Page MenuHomePhabricator
Create Task
Maniphest T277692

Requesting access to analytics-privatedata-users for Cory Massaro
Closed, ResolvedPublicRequest
Actions

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Cory Massaro
  • Preferred shell username: apine
  • Email address: cmassaro@wikimedia.org
  • Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPofgCuu5AVNvAyH2qs3IFOhpByNCfO5HMVnTBG6IdX corybant@delphi
  • Requested group membership: analytics-privatedata-users
  • Reason for access: I would like SSH access to Hadoop (stat1006.equiad.wmnet); I would like to be able to work with mediawiki_wikitext_history data
  • Name of approving party (hiring manager for WMF staff): Adam Baso
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: I have.
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party. I have discussed this with dr0ptp4kt.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
admin: add apine to analytics-privatedata-usersoperations/puppetproduction+10 -5
Customize query in gerrit

Related Objects

Event Timeline

cmassaro created this task.Mar 17 2021, 6:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2021, 6:54 PM
cmassaro mentioned this in T277544: Grant Access to <not sure> for apine.Mar 17 2021, 6:55 PM
RhinosF1 subscribed.Mar 17 2021, 7:06 PM
Maintenance_bot added a project: SRE.Mar 17 2021, 7:45 PM
dr0ptp4kt added a comment.Mar 17 2021, 7:57 PM

Approved.

Ottomata added a subscriber: JAllemandou.Mar 17 2021, 8:17 PM

Approved.

@JAllemandou FYI for you that Cory wants to work with mediawiki_wikitext_history. :)

JAllemandou added a comment.Mar 18 2021, 8:29 AM

Thanks for letting me know @Ottomata :)
@cmassaro : Let's sync on the work you wish to accomplish, as wikitext-history is really big and I might have some hints :)

Volans updated the task description. (Show Details)Mar 18 2021, 10:11 AM
Volans triaged this task as Medium priority.Mar 18 2021, 10:13 AM
Volans subscribed.

@cmassaro I can't find your signature on L3, could you please double check you've signed it?

Volans moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.Mar 18 2021, 10:13 AM
Volans renamed this task from Requesting access to analytics-privatdata-user for Cory Massaro to Requesting access to analytics-privatedata-user for Cory Massaro.Mar 18 2021, 10:19 AM
Volans renamed this task from Requesting access to analytics-privatedata-user for Cory Massaro to Requesting access to analytics-privatedata-users for Cory Massaro.
Volans updated the task description. (Show Details)Mar 18 2021, 10:31 AM
gerritbot added a comment.Mar 18 2021, 10:37 AM

Change 673223 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] admin: add apine to analytics-privatedata-users

https://gerrit.wikimedia.org/r/673223

gerritbot added a project: Patch-For-Review.Mar 18 2021, 10:37 AM
Volans reassigned this task from Ottomata to cmassaro.Mar 18 2021, 12:06 PM
Volans added a subscriber: Ottomata.
cmassaro added a comment.Mar 18 2021, 1:46 PM

Signed!

cmassaro reassigned this task from cmassaro to Ottomata.Mar 18 2021, 1:47 PM
Volans claimed this task.Mar 18 2021, 3:07 PM
Volans updated the task description. (Show Details)
Volans moved this task from Awaiting User Input to Ready To Go on the SRE-Access-Requests board.
gerritbot added a comment.Mar 18 2021, 3:32 PM

Change 673223 merged by Volans:
[operations/puppet@production] admin: add apine to analytics-privatedata-users

https://gerrit.wikimedia.org/r/673223

Volans added a comment.Mar 18 2021, 3:43 PM

Created kerberos principal:

krb1001 ~$ sudo manage_principals.py create apine --email_address=cmassaro@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to cmassaro@wikimedia.org
Volans added a comment.Mar 18 2021, 3:50 PM

@cmassaro kerberos activated and patch with your access merged, please follow https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_access to setup your SSH configuration file and test your access to one bastion first and then one of the hosts you want to access. FYI it can take up to 30 minutes from the merge time to get the change propagated to all bastions to allow you to SSH.

Let us know if you encounter any issue.

Volans added a comment.Mar 18 2021, 3:52 PM

And feel free to resolve this task once it's all working as expected.

Volans removed Volans as the assignee of this task.Mar 18 2021, 3:55 PM

@Ottomata is there anything to be done on the analytics side to sync the user for the intended usage?

Ottomata added a comment.Mar 18 2021, 3:57 PM

Nope, that's it! Thank you!

Maintenance_bot removed a project: Patch-For-Review.Mar 18 2021, 4:11 PM
cmassaro added a comment.Mar 18 2021, 6:23 PM

I am able to access the bastion. I am not able to access stat1006.equiad.wmnet, though. I can provide the output from ssh -v if that would help.

Urbanecm subscribed.Mar 18 2021, 6:25 PM
In T277692#6926262, @cmassaro wrote:

I am able to access the bastion. I am not able to access stat1006.equiad.wmnet, though. I can provide the output from ssh -v if that would help.

How are you trying to access it (ie. what's your client SSH config)? You should use something like https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config in your ~/.ssh/config, and then directly use ssh stat1006.eqiad.wmnet.

cmassaro added a comment.Mar 18 2021, 6:29 PM

Got it. I did set up my SSH config as prescribed there, and ssh bast1002.wikimedia.org works as a result. When I try ssh stat1006.eqiad.wmnet, it looks like I'm able to authenticate to the bastion, but channel_connect_stdio_fwd fails thereafter.

Dzahn subscribed.Mar 18 2021, 6:31 PM

@cmassaro It seems to be a typo in the host name.

found in auth.log on bast1002

error: connect_to stat1006.equiad.wmnet: unknown        host (Name or service not known)

That's an "equiad" vs "eqiad" there.

cmassaro added a comment.Mar 18 2021, 6:44 PM

Ahhhh sorry, that is embarrassing. It's all good now. Thank you!

cmassaro added a comment.Mar 18 2021, 6:45 PM
In T277692#6924028, @JAllemandou wrote:

Thanks for letting me know @Ottomata :)
@cmassaro : Let's sync on the work you wish to accomplish, as wikitext-history is really big and I might have some hints :)

Thanks, let's do!

cmassaro closed this task as Resolved.Mar 18 2021, 7:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL