:25 AM

Sounds good to me!

Bstorm added a comment.Jan 7 2021, 2:57 PM

Sounds sensible.

Hydriz mentioned this in T271511: Mediacounts dumps missing since January 4, 2021.Jan 8 2021, 8:51 AM
elukey added a comment.Jan 8 2021, 8:13 PM

We are in the process of fixing permissions for files, and restart the rsync jobs that pull data from HDFS to the labstore nodes (serving dumps.wikimedia.org). The job is expected to take more or less the weekend, so sorry for the inconvenience to every consumer. We'll update the task as soon as we have more news to share.

RhinosF1 subscribed.Jan 8 2021, 9:48 PM
elukey added a parent task: Restricted Task.Jan 9 2021, 8:18 AM
Restricted Application added a subscriber: Universal_Omega. · View Herald TranscriptJan 9 2021, 8:18 AM
ArielGlenn mentioned this in T271561: dumps.wikimedia.org/other/pageviews/ appears to be stalled at 20210106-140000 .Jan 9 2021, 9:57 AM
ArielGlenn mentioned this in T271521: Hourly pageviews stop working after the last pageviews-20210106-140000.gz.
elukey added a comment.Jan 9 2021, 11:14 AM

There is still a problem with permissions on labstore nodes, so users get a HTTP 403 when trying to download files, as outlined in T271616. We are trying to fix this issue asap.

elukey added a comment.Jan 10 2021, 4:22 PM

The issue should be fixed, please let us know if something is not working :)

elukey lowered the priority of this task from High to Medium.Jan 11 2021, 8:30 AM

@Ottomata the remaining step to do would be to address the issue that you outlined in the task description, namely adding dumspgen to the namenode, but in theory it is not really mandatory with the fix the Joseph did during the past days (adding back other perms). Let me know if we can move on or if you prefer to add the user :)

Universal_Omega unsubscribed.Jan 11 2021, 9:42 AM
Ottomata added a comment.Jan 11 2021, 2:31 PM

I think adding back readable perms to public datasets is a better solution. I think this is done!

fdans closed this task as Resolved.Jan 11 2021, 4:53 PM
fdans claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits