Page MenuHomePhabricator
Create Task
Maniphest T289259

Requesting access to restricted and analytics-privatedata-users for Nathan Forrester
Closed, ResolvedPublicRequest
Actions

Description

  • Wikitech username: Nforrester
  • Preferred shell username: nforrester
  • Email address: nforrester at wikimedia.org
  • SSH Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDdxggtJm+mTopKHAWfpRmj0sN3+Lph1/fulIfYEts7S7xXciz4W2dFCh6BvImpKcG+F82fqrDDMPEupd22pRY+49STXBHXjI81wIgT5+vrexy5VlXUyMYbp+tz35C4JucdpBJUTNKtTnFVxPzxxr4+JAzF1col1orJiWn9pQjeUFyBckDHRzSjx3XVxO5yj0riWW5jb8p20f6y7E+0CkHt4GUeqIF20QFLJdUmZxOWy19v3SMbGL+S8yln245/wjudOdCnoG1Somi/2mvKgRPqx7ia720X8BWd//5i44fryN/N2OoeF6azuUpBmLX+D8Ho/VLKuSvtjwyZu7ddZKO3ADpPuUly68nM6wR83mRTkWskvnBC3MUnViyYDj3H0ky3BA6FwxP5caE2ArPD1qeq4AL6irHkKObj5tUjx5y4xHlHEVawAcyZ3yyAXhGCsvmxzaV36tqf+HC0ljc6cSiUCSJQCWwAHHEkB3oxtakgR8m6H6eXrauoJuSZpyqwAHwVXJM921tcTo7AGoWyWFb+8DHY4bGnLAqh9O7cJPbEOScHctelFsl7qLUpMPj+duUgLEdV8Pfm1wR6cYe2FfuM1lgNK6EBmsPAb++duiaKj/s6kSGKsN5lmA/hD0EBvTM8XzLYgTKjib3Yntan+NlLNNqIOz8mScI/YPx8q8SMbw== .
  • Requested group membership: ‘restricted’ and ‘analytics-privatedata-users’

I'd like to request membership for @NForrester to the ‘restricted’ and ‘analytics-privatedata-users’ group. The Trust and Safety team has a number of workflows requiring shell access and private analytics logs (hadoop). He is a member of the T&S team and requires those accesses for his regular work. Specifically some of the workflows he needs to be able to do (and needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • To add or reset user email addresses when locked out of their account (again after identity verification)
    • To permanently remove illegal images from the servers
  • Lookup private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

NForrester has already signed L3. @NNair is NForrester’s people manager. Naha, could you confirm/approve this request by commenting here?

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key.
  • - access request has sign off of WMF manager
  • - access request has sign off of group approver for 'restricted' via T289259#7296724
  • - access request has sign off of group approver for 'analytics-privatedata-users'
  • - Patchset for access request

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin: add nforresteroperations/puppetproduction+12 -2
Customize query in gerrit

Event Timeline

Nahid created this task.Aug 19 2021, 1:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 19 2021, 1:33 PM
NNair added a comment.Aug 19 2021, 1:34 PM

This is approved for Nathan.

Thank you,
Neha

Nahid added a project: Trust-and-Safety.Aug 19 2021, 1:40 PM
Maintenance_bot added a project: SRE.Aug 19 2021, 1:45 PM
NForrester updated the task description. (Show Details)Aug 19 2021, 1:52 PM
RobH moved this task from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.Aug 19 2021, 2:58 PM
RobH added subscribers: odimitrijevic, thcipriani, RobH.

@odimitrijevic,

This is one of three current requests to add a new wmf employee to both ‘restricted’ and ‘analytics-privatedata-users’. As the director of Analytics, we'd like your approval (or defer approval to someone in your team) to add this user to ‘analytics-privatedata-users’. Please comment with your approval or other information.

@thcipriani,

This is one of three current requests to add a new wmf employee to both ‘restricted’ and ‘analytics-privatedata-users’. As the manager of Release Engineering, we'd like your approval (or defer approval to someone in your team) to add this user to ‘restricted’. Please comment with your approval or other information.

RobH added a comment.Aug 19 2021, 3:00 PM
This comment was removed by RobH.
RobH updated the task description. (Show Details)Aug 19 2021, 3:01 PM
thcipriani added a comment.Aug 20 2021, 12:20 AM
In T289259#7294999, @RobH wrote:

@thcipriani,

This is one of three current requests to add a new wmf employee to both ‘restricted’ and ‘analytics-privatedata-users’. As the manager of Release Engineering, we'd like your approval (or defer approval to someone in your team) to add this user to ‘restricted’. Please comment with your approval or other information.

Maintenance use-case makes sense to me, approved!

RobH assigned this task to odimitrijevic.Aug 20 2021, 4:38 PM
In T289259#7294999, @RobH wrote:

@odimitrijevic,

This is one of three current requests to add a new wmf employee to both ‘restricted’ and ‘analytics-privatedata-users’. As the director of Analytics, we'd like your approval (or defer approval to someone in your team) to add this user to ‘analytics-privatedata-users’. Please comment with your approval or other information.

@odimitrijevic, This is just pending your approval so I've assigned it to you to ensure visibility. Please comment and if approved, just remove yourself (so it is unassigned) and it'll be picked up by myself (if this week) or by SRE clinic duty next week. Thanks!

RobH updated the task description. (Show Details)Aug 20 2021, 4:39 PM
RobH updated the task description. (Show Details)
RobH unsubscribed.Aug 20 2021, 9:43 PM
jcrespo subscribed.Aug 24 2021, 8:12 AM

Hi, @odimitrijevic, this is a friendly reminder that this request (and other 2) are pending on your approval. Please take all time you need to review them, I just want to confirm you are aware of them and just need more time to attend them (sometimes phabricator notifications policies are strange or people may be on vacations, so I would search someone else on your team).

jcrespo triaged this task as High priority.Aug 26 2021, 1:58 PM
odimitrijevic added a comment.Aug 31 2021, 6:02 PM

Approved! Apologies for the delay.

gerritbot added a comment.Sep 1 2021, 9:26 AM

Change 715928 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] admin: add nforrester

https://gerrit.wikimedia.org/r/715928

gerritbot added a project: Patch-For-Review.Sep 1 2021, 9:26 AM
gerritbot added a comment.Sep 1 2021, 12:24 PM

Change 715928 merged by Filippo Giunchedi:

[operations/puppet@production] admin: add nforrester

https://gerrit.wikimedia.org/r/715928

Maintenance_bot removed a project: Patch-For-Review.Sep 1 2021, 1:11 PM
fgiunchedi subscribed.Sep 1 2021, 1:42 PM

@NForrester access has been set up, please confirm the following:

  • SSH access is working
  • the kerberos initial password (sent via email) has been changed

thank you!

fgiunchedi reassigned this task from odimitrijevic to NForrester.Sep 2 2021, 6:42 AM
fgiunchedi moved this task from Manager/NDA Approval/Confirmation to Awaiting User Input on the SRE-Access-Requests board.Sep 2 2021, 9:07 AM
NForrester added a comment.Sep 7 2021, 11:16 AM

I can confirm that SSH access is working and the initial kerberos password has been changed.

Thank you kindly for all your work on this!

fgiunchedi closed this task as Resolved.Sep 7 2021, 11:45 AM
fgiunchedi updated the task description. (Show Details)

I'm glad things are working @NForrester! Resolving

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits