Page MenuHomePhabricator

Requesting access to analytics-privatedata-users for lbowmaker
Closed, ResolvedPublicRequest


Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username:
  • Email address:
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): n/a
  • Requested group membership: analytics-privatedata-users
  • Reason for access: PM on the Data Platform team need read access to generated datasets for analysis. I will be using superset UI mainly to view data. I don't need shell access at this point.
  • Name of approving party (manager for WMF/WMDE staff): Desiree Abad
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see

Event Timeline

I approve this request for Luke Bowmaker.


I think Luke will probably want/need shell access eventually, so if he's willing to generate an ssh key, let's get him full ssh and Kerberos too.

Thanks all. I have generated an ssh key.

@lbowmaker Great, thanks. Please paste somewhere in this task the public part of the key (a line of text that will start with something like ssh-ed25519 or ssh-rsa) and I'll get you set up.



Change 731120 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] shell access & analytics w/ krb for lbowmaker

Change 731120 merged by CDanis:

[operations/puppet@production] shell access & analytics w/ krb for lbowmaker

CDanis claimed this task.

Access granted to the wmf group in LDAP, so you should be able to access web-based tools.

Shell account created. It's live already on if you want to test that your key works (see It will be live on the rest of the fleet within half an hour.

I also created a Kerberos principal for you for authenticating to Hive et al. You should have an email with your temporary password.

Let me know if you run into any trouble!

@CDanis - the SSH part worked but I was having trouble accessing some sites. redirects to:

I try to login with: Luke Bowmaker but I get this message:

Service access denied due to missing privileges.

However, if I go to: then it says:

Log In Successful
You, Luke Bowmaker, have successfully logged into the Central Authentication Service. However, you are seeing this page because CAS does not know about your target destination and how to get you there. Examine the authentication request again and make sure a target service/application that is authorized and registered with CAS is specified.

Any idea what that could be?

Also, this doesn't work either (same issue) - this should work on LDAP wmf membership

CDanis added subscribers: jbond, MoritzMuehlenhoff.

Interesting, I haven't encountered this before.

You are in the wmf LDAP group:

@MoritzMuehlenhoff @jbond any idea what's going on here?

Please ignore the above, after logging into CAS, then out, then back in to CAS the links to superset, turnilo, etc worked.

Weird, but happy to hear it :)

Just a note to say that CAS/IDP (and also mod_auth_cas) only resolve attributes including the memberOf attribute at session creation (when you login). so if you are added to a group you need to logout of CAS and log back in for changes to take effect. you may also need to kill application specific sessions, however theses are normally quite short (1 hour) or die with the browser session. (also in theory SingleLogout should also take care of this)