
Requesting access to restricted for htriedman
Closed, Declined | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: htriedman
  • Email address: htriedman@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINg+30YbsjYeICXShn3j8eeB3plcZejaRmxETshPQ7bT haltriedman@Hals-MacBook-Pro.local
  • Requested group membership: restricted
  • Reason for access: To investigate the frequency and severity of privacy breaches in event streams among revisions that are reverted due to sensitive information in a page title or username. More information about the specific issue here. To conduct this investigation, I specifically need access to the gu_blocked and gu_hidden fields within the centralauth globaluser table (for globally suppressed users) and the ipb_deleted field within local instances of the ipblocks table.
  • Name of approving party (manager for WMF/WMDE staff): Jennifer Cross
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Done
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Hello everyone, I'm not sure why this is a request to restricted. That user group is normally used for people to run maintenance queries or (write) queries on production databases, which does not appear to be the use case here.

I think that analytics-privatedata-users (without kerberos) would be better, as that'd give the requestor access to the unredacted analytics MariaDB replicas, without giving them the ability to run write queries or otherwise change stuff in MediaWiki.

Actually...htriedman appears to already be in the analytics-privatedata-users group (albeit with a different SSH key), so I don't think anything's needed here.

@Htriedman Can you try to ssh to stat1004.eqiad.wmnet and run analytics-mysql frwiki there, and see if that meets your needs?

@Htriedman Hi, I can get you set up here! I see you're already a member of analytics_privatedata_users but with a different SSH key -- assuming that you can still use that key, there's no need for a new one; I can just add your account to the restricted group, and you can continue to log in with the existing key. If that won't work (e.g. you no longer have access to that private key) let me know and we can address that too.

@Jcross Can you please comment here, approving as Hal's manager?

@thcipriani And can you approve for restricted please?

Ah sorry, crossed in-flight -- @Htriedman please go ahead with @Urbanecm's request and let us know how it goes.

Hi @Urbanecm, thanks for the quick response and the helpful pointer. I've been able to get into centralauth by running analytics-mysql centralauth, and can query centralauth.globaluser. I must've been mistaken in thinking that I need access to mwmaint — that came up as part of a discussion with one of my peers who had access to mwmaint, and I didn't realize the same data was accessible with my current user permissions. You can deny this request and close this ticket.

Let's call this declined then :).

It's usually better to use analytics-related privs for research purposes. As I said above, with mwmaint access, you can actually break a lot of things :).

If you need this in a script or sth, https://wikitech.wikimedia.org/wiki/Analytics/Systems/MariaDB are the upstream docs, just in case you need them.

Totally understand. Thanks for the tips!