Page MenuHomePhabricator
Create Task
Maniphest T271602

Hue access for Peter Pelberg
Closed, ResolvedPublic
Actions

Description

Per https://www.mediawiki.org/wiki/Product_Analytics/Onboarding#SSH_Keys,_Stat_machines,_Notebooks,_HUE,_Datagrip,_Groups and https://wikitech.wikimedia.org/wiki/Production_access#Filing_the_request, I, Peter Pelberg [i][ii], am filing this request in order to [ideally] gain access to Hue. [iii]

Note: if there is a better process to follow to gain access to Hue, please let me know.

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: PPelberg
  • Preferred shell username: ppel
  • Email address: ppelberg@wikimedia.org
  • Requested group membership: analytics-privatedata-users
  • Reason for access: In my capacity as the Product Manager for the Editing-team, I would like to be able to write and run queries to understand how people are using the tools [iv][v] we build and maintain.
  • Name of approving party (hiring manager for WMF staff): @DannyH
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: DONE
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - Patchset for access request - https://gerrit.wikimedia.org/r/c/operations/puppet/+/658992

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

i. Wikitech username: PPelberg
ii. Superset username: ppel
iii. https://hue.wikimedia.org/accounts/login/
iv. https://www.mediawiki.org/wiki/Extension:DiscussionTools
v. https://www.mediawiki.org/wiki/Extension:VisualEditor

Details

SubjectRepoBranchLines +/-
Add ppel to analytics-privatedata-users with no ssh accessoperations/puppetproduction+8 -5
Customize query in gerrit

Related Objects

Event Timeline

ppelberg created this task.Jan 9 2021, 2:03 AM
Restricted Application added a project: SRE. · View Herald TranscriptJan 9 2021, 2:03 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Joe triaged this task as Medium priority.Jan 11 2021, 7:14 AM
Joe updated the task description. (Show Details)
Joe added subscribers: Ottomata, Joe.Jan 11 2021, 7:16 AM

While we wait for the manager approval, I will loop in @Ottomata for analytics approval. @ppelberg please provide the *public* ssh key you generated specifically for accessing production services, so that we can grant you access ASAP when the approvals are in place.

Joe moved this task from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.Jan 11 2021, 7:16 AM
elukey subscribed.Jan 11 2021, 7:22 AM

@ppelberg Hi! Are you planning to ssh to stat100x hosts to explore data via cli tools like hive/presto/etc.. or are you looking for a way to explore data via a UI? If so we have a new Analytics access scheme that avoids the ssh configs and focuses only on UI tools. We also offer a tool called Superset, with its sqllab, that should be way better than Hue.

See https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

In order to access to the UIs we'll need to put the username into either wmf or nda LDAP group as well (writing it down in here as note for SRE).

Joe added a comment.Jan 11 2021, 7:25 AM
In T271602#6735021, @elukey wrote:

@ppelberg Hi! Are you planning to ssh to stat100x hosts to explore data via cli tools like hive/presto/etc.. or are you looking for a way to explore data via a UI? If so we have a new Analytics access scheme that avoids the ssh configs and focuses only on UI tools. We also offer a tool called Superset, with its sqllab, that should be way better than Hue.

See https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

In order to access to the UIs we'll need to put the username into either wmf or nda LDAP group as well (writing it down in here as note for SRE).

Given Peter is an employee, I guess wmf :)

Ottomata added a comment.Jan 11 2021, 2:30 PM

Approved for LDAP and ssh if needed too. @ppelberg +1 to what Luca said, Superset's SQL Lab will probably be what you are looking for.

jcrespo moved this task from Manager/NDA Approval/Confirmation to Awaiting User Input on the SRE-Access-Requests board.Jan 18 2021, 5:33 PM
jcrespo subscribed.

@ppelberg This is blocked only on providing additional information requested by @Joe and @elukey above.

jcrespo updated the task description. (Show Details)Jan 18 2021, 5:34 PM
jcrespo added a comment.Jan 18 2021, 5:43 PM

We would also need @DannyH to sign off the request, as to the best of my understanding, this is not a team's "standarized request".

jcrespo assigned this task to ppelberg.Jan 18 2021, 5:43 PM
jcrespo updated the task description. (Show Details)
Ottomata mentioned this in T272767: Presto error: Failed to list directory.Jan 26 2021, 8:14 PM
Ottomata added a comment.Jan 26 2021, 9:02 PM

@ppelberg, this ticket needs to be done before you can access data via Presto.

You don't need ssh access, but you do need to be in the analytics-privatedata-users group, which requires the same approvals. You are going for 'analytics-privatedata-users (no kerberos, no ssh)', as documented here: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

We need approval from your manager (@DannyH?) to proceed.

ppelberg added a comment.Jan 26 2021, 10:06 PM

@Joe, @elukey, @Ottomata and @jcrespo: thank you responding as helpfully and responsively as y'all did...I'm sorry I left you wondering for as long as I have.

Responses to, what I think are, the remaining open points below. If I've missed something between this ticket and T272767, please let me know.

In T271602#6736119, @Ottomata wrote:

@ppelberg +1 to what Luca said, Superset's SQL Lab will probably be what you are looking for.

Agreed and this sounds like a great place to start.

In T271602#6778403, @Ottomata wrote:

You don't need ssh access, but you do need to be in the analytics-privatedata-users group, which requires the same approvals. You are going for 'analytics-privatedata-users (no kerberos, no ssh)', as documented here: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups

We need approval from your manager (@DannyH?) to proceed.

Understood and sounds great. I'll speak with Danny and ask that he comment here approving/disapproving this request.

DannyH added a comment.Jan 26 2021, 11:45 PM

I approve Peter for this, thanks.

gerritbot added a comment.Jan 27 2021, 1:52 PM

Change 658992 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Add ppel to analytics-privatedata-users with no ssh access

https://gerrit.wikimedia.org/r/658992

gerritbot added a project: Patch-For-Review.Jan 27 2021, 1:52 PM
Ottomata updated the task description. (Show Details)Jan 27 2021, 2:34 PM
gerritbot added a comment.Jan 27 2021, 2:34 PM

Change 658992 merged by Ottomata:
[operations/puppet@production] Add ppel to analytics-privatedata-users with no ssh access

https://gerrit.wikimedia.org/r/658992

Ottomata added a comment.Jan 27 2021, 2:37 PM

@ppelberg, I've applied your access patch, please try again!

Also, it seems that in T223351: LDAP access to the wmf group for Peter Pelberg you were given a shell user name of ppel, not ppelberg (as originally requested in this ticket), so I kept that one. I hope that is ok.

Maintenance_bot removed a project: Patch-For-Review.Jan 27 2021, 3:10 PM
Legoktm reassigned this task from ppelberg to Ottomata.Jan 27 2021, 9:21 PM
Legoktm moved this task from Awaiting User Input to Ready To Go on the SRE-Access-Requests board.
CDanis subscribed.Feb 5 2021, 6:53 PM

Hi, just wanted to check in if anything more was needed here?

ppelberg added a comment.Feb 5 2021, 6:56 PM
In T271602#6807375, @CDanis wrote:

Hi, just wanted to check in if anything more was needed here?

Yikes – thank you for bumping this @CDanis. I don't think anything more is needed. See below.

In T271602#6780497, @Ottomata wrote:

@ppelberg, I've applied your access patch, please try again!

Superset has been working as expected/desired since y'all applied these changes...thank you! I'm sorry to have left this loop open until now.

Also, it seems that in T223351: LDAP access to the wmf group for Peter Pelberg you were given a shell user name of ppel, not ppelberg (as originally requested in this ticket), so I kept that one. I hope that is ok.

Totally fine. I appreciate you mentioning this.

CDanis closed this task as Resolved.Feb 5 2021, 6:56 PM

Glad to hear, thanks!

scblr mentioned this in T283190: Requesting access to analytics-privatedata-users for schoenbaechler.May 19 2021, 5:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits