
Requesting access to analytics-privatedata-users and researchers for Effeietsanders
Closed, Resolved / Public / Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: effeietsanders
  • Email address: effeietsanders@gmail.com
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Jzytoma85Fpr+Sy/BuCIJZ16xWMYEPyY0jHPcDkdG
  • Requested group membership: analytics-privatedata-users, researchers
  • Reason for access: a formal collaborator with Research who will work on https://meta.wikimedia.org/wiki/Research:Effectiveness_of_the_new_participant_pipeline_for_Wiki_Loves_campaigns (MOU/NDA are signed)
  • Name of approving party (manager for WMF/WMDE staff): @MGerlach
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: done
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Hi. We have a new formal collaborator onboard: @Effeietsanders. They need access to HDFS and stat machines for a new research project. Let me know if you require more information -- Thank you.

@Effeietsanders in the task description, could you add your public SSH key and acknowledge that you read and signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document?

Approved. This means ssh access + kerberos.

Effeietsanders updated the task description.

Thanks @MGerlach . I added the information.

Dzahn subscribed.

Thanks @Ottomata for answering that right away :)

Dzahn changed the task status from Open to In Progress. (Oct 21 2021, 7:33 PM)
Dzahn updated the task description.

confirmed on "NDA and MOU: Volunteer accounts with Server and LDAP-level access" doc

Change 732805 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: add shell account for effeietsanders, add to analytics-privatedata

https://gerrit.wikimedia.org/r/732805

Change 732805 merged by Dzahn:

[operations/puppet@production] admin: add shell account for effeietsanders, add to analytics-privatedata

https://gerrit.wikimedia.org/r/732805

Change 732826 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: add 'krb: present' to effeietsanders

https://gerrit.wikimedia.org/r/732826

Change 732826 merged by Dzahn:

[operations/puppet@production] admin: add 'krb: present' to effeietsanders

https://gerrit.wikimedia.org/r/732826

Access granted. Shell user has been created on bast1003.wikimedia.org, puppet will have created it on all other relevant servers within half an hour.

Created kerberos principal on krb1001.

@Effeietsanders You should be able to connect as a minimum directly to bast1003 and everything else will work in a couple minutes. See https://wikitech.wikimedia.org/wiki/SRE/Production_access#Setting_up_your_access for how to set up your SSH to jump via a bastion host to other hosts. Let us know if you run into any issues.

edit: Please also read and ack https://wikitech.wikimedia.org/wiki/Analytics/Data_access#User_responsibilities

@MGerlach Done! I took the expiry date of 2022-04-15 from the NDA doc and you are the expiry_contact we will ask about renewal once it gets close to that date. cheers

@Dzahn thanks! Unfortunately ssh keeps asking for a password when I try to ssh into bast: ssh -v bast1003.eqiad.wmnet and also tried stat: ssh stat1005.eqiad.wmnet

Any idea what I'm doing wrong?

I used the standard setup for the config file:

# Turn CanonicalizeHostname on for Match to work below.
CanonicalizeHostname yes

# Defaults for all Wikimedia Foundation hosts.
Match host=*.wikimedia.org,*.wmnet
    ForwardAgent no
    IdentitiesOnly yes
    KbdInteractiveAuthentication no
    PasswordAuthentication no
    User effeietsanders

# Configure the initial connection to the bastion host, with the one
# HostName closest to you.
Host bast
    HostName bast4003.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519_wikitech_prod

# Proxy all connections to internal servers through the bastion host.
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org
    ProxyJump bast
    IdentityFile ~/.ssh/id_ed25519_wikitech_prod

# Configure direct connection to the bastion hosts.
Host bast*.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519_wikitech_prod

Host gerrit.wikimedia.org
    Port 29418
    IdentityFile ~/.ssh/cloud.key

and got this verbose: https://pastebin.com/XxzYe9gM

Hi @Effeietsanders,

I noticed in the log you posted it says " as 'lgelauff'".

But your user name here is effeietsanders. So it seems like you are falling back to a different user name.

Try putting the "User effeietsanders" line also into the "bast" section of your config and then again ssh directly to a bastion and see if that works.

Or test it as now but make sure to use ssh effeietsanders@bast1003.wikimedia.org for example.

Cheers,

Daniel
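
The user-name fallback discussed above can be checked without connecting, as an added example that is not part of the original thread: `ssh -G` (OpenSSH 6.8 or later) prints the configuration the client resolves for a given name, including the login user. The function names `ssh_g_value` and `check_ssh_user` are hypothetical helpers introduced here; the host names in the usage comment are the ones already quoted in this task.

```shell
#!/bin/sh
# Added example: report which login name ssh would send for each host alias.
# `ssh -G` resolves the client configuration and prints it without connecting.

# Read `ssh -G` output on stdin and print the value of one keyword.
ssh_g_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# check_ssh_user EXPECTED_USER CONFIG_FILE ALIAS...
# Prints one line per alias; returns 1 if any alias resolves to another user.
# A ProxyJump alias (here "bast") is resolved by its own ssh invocation, so it
# has to be listed separately from the hosts that jump through it.
check_ssh_user() {
    expected=$1 config=$2
    shift 2
    status=0
    for alias in "$@"; do
        resolved=$(ssh -G -F "$config" "$alias" 2>/dev/null) || {
            echo "ERROR    $alias: ssh -G failed"
            status=1
            continue
        }
        user=$(printf '%s\n' "$resolved" | ssh_g_value user)
        host=$(printf '%s\n' "$resolved" | ssh_g_value hostname)
        if [ "$user" = "$expected" ]; then
            echo "OK       $alias -> $user@$host"
        else
            echo "MISMATCH $alias -> $user@$host (expected $expected)"
            status=1
        fi
    done
    return $status
}

# Usage:
#   check_ssh_user effeietsanders ~/.ssh/config \
#       bast bast1003.wikimedia.org stat1005.eqiad.wmnet
```

A MISMATCH line for an alias means no `User` setting applied to the name as typed, so the client fell back to the local account name.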

Thanks @Dzahn it looks like making the user explicit for bast did the trick, I'm in.

Great! Thanks for confirming and handling the ticket :)

@Dzahn thank you for your help.

I realized we also missed asking for access to LDAP (nda-group) for @Effeietsanders since they will work with Jupyter and Turnilo. Could I ask you to add them to the group or should I open a separate ticket? Thanks again.