re-open access to Analytic Cluster for ChristineDeKock
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	diego
	Jun 15 2021, 10:22 AM

Description

We have signed a new NDA with @ChristineDeKock and we would like to re-open her access to tha Analytics Cluster (T274304)

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

Wikitech username: ChristineDeKock
Preferred shell username: ChristineDeKock
Email address: christinedekock11@gmail.com
Ssh public key (must be dedicated key for wmf production): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILiOBrHGHChC2y9I7grsl4jCB3ziaLaVni/oUvQN+IS4 cd700@cam.ac.uk
Requested group membership: analytics-privatedata-users (with kerberos)
Reason for access: Research Formal Collaboration on this project.
Name of approving party (hiring manager for WMF staff): @diego
Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document: done
Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party: done

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

- User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
- User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
- User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
- User has provided a public SSH key
- access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
- non-staff requests: 3 business day wait must pass with no objections being noted on the task
- Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

	Subject	Repo	Branch	Lines +/-
	admin: add christinedk to analytics-privatedata-users (with kerberos)	operations/puppet	production	+9 -4

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		ssingh	T284987 re-open access to Analytic Cluster for ChristineDeKock
		Resolved	Request	MoritzMuehlenhoff	T274304 Requesting access to Analytic Cluster for Research Intern (ChristineDeKock)

Event Timeline

diego created this task.Jun 15 2021, 10:22 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 15 2021, 10:22 AM

diego added a parent task: T274304: Requesting access to Analytic Cluster for Research Intern (ChristineDeKock).Jun 15 2021, 11:06 AM

Aklapper removed a parent task: T274304: Requesting access to Analytic Cluster for Research Intern (ChristineDeKock).Jun 15 2021, 12:58 PM

Aklapper added a subtask: T274304: Requesting access to Analytic Cluster for Research Intern (ChristineDeKock).

Approved.

Hi @ChristineDeKock: Can you please read through and sign the L3 (Acknowledgement of Wikimedia Server Access Responsibilities) document? Thank you!

Change 699938 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] admin: add christinedk to analytics-privatedata-users (with kerberos)

https://gerrit.wikimedia.org/r/699938

gerritbot added a project: Patch-For-Review.Jun 15 2021, 2:20 PM

Hi @ssingh. Thank you for your trouble. I have signed the L3 form.

ssingh updated the task description. (Show Details)Jun 15 2021, 2:31 PM

Change 699938 merged by Ssingh:

[operations/puppet@production] admin: add christinedk to analytics-privatedata-users (with kerberos)

https://gerrit.wikimedia.org/r/699938

In T284987#7158017, @ChristineDeKock wrote:

Hi @ssingh. Thank you for your trouble. I have signed the L3 form.

Thank you! You should now have access to the analytics cluster,and received an email on the address provided to reset the kerberos password. I am marking this as resolved but please feel free to re-open if there are any issues. Thanks!

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2021, 3:10 PM

Hi all,

Thank you for your trouble on this. Unfortunately, I am having some trouble with credentials when accessing the server.

I ssh’d into stat1008.eqiad.wmnet, but when running kinit my password was incorrect. I reset my wikitech password through the website and retried; no luck. I noticed the shell username was different than I had before (christinedk), so I updated that and retried; now I get asked for a password when ssh-ing, and the reset password does not work there either.

I'd appreciate any help!

Hi, your ssh/shell username is christinedk. You shouldn't need a password to ssh into stat1008. If you can ssh into stat1008 (it sounds like you did at first?) then that part should be set up correctly.

The Wikitech is not connected with ssh or Kerberos, so changing the password there will only affect web-based logins.

I just reset your kerberos password. You should receive an email with instructions. The next time you log in you should be able to set your kerberos password and kinit.

Lemme know if that works!

Thanks, that resolved the kinit issue.

One more thing: I am using the newpyter system as per the instructions here. It says to use my shell username and "LDAP password". Which password is this? I have tried a number of username/password combinations with no luck.

In T284987#7174830, @ChristineDeKock wrote:

Thanks, that resolved the kinit issue.

One more thing: I am using the newpyter system as per the instructions here. It says to use my shell username and "LDAP password". Which password is this? I have tried a number of username/password combinations with no luck.

It's the same password you use for Wikitech (as Wikitech authentication is actually LDAP backed). Shell username is available in your Wikitech preferences as "Instance shell account name". Hope it helps!

This does not work unfortunately. Is there anything else I can do?

In T284987#7174844, @ChristineDeKock wrote:

This does not work unfortunately. Is there anything else I can do?

Can you share the username you use here? We can then verify it is the correct one.

In T284987#7175071, @Urbanecm wrote:

In T284987#7174844, @ChristineDeKock wrote:

This does not work unfortunately. Is there anything else I can do?

Can you share the username you use here? We can then verify it is the correct one.

Sure. I am using christinedk, which is the username in my Wikitech preferences under "Instance shell account name".

FYI I just wrote https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Accounts_and_passwords_explained%3A_LDAP%2FWikitech%2FMW_Developer_vs_shell%2Fssh%2Fposix_vs_Kerberos to hopefully help explain all these different accounts and passwords.

I have tried a number of username/password combinations with no luck.

What is the error you get when you try?

Can you also try logging out of Wikitech/ and then logging back in to make sure you are using the right password? You mentioned before that you changed this password at least once, perhaps you are using the wrong one? You could also change your Wikitech/LDAP password as you did before. After you do that you can be sure that that is the password that should be used to log into JupyterHub.

What is the error you get when you try?

The error is "Invalid username or password". I get this error when I do "ssh -N stat1008.eqiad.wmnet -L 8880:127.0.0.1:8880" and then go to localhost:8880 in a browser.

Can you also try logging out of Wikitech/ and then logging back in to make sure you are using the right password? You mentioned before that you changed this password at least once, perhaps you are using the wrong one?

Tried this; the password works fine for logging into Wikitech with the username ChristineDeKock. I am using my the shell username christinedk with newpyter in accordance with the documentation; though I tried both with no success.

You could also change your Wikitech/LDAP password as you did before. After you do that you can be sure that that is the password that should be used to log into JupyterHub.

This seems unnecessary since I can log into Wikitech just fine with the current password, but I will try that if it is the recommended way.

Just a note, I seem to have had the same issue when I started my internship: see here. At the time, @Ottomata said

Christine will need LDAP membership in the nda group for this access

and updating that seemed to resolve it. Is this something that may need fixing again?

This seems unnecessary since I can log into Wikitech just fine with the current password

Agree, unnecessary if you are sure of the password.

Christine will need LDAP membership in the nda group for this access

Ah, indeed. That is the problem. Just added you to nda group. Try now.

In case you have to file another one of these in the future, this info should be included in the original access request. SRE will just follow instructions they see in the description.

Thanks for your patience!

Reedy renamed this task from re-open access to Analytic Cluster for ChristineDeKock to re-open access to Analytic Cluster for ChristineDeKock.Jun 24 2021, 3:01 PM

Fantastic, thanks for your help. It works now.

Ottomata closed this task as Resolved.Jun 24 2021, 3:43 PM

Urbanecm removed a subtask: T290279: Replace christinedk old ssh public key with a new one.Sep 2 2021, 8:28 PM

re-open access to Analytic Cluster for ChristineDeKockClosed, ResolvedPublicActions