
Requesting access to analytics-privatedata-users for lbowmaker
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: https://wikitech.wikimedia.org/wiki/User:Luke_Bowmaker
  • Email address: lbowmaker@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): n/a
  • Requested group membership: analytics-privatedata-users
  • Reason for access: PM on the Data Platform team, need read access to generated datasets for analysis. I will be using the Superset UI mainly to view data. I don't need shell access at this point.
  • Name of approving party (manager for WMF/WMDE staff): Desiree Abad
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet.)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys).
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff).
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml.

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

I approve this request for Luke Bowmaker.

Approved.

I think Luke will probably want/need shell access eventually, so if he's willing to generate an ssh key, let's get him full ssh and Kerberos too.

Thanks all. I have generated an ssh key.

@lbowmaker Great, thanks. Please paste somewhere in this task the public part of the key (a line of text that will start with something like ssh-ed25519 or ssh-rsa) and I'll get you set up.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDFAMA39ztgFi5ECZb5JUN8BEUNR6UdckIzZBP8gQq9 lbowmaker@wikimedia.org

Thanks!

Change 731120 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] shell access & analytics w/ krb for lbowmaker

https://gerrit.wikimedia.org/r/731120

Change 731120 merged by CDanis:

[operations/puppet@production] shell access & analytics w/ krb for lbowmaker

https://gerrit.wikimedia.org/r/731120

CDanis claimed this task.

Access granted to the wmf group in LDAP, so you should be able to access web-based tools.

Shell account created. It's live already on bast1003.wikimedia.org if you want to test that your key works (see https://wikitech.wikimedia.org/wiki/SRE/Production_access#Setting_up_your_access). It will be live on the rest of the fleet within half an hour.

I also created a Kerberos principal for you for authenticating to Hive et al. You should have an email with your temporary password.

Let me know if you run into any trouble!

@CDanis - the SSH part worked but I was having trouble accessing some sites.

superset.wikimedia.org redirects to:

https://idp.wikimedia.org/login?service=https%3a%2f%2fsuperset.wikimedia.org%2f

I try to log in with: Luke Bowmaker but I get this message:

Service access denied due to missing privileges.

However, if I go to: https://idp.wikimedia.org/login then it says:

Log In Successful
You, Luke Bowmaker, have successfully logged into the Central Authentication Service. However, you are seeing this page because CAS does not know about your target destination and how to get you there. Examine the authentication request again and make sure a target service/application that is authorized and registered with CAS is specified.

Any idea what that could be?

Also, this doesn't work either (same issue) - this should work on LDAP wmf membership

https://grafana-rw.wikimedia.org/?orgId=1

CDanis added subscribers: jbond, MoritzMuehlenhoff.

Interesting, I haven't encountered this before.

You are in the wmf LDAP group: https://ldap.toolforge.org/user/lbowmaker

@MoritzMuehlenhoff @jbond any idea what's going on here?

Please ignore the above; after logging into CAS, then out, then back in to CAS, the links to superset, turnilo, etc. worked.

Weird, but happy to hear it :)

Just a note to say that CAS/IDP (and also mod_auth_cas) only resolve attributes, including the memberOf attribute, at session creation (when you log in). So if you are added to a group, you need to log out of CAS and log back in for changes to take effect. You may also need to kill application-specific sessions; however, these are normally quite short (1 hour) or die with the browser session. (Also, in theory SingleLogout should also take care of this.)
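
The behaviour described in the last comment, as an added example that is not part of the original task or of any Wikimedia code: a toy model of an SSO service that snapshots memberOf at login, with a check that tells a stale session apart from a group that is really missing. The class names, the user "alice" and the return strings are assumptions; only the "wmf" group and the "superset" service name come from the task.

```python
from dataclasses import dataclass

class Directory:
    """Stand-in for LDAP: the live source of group membership."""
    def __init__(self):
        self.groups = {}  # username -> set of group names
    def member_of(self, user):
        return frozenset(self.groups.get(user, ()))

@dataclass
class Session:
    user: str
    member_of: frozenset  # snapshot taken at login, never refreshed

class IdP:
    """Toy SSO that resolves memberOf once, at session creation."""
    def __init__(self, directory, service_acl):
        self.directory = directory
        self.service_acl = service_acl  # service -> required group
        self.sessions = {}
    def login(self, user):
        self.sessions[user] = Session(user, self.directory.member_of(user))
    def logout(self, user):
        self.sessions.pop(user, None)
    def authorize(self, user, service):
        s = self.sessions.get(user)
        if s is None:
            return "login required"
        ok = self.service_acl[service] in s.member_of
        return "granted" if ok else "denied: missing privileges"
    def diagnose(self, user, service):
        """Tell a stale session apart from a group that is really missing."""
        required = self.service_acl[service]
        if required not in self.directory.member_of(user):
            return "not in group"
        s = self.sessions.get(user)
        if s is not None and required not in s.member_of:
            return "stale session: log out and back in"
        return "ok"

def replay():
    """Constructed scenario: user logs in, is then added to the group."""
    d = Directory()
    idp = IdP(d, {"superset": "wmf"})
    idp.login("alice")
    d.groups["alice"] = {"wmf"}
    before, hint = idp.authorize("alice", "superset"), idp.diagnose("alice", "superset")
    idp.logout("alice"); idp.login("alice")
    return before, hint, idp.authorize("alice", "superset")
```

The same snapshot works in the other direction: a removal from a group does not take effect in an existing session until that session ends, which is why session lifetime matters when access is revoked.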