
Requesting access to Analytic Cluster for Muniza
Closed, Resolved (Public)

Description

@MunizaA will be working as a Research Contractor for the Research team, until the of June 2022. We need to give her access to the analytic cluster.

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Muniza
  • Preferred shell username: mnz (matching wikitech acct)
  • Email address: munaslam001@gmail.com
  • Ssh public key (must be dedicated key for wmf production): P17452
  • Requested group membership: analytics-privatedata-users (with kerberos)
  • Reason for access: Research Contractor in this project
  • Name of approving party (hiring manager for WMF staff): @diego
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document:
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party:

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff)
  • Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

@MunizaA please update the task description with your SSH key.

CDanis added a subscriber: CDanis.

Andrew, can you approve? Thanks!

@diego, does Leila need to approve this too?

I'll let @odimitrijevic officially approve this one from our end, but it is ok by me.
Olja, this is a case of a non WMF employee getting access to private data via an official Research collaboration for a defined time period, which we usually approve. Just wanted to run it by you first since you might not have seen one of these yet.

CDanis added a subscriber: Ottomata.

@MunizaA can you please sign the L3 agreement by clicking on L3? Thanks!

> @diego, does Leila need to approve this too?

@Ottomata, I don't think so, I'm Muniza's hiring manager, and Muniza has already signed a contract including an NDA.

@MunizaA can you confirm that this wikitech user is you? https://ldap.toolforge.org/user/mnz

Also would you rather have mnza0001@gmail.com (from that wikitech account) or munaslam001@gmail.com (from this ticket) associated with this shell account?

> @MunizaA can you confirm that this wikitech user is you? https://ldap.toolforge.org/user/mnz
>
> Also would you rather have mnza0001@gmail.com (from that wikitech account) or munaslam001@gmail.com (from this ticket) associated with this shell account?

@CDanis That's me. I'd like to use munaslam001@gmail.com with this shell account, if that's okay.

Change 730589 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] mnz: shell & analytics-privatedata-users w/krb

https://gerrit.wikimedia.org/r/730589

Change 730589 merged by CDanis:

[operations/puppet@production] mnz: shell & analytics-privatedata-users w/krb

https://gerrit.wikimedia.org/r/730589

Shell account created and it will be live in ~30 minutes.

You should be able to connect to bast1003.wikimedia.org immediately though, please make sure your key is properly deployed there and you have access. See https://wikitech.wikimedia.org/wiki/SRE/Production_access#Setting_up_your_access and please let me know if you run into trouble!

I also added you to the nda LDAP group which is needed for access to some Analytics tools.

I've also given you a Kerberos principal for use on the Analytics hosts -- you should have an email with instructions.

Hi! @MunizaA had a problem with her laptop, and she needs to add a new ssh public key to access the cluster.

The new key is here P32283

@CDanis could you help us with this please? Thanks in advance!

RhinosF1 removed MunizaA as the assignee of this task. Edited Aug 4 2022, 1:47 PM
RhinosF1 added subscribers: Mutante, RhinosF1.

Hi @diego, the SRE on duty changes weekly. It is now @Dzahn. I'll make sure they see this.

Change 820285 had a related patch set uploaded (by RhinosF1; author: RhinosF1):

[operations/puppet@production] admin: update ssh key for mnz

https://gerrit.wikimedia.org/r/820285

So.. for security reasons I can't just trust the gerrit/phab user and merge that change. I am supposed to do a verification in some other form.

But in this case there is no @wikimedia.org user and also no contractor -ctr@wikimedia.org address is used (is there a rule for that?) and we have never met.

That rules out the usual methods of "quick google meet" and if the previous key is lost I also can't say to prove it by putting the new key on a prod server.

I honestly don't know how to check this. Which is the open ticket T313299.

CC: @Muehlenhoff

@Dzahn, there is a -ctr email: maslam-ctr@wikimedia.org , would that solve the problem?

> @Dzahn, there is a -ctr email: maslam-ctr@wikimedia.org , would that solve the problem?

This is not linked to the shell account.

@Muehlenhoff I just re-confirmed via call with @MunizaA that ssh-key is correct.

The key in https://phabricator.wikimedia.org/P32283 matches the key in Gerrit, and thanks for checking it. Per comments on T313299 now I just need to have an email or slack message from @diego that all this is legit and then I can go ahead.

@diego could you mail me from your work email or message on slack per T313299#8133643. Then we should be good here. And about the -ctr email address, it would be "nice to have" if @MunizaA you could use that wikimedia.org email address in your wikitech user. (But you can also have both, work and personal user if you prefer).

BCornwall triaged this task as Medium priority. Aug 8 2022, 9:44 PM

Hi @BCornwall, just to say this is a high priority for us. We have already lost 4 days of work with @MunizaA being locked out from the servers.

Diego has confirmed via email so merging this given MunizaA has been locked out. @MunizaA: echoing @Dzahn's suggestion above to update the address if possible. Thank you!

Change 820285 merged by Ssingh:

[operations/puppet@production] admin: update ssh key for mnz

https://gerrit.wikimedia.org/r/820285

ssingh claimed this task.

Change has been merged.