Page MenuHomePhabricator

Access request to Superset for toberto
Closed, ResolvedPublic

Description

We've built visualization and dashboards for the Structured Data team that require access to Superset. @toberto recently joined the team and needs access to these. This appears to involve setting up a Wikitech account, getting added to the wmf LDAP group, and the analytics-privatedata-users POSIX group (ref: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Dashboards_in_Superset_/_Hive_interfaces_(like_Hue)_that_do_access_private_data). SSH access will not be needed for this.

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Toni Oberto
  • Email address: toberto@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):
  • Requested group membership: wmf, analytics-privatedata-users
  • Reason for access: Superset
  • Name of approving party (manager for WMF/WMDE staff): Shari Wakiyama
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Signed
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document. (Not strictly needed here but signed anyway, thank you!)
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Signed the L3 doc today, thanks!

@nettrom_WMF Hi Morten! I've signed the doc and completed info up above. One question: is the approver my manager or someone else? Thanks!

@nettrom_WMF Hi Morten! I've signed the doc and completed info up above. One question: is the approver my manager or someone else? Thanks!

@toberto : Darn, I just learned from T270438 that you wouldn't need to sign the L3 doc. Instead, as mentioned in T270438#6701685, read wt:Analytics/Data_access#User_responsibilities carefully. Apologies for having you do extra work here!

The approver would be your manager, yes. I don't think Shari's on Phabricator, though? From what I understand, SRE can do that part over email. Looks like I forgot to tag SRE on this too, I'll update the task tags as well so they can triage and follow up on this.

All good and thanks, @nettrom_WMF ! I'll review the user responsibilities and be on standby if you need anything else from me. Thanks!

Hi Toni, welcome to the Foundation! I can get you set up here. Thanks @nettrom_WMF for getting us started. (For future requests, note the form automatically adds the SRE-Access-Requests project, so we'll see it right away; you can get there from the Production access page on Wikitech.)

@toberto I do need approval from your manager, ideally here on Phab so that there's a record. But if she doesn't have a Phabricator account, I guess there's no reason she can't send me a message by email (rlazarus@) or on Slack, saying she approves of your access to Analytics private data. Could you please ask her to do so?

I'll also need approval from Analytics. @Ottomata is out of the office until tomorrow; I'm tagging him in this so he'll see it when he returns (welcome back, tomorrow-Andrew!) but if this is urgent, let me know and I'll see if I can find a delegate.

Sorry for the additional delay -- once all the approvals are in place, I'll be able to take care of this for you right away.

Thanks for your patience with us, @RLazarus , while we go off protocol! I have messaged Shari and asked she email or Slack you with approval. Thank you again for your help getting set up and the warm welcome!

Received from Shari Wakiyama on her WMF email account:

Hi Reuven,

Please give Toni Oberto, cc'd here, access to Superset to fulfill her job responsibilities.

Thank you,
Shari

Manager approval is all set then, and now all we need is Analytics approval.

Change 706756 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/puppet@production] admin: Add toberto with no-ssh membership in analytics-privatedata-users

https://gerrit.wikimedia.org/r/706756

Change 706756 merged by RLazarus:

[operations/puppet@production] admin: Add toberto with no-ssh membership in analytics-privatedata-users

https://gerrit.wikimedia.org/r/706756

Added to wmf group:

rzl@mwmaint2002:~$ ldapsearch -x cn=wmf | grep toberto
member: uid=toberto,ou=people,dc=wikimedia,dc=org
RLazarus claimed this task.

@toberto Give it 30 minutes for the Puppet change to roll out everywhere, then you should be all set!

As you already read in L3 and the Analytics user responsibilities, you now have access to some extremely sensitive user data. I'm sure your teammates have already talked to you about the importance of keeping that data safe, but feel free to ping me on IRC or Slack any time if you have questions.

I'm resolving this task, but feel free to reopen (or start a new one under SRE-Access-Requests) if you have any trouble with your new access.