Requesting access to Stat1007 for jmando
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Jmando
  • Email address: jmando-ctr@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhRXJiQz3jMGbDfCY5VO8CZJQHMwfq6FQsBGUhHjXTs josephmando@wmf2938
  • Requested group membership: 'analytics-privatedata-users'
  • Reason for access: Will use as a member of the fundraising analytics team
  • Name of approving party (manager for WMF/WMDE staff): Erin Yener
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

For contractors only:

  • Contract end date: 2022-07-19
  • Contract contact person: Erin Yener (@EYener)

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff) @EYener
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

jcrespo added subscribers: KFrancis, jcrespo.

@JMando You don't seem to have an ssh key defined on wikitech/horizon (WMFCloud). That's ok- it is absolutely not needed for production access, but note that as per what you just signed on L3, if you reuse your production SSH key on cloud, access to production will be cut.

We will need the approval of 2 people here, Jmando's manager @EYener to confirm the contractual relationship we have with him and that the need is correct; and then director of Data Engineering to approve it.

Regarding the NDA, @JMando doesn't appear on Namely, nor in the list of NDA signatures, so I have no way to verify it was signed, so I think I will require assistance from @KFrancis, as either NDA was already signed as part of the contract or there is need for one now.

Thank you for the notes, and absolutely approved! @JMando is a 40-hour / week, long-term contractor in a senior level position with a full confidentiality agreement who is a core member of our team. He will need access to production data on stat100x machines in order to query, model, and analyze data that impacts Fundraising Analytics outcomes, such as pageviews and banner history event collection during Fundraising campaigns.

I'm happy to provide more details about use cases we have in Fundraising (and will have in the future) for this data, as well as provide documentation that @JMando has already signed if it would be helpful.

@EYener a simple approve was enough, at least for us SREs :-). Thank you! This is mostly a formality to make sure we check he is who he says he is.

Actual approval will be signed off by the service owner: Data Engineering.

Assigning to @KFrancis for NDA check- legal should be able to tell us if the right things are already signed.

BTW, @JMando 'researchers' is a deprecated role, DE team is likely to suggest a different group for your access, probably the other one you are asking for: analytics-privatedata-users. Check also https://wikitech.wikimedia.org/wiki/Analytics/Data_access#What_access_should_I_request? to understand if you will need kerberos access (for Hadoop, Hive, Presto access).

@jcrespo I spoke with @EYener and it looks like I will need kerberos access. Should I make a separate ticket for that?

No need for another ticket, just making it explicit on the 'Requested group membership' section on the description above will make me not forget it when deploying the change 0:-) Thank you!

@jcrespo Hi Jaime, Joseph Mando is currently a contractor with the WMF and therefore the NDA is covered under the contractor agreement signed. Thanks!

jcrespo added a subscriber: odimitrijevic.

Thank you for the quick clarification. Assigning to @odimitrijevic for the Data Engineering approval.

@JMando One last thing I need from you is: some contractors/researchers/grantees have an end of contract date. If you have one (can be extended later) I will need it to note it on the access properties so we can contact @EYener ahead of time so there are no interruptions on your access near renewals.

@jcrespo Right now that date is July 19, 2022.

Thank you! Now only waiting on Analytics final approval.

I think I can still approve these for Analytics access. Approved!

Change 715920 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] admin: add jmando

https://gerrit.wikimedia.org/r/715920

Change 715920 merged by Filippo Giunchedi:

[operations/puppet@production] admin: add jm

https://gerrit.wikimedia.org/r/715920

@JMando access has been set up, please confirm the following:

  • SSH access is working
  • the kerberos initial password (sent via email) has been changed

thank you!

Hi all! Thank you for working on this and granting access for @JMando! We have been working from the level of access authorized, which you've all granted, to trying to confirm that we can login as expected, and hitting some roadblocks - probably user error on my part, as I'm guessing the instructions I've written up have changed since I last checked.

It would be much appreciated if you could help me figure out a few questions I have or point me toward the correct documentation.

  • Now that stat machine access is granted, and assuming the config file is correctly written, what is the manual command for access to the stat machines? I have previously used ssh stat1007.eqiad.wmnet but this no longer appears to be working (for me or for @JMando)
  • There are several UIs that I was assuming would be accessible once we were given the 'okay' but @JMando got a 'permissions denied' error. The portals are those for Hue, Turnilo, and Superset (links below). Could you advise on how to access or which credentials to use?

URLS for Hue, Turnilo, and Superset:
https://hue.wikimedia.org/hue/editor/?type=hive
https://turnilo.wikimedia.org/
https://superset.wikimedia.org/superset/welcome

Thanks for your help!

  • Now that stat machine access is granted, and assuming the config file is correctly written, what is the manual command for access to the stat machines? I have previously used ssh stat1007.eqiad.wmnet but this no longer appears to be working (for me or for @JMando)

I verified the host stat1007.eqiad.wmnet is up and ssh-accessible for me, could you check your configuration against https://wikitech.wikimedia.org/wiki/SRE/Production_access#Setting_up_your_access ? And paste the error from ssh -v stat1007.eqiad.wmnet when connecting? Thank you!

  • There are several UIs that I was assuming would be accessible once we were given the 'okay' but @JMando got a 'permissions denied' error. The portals are those for Hue, Turnilo, and Superset (links below). Could you advise on how to access or which credentials to use?

This was an oversight on my part, as nda LDAP group access was missing, web access should be working now! Please confirm

Thanks! Error for me when I ssh -v stat1007.eqiad.wmnet:

eyener@wmf2395 ~ % ssh stat1007 -v eqiad.wmnet
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/eyener/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: hostname canonicalisation enabled, will re-parse configuration
debug1: re-parsing configuration
debug1: Reading configuration data /Users/eyener/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to stat1007 port 22.
ssh: Could not resolve hostname stat1007: nodename nor servname provided, or not known

@EYener you typed ssh stat1007 -v eqiad.wmnet, try ssh -v stat1007.eqiad.wmnet :)

Oh yes. That will help. :) Connected, thank you!

Fantastic, thank you @EYener and @Ottomata ! Awaiting confirmation of access from @JMando

I am in now. I can access those UI's and successfully ssh into stat1007. Thank you!

Hi again! One further question for you all; does @JMando have access to jupyter? The command ssh -N stat1005.eqiad.wmnet -L 8880:127.0.0.1:8880 seems to open a tunnel successfully but he was unable to reach Jupyter at localhost:8000 ("This site can't be reached" error).

Ah, nice. I'll go get my vision checked and close out this task. Thank you for correcting my numerous typos during this setup process.