Page MenuHomePhabricator

Hue access for Peter Pelberg
Closed, ResolvedPublic

Description

Per https://www.mediawiki.org/wiki/Product_Analytics/Onboarding#SSH_Keys,_Stat_machines,_Notebooks,_HUE,_Datagrip,_Groups and https://wikitech.wikimedia.org/wiki/Production_access#Filing_the_request, I, Peter Pelberg [i][ii], am filing this request in order to [ideally] gain access to Hue. [iii]

Note: if there is a better process to follow to gain access to Hue, please let me know.

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: PPelberg
  • Preferred shell username: ppel
  • Email address: ppelberg@wikimedia.org
  • Requested group membership: analytics-privatedata-users
  • Reason for access: In my capacity as the Product Manager for the Editing-team, I would like to be able to write and run queries to understand how people are using the tools [iv][v] we build and maintain.
  • Name of approving party (hiring manager for WMF staff): @DannyH
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: DONE
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - Patchset for access request - https://gerrit.wikimedia.org/r/c/operations/puppet/+/658992

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access


i. Wikitech username: PPelberg
ii. Superset username: ppel
iii. https://hue.wikimedia.org/accounts/login/
iv. https://www.mediawiki.org/wiki/Extension:DiscussionTools
v. https://www.mediawiki.org/wiki/Extension:VisualEditor

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Joe triaged this task as Medium priority.Jan 11 2021, 7:14 AM
Joe updated the task description. (Show Details)

While we wait for the manager approval, I will loop in @Ottomata for analytics approval. @ppelberg please provide the *public* ssh key you generated specifically for accessing production services, so that we can grant you access ASAP when the approvals are in place.

@ppelberg Hi! Are you planning to ssh to stat100x hosts to explore data via cli tools like hive/presto/etc.. or are you looking for a way to explore data via a UI? If so we have a new Analytics access scheme that avoids the ssh configs and focuses only on UI tools. We also offer a tool called Superset, with its sqllab, that should be way better than Hue.

See https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

In order to access to the UIs we'll need to put the username into either wmf or nda LDAP group as well (writing it down in here as note for SRE).

@ppelberg Hi! Are you planning to ssh to stat100x hosts to explore data via cli tools like hive/presto/etc.. or are you looking for a way to explore data via a UI? If so we have a new Analytics access scheme that avoids the ssh configs and focuses only on UI tools. We also offer a tool called Superset, with its sqllab, that should be way better than Hue.

See https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

In order to access to the UIs we'll need to put the username into either wmf or nda LDAP group as well (writing it down in here as note for SRE).

Given Peter is an employee, I guess wmf :)

Approved for LDAP and ssh if needed too. @ppelberg +1 to what Luca said, Superset's SQL Lab will probably be what you are looking for.

jcrespo added a subscriber: jcrespo.

@ppelberg This is blocked only on providing additional information requested by @Joe and @elukey above.

We would also need @DannyH to sign off the request, as to the best of my understanding, this is not a team's "standarized request".

@ppelberg, this ticket needs to be done before you can access data via Presto.

You don't need ssh access, but you do need to be in the analytics-privatedata-users group, which requires the same approvals. You are going for 'analytics-privatedata-users (no kerberos, no ssh)', as documented here: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

We need approval from your manager (@DannyH?) to proceed.

@Joe, @elukey, @Ottomata and @jcrespo: thank you responding as helpfully and responsively as y'all did...I'm sorry I left you wondering for as long as I have.

Responses to, what I think are, the remaining open points below. If I've missed something between this ticket and T272767, please let me know.


@ppelberg +1 to what Luca said, Superset's SQL Lab will probably be what you are looking for.

Agreed and this sounds like a great place to start.

You don't need ssh access, but you do need to be in the analytics-privatedata-users group, which requires the same approvals. You are going for 'analytics-privatedata-users (no kerberos, no ssh)', as documented here: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

We need approval from your manager (@DannyH?) to proceed.

Understood and sounds great. I'll speak with Danny and ask that he comment here approving/disapproving this request.

I approve Peter for this, thanks.

Change 658992 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Add ppel to analytics-privatedata-users with no ssh access

https://gerrit.wikimedia.org/r/658992

Change 658992 merged by Ottomata:
[operations/puppet@production] Add ppel to analytics-privatedata-users with no ssh access

https://gerrit.wikimedia.org/r/658992

@ppelberg, I've applied your access patch, please try again!

Also, it seems that in T223351: LDAP access to the wmf group for Peter Pelberg you were given a shell user name of ppel, not ppelberg (as originally requested in this ticket), so I kept that one. I hope that is ok.

Hi, just wanted to check in if anything more was needed here?

Hi, just wanted to check in if anything more was needed here?

Yikes – thank you for bumping this @CDanis. I don't think anything more is needed. See below.

@ppelberg, I've applied your access patch, please try again!

Superset has been working as expected/desired since y'all applied these changes...thank you! I'm sorry to have left this loop open until now.

Also, it seems that in T223351: LDAP access to the wmf group for Peter Pelberg you were given a shell user name of ppel, not ppelberg (as originally requested in this ticket), so I kept that one. I hope that is ok.

Totally fine. I appreciate you mentioning this.

Glad to hear, thanks!