Requesting access to analytics cluster for Ben Tullis
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Btullis
  • Email address: btullis@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLwVzH9rT959TVnPq/SBJIQU4T1eZXIBAdyEM5TchYg btullis@wikimedia.org

I confirm that this key is separate from my Wikimedia Cloud/Gerrit key.

  • Requested group membership: analytics-privatedata-users
  • Reason for access: Onboarding Ben Tullis in his role as an SRE in the analytics (data engineering) team
  • Name of approving party (manager for WMF/WMDE staff): Olja Dimitrijevic and/or Fransisco Dans
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:

I can confirm that I have signed this document today.

I believe that I also need the following:

  • Membership of the wmf group in LDAP
  • A Kerberos principal
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml
  • prepare patchset for access

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

BTullis updated the task description.

Should I create a separate request for the LDAP group change?
I see from here that there is a special LDAP-Access-Requests tag that I should use.

Ottomata added subscribers: razzi, Ottomata.

Ben's first day was yesterday, so let's expedite this! @razzi will take care of this, and I will follow up with SRE on enabling root access after the initial access is granted.

Oh, I think analytics-admins is not needed since Ben will be an SRE and have root access, editing task description.

SGTM, I'll be on SRE clinic duty this week and will stay hands-off until hearing otherwise

On a related note -- is there another onboarding task to link as a parent?

Oh, and approved by me for analytics-privatedata-users.

@herron if you have time to do this now I'm sure @razzi would not mind, we just wanted to expedite :) Thank you!

Sure I'll go ahead and prep a patch. I may have missed it, but what realname should be used for btullis?

Would also be ideal to log a comment of approval from the approving party either here or via a parent onboarding task, etc. With that and a +1 review on the patch we should be good to go.

Oh, Ben Tullis.

Yes, we need approval from Ben's manager: @odimitrijevic Please approve!

Ottomata renamed this task from Requesting access to analytics cluster for btullis to Requesting access to analytics cluster for Ben Tullis. Jun 29 2021, 6:13 PM

Change 702197 had a related patch set uploaded (by Herron; author: Herron):

[operations/puppet@production] admin: create shell user btullis, add to analytics-privatedata-users

https://gerrit.wikimedia.org/r/702197

Change 702197 merged by Herron:

[operations/puppet@production] admin: create shell user btullis, add to analytics-privatedata-users

https://gerrit.wikimedia.org/r/702197

Shell account has been created, and ldap account has been added to group wmf

getting requests for ops-maintenance group access. These things have been checkboxes in the general onboarding tickets but there doesn't seem to be one here.

@Dzahn - Thanks, yes I requested it, because it was an entry on my onboarding checklist - I can confirm that I now have access to the ops-maintenance group.

@BTullis Thanks, yes, I approved it. Welcome to WMF!

I also have an item on my checklist to say that I should be in the cn=ops LDAP group.

There are instructions on how I can add myself to that group, but only once I have sudo access.

Can anyone confirm this requirement? If so, can it be done on this ticket, or should I raise a new one?

Hey @BTullis, typically this is done with the onboarding buddy who has root already, which is the case for @Ottomata and @razzi. So I'll defer to them on next steps for now. Fwiw it should work out to roughly two steps: 1) being added to the ldap ops group, and 2) uploading, reviewing and merging/deploying a puppet patch adding your shell account to the unix ops group.

@herron, so we should do step 1 and then help Ben do step 2?

I think so, I'm basing that on the "who starts it" column from https://office.wikimedia.org/wiki/Technology/Onboarding/Checklists/Ben_Tullis#Site_Reliability_Engineering. Of course happy to help with that as well if you'd prefer.

Ok, done step 1. @BTullis you are in the ops LDAP group now.

I believe this means you can create a patch to add your user to the "ops" group in puppet in modules/admin/data/data.yaml. Add me and razzi as reviewer, and we'll +1, and then you can +2 and merge. We can do the puppet-merge stuff together! :)

Change 702424 had a related patch set uploaded (by Zabe; author: Btullis):

[operations/puppet@production] Add btullis to the ops security group

https://gerrit.wikimedia.org/r/702424

Change 702424 merged by Btullis:

[operations/puppet@production] Add btullis to the ops security group

https://gerrit.wikimedia.org/r/702424

Thanks. I can confirm that I've now been able to access puppetmasters and other servers requiring ops group membership.

One thing that doesn't seem to be working so far is Netbox. I can log in, but I get a permission denied message after that.
Do we need to do something in Django admin?

Also LibreNMS and Logstash authentication don't seem to let me in.
Neither is urgent, just thought I'd let you know in case there is anything else I should do.

Change 702739 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Grant icinga permissions to btullis

https://gerrit.wikimedia.org/r/702739

Change 702739 merged by Btullis:

[operations/puppet@production] Grant icinga permissions to btullis

https://gerrit.wikimedia.org/r/702739

Added myself to the root alias on puppetmaster1001

Added my GPG key to the pwstore repo.

MoritzMuehlenhoff subscribed.

Given that Ben is in root users and has cn=ops/cn=wmf LDAP membership this seems complete, closing the task so that it no longer shows up in the access request dashboard.

I have created myself a kerberos principal with the following command:

btullis@krb1001:~$ sudo manage_principals.py create btullis --email_address btullis@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to btullis@wikimedia.org

I'll follow up with a puppet change to admin/data.yaml

Change 704562 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Enable kerberos for btullis

https://gerrit.wikimedia.org/r/704562

Change 704562 merged by Btullis:

[operations/puppet@production] Enable kerberos for btullis

https://gerrit.wikimedia.org/r/704562

Change 711171 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Replace the username for btullis with Btullis

https://gerrit.wikimedia.org/r/711171

Change 711171 merged by Btullis:

[operations/puppet@production] Replace the username for btullis with Btullis

https://gerrit.wikimedia.org/r/711171

Change 731403 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add initial personal dotfiles and one script

https://gerrit.wikimedia.org/r/731403

Change 731403 merged by Btullis:

[operations/puppet@production] Add initial personal dotfiles and one script

https://gerrit.wikimedia.org/r/731403

Change 742172 had a related patch set uploaded (by Jcrespo; author: Jcrespo):

[operations/puppet@production] admin: Fix path of btullis' dotfiles and one script

https://gerrit.wikimedia.org/r/742172

Change 742172 merged by Btullis:

[operations/puppet@production] admin: Fix path of btullis' dotfiles and one script

https://gerrit.wikimedia.org/r/742172