
Requesting access to restricted production access and analytics-privatedata-users for Janina Abrams
Closed, Resolved · Public

Description

Wikitech username: JaninaAbrams
Preferred shell username: jabrams
Email address: jabrams@wikimedia.org

SSH Key: ssh-rsa … jabrams@Janinas-MBP.home

I'd like to request access for @JAbrams to what I believe will be the restricted group and analytics-privatedata-users (the same that @Nahid and @jrbs have). Trust and Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). Janina is the newest member of the T&S Operations team alongside @jrbs, @Nahid, me, and other collaborators.

Specifically, some of the workflows she needs to be able to perform (and I believe needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • Remove 2FA for users who have lost their backup codes (after identity verification)
    • Add or reset user email addresses when locked out of their account (again after identity verification)
    • Permanently remove illegal images from the servers
  • Look up private information such as user email addresses for legal or T&S investigations (such as handling urgent threats of harm or processing court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Janina has already signed the L3 agreement. @JanWMF is the T&S team global head and I can have him comment here in support, if required. Please let me know if there are any issues or questions regarding this request (it's my first time filing it).

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Note 2FA removal can be done on wiki these days. I think T&S should do this via the web interface, as it creates a log of all removals in a single place :). Otherwise no objections.

RLazarus subscribed.

Hi Janina, welcome to the Foundation! I can get you set up. Thanks for signing L3 -- in particular, you're getting access to some extremely sensitive user data. I'm sure your teammates have already talked to you about the importance of keeping that data safe, but feel free to ping me on IRC or Slack any time if you have questions.

@Kalliope For approval, all I need is Janina's direct manager -- which I see is you, so we're all set.

In general terms I agree with @Urbanecm -- doing as much as possible on-wiki sounds better to me, in the abstract. But for the purposes of this access ticket, I'm setting up Janina with the same access as the rest of the team (as needed for the other workflows listed, if nothing else).

Admin patch to follow shortly. (And thanks Reedy for routing.)

Oops, one more thing: @Ottomata can you approve for analytics-privatedata-users please? I'll include Kerberos for access to hadoop.

And @JAbrams please note the Analytics data access user responsibilities on top of everything else.

Thank you kindly @RLazarus! Much appreciated :) @Urbanecm also thank you for that note! Will take it onboard.

Just noticed @Ottomata is out of office. @odimitrijevic can you approve this for Analytics, or should we wait for Andrew to approve when he's back on Thursday?

Change 706755 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/puppet@production] admin: Create jabrams, add to restricted, analytics-privatedata-users

https://gerrit.wikimedia.org/r/706755

Change 706755 merged by RLazarus:

[operations/puppet@production] admin: Create jabrams, add to restricted, analytics-privatedata-users

https://gerrit.wikimedia.org/r/706755

rzl@krb1001:~$ sudo manage_principals.py create jabrams --email_address=jabrams@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to jabrams@wikimedia.org

@JAbrams You should be all set! Give it 30 minutes for the change to roll out everywhere, then your access should be ready to go.

I'm resolving this task, but feel free to reopen (or start a new one under SRE-Access-Requests) if anything doesn't work as expected.