Requesting access to the data engineering team resources for Antoine Qu'hen
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Aqu
  • Developer access user name: aqu
  • Email address: aquhen@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):

ssh-rsa [public key material not preserved on this page] aquhen@wikimedia.org production

I confirm that this key is separate from my Wikimedia Cloud/Gerrit key.

  • Requested group membership: analytics-privatedata-users, analytics-admins
  • Reason for access: Onboarding Antoine Qu'hen in his role as a data engineer in the analytics (data engineering) team
  • Name of approving party (manager for WMF/WMDE staff): Olja Dimitrijevic
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: I can confirm that I have signed this document.
  • Please coordinate obtaining a comment of approval on this task from the approving party.

I believe that I also need:

  • a membership in the wmf group in LDAP
  • a Kerberos principal

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Change 751956 had a related patch set uploaded (by Aqu; author: Aqu):

[operations/puppet@production] admin: create shell user aqu, add to analytics-privatedata-users

https://gerrit.wikimedia.org/r/751956

Change 751956 merged by Btullis:

[operations/puppet@production] admin: create shell user aqu, add to analytics-privatedata-users

https://gerrit.wikimedia.org/r/751956

I have added aqu to the wmf LDAP group as per: https://wikitech.wikimedia.org/wiki/SRE/LDAP#Add_a_user_to_a_group

btullis@mwmaint1002:~$ sudo modify-ldap-group wmf
Searching in: dc=wikimedia,dc=org
      1 entry read
Searching in: ou=groups
      1 entry read
Search failed: No such object
No search results.
add: 0, rename: 0, modify: 1, delete: 0
Action? [yYqQvVebB*rsf+?] y
Done.

I have also added Antoine to the WMF-NDA group in Phabricator, as per instructions.

Maybe I jumped the gun here. I think that perhaps this ought to have been more correctly handled by the person on SRE clinic duty. https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty
As per the notes here: https://wikitech.wikimedia.org/wiki/SRE/Production_access#Filing_the_request

I won't do any more work on this and I apologise if I have mismanaged the onboarding process for Antoine.

No I think any SRE can do the work; IIUC clinic duty exists to make sure things like this don't fall through the cracks. Proceed!

BTullis triaged this task as Medium priority.

I have created a Kerberos principal for Antoine.

btullis@krb1001:~$ sudo manage_principals.py get aqu
get_principal: Principal does not exist while retrieving "aqu@WIKIMEDIA".
btullis@krb1001:~$ sudo manage_principals.py create aqu --email_address=aquhen@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to aquhen@wikimedia.org

His account is already marked as kerberos: present in data.yaml.

I believe that this is now complete, but feel free to respond on this ticket Antoine if anything doesn't behave as you'd expect.

@Antoine_Quhen - I notice that you haven't added yourself to the analytics-admins group in data.yaml, only the analytics-privatedata-users group. I think that this will be required at some point, but it's not urgent by any means.

Change 753061 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/puppet@production] Adding user Antoine Qu'hen to analytics-admin group

https://gerrit.wikimedia.org/r/753061

Change 753061 merged by Cathal Mooney:

[operations/puppet@production] Adding user Antoine Qu'hen to analytics-admin group

https://gerrit.wikimedia.org/r/753061

cmooney subscribed.

On the back of Olja's explicit approval I've added the username to the 'analytics-admin' group in data.yaml now.

@Antoine_Quhen please advise if things are working for you and I will resolve this request. Thanks.

Thanks @cmooney

My analytics-admin access is working as it should. For example, I can now access an-launcher1002.eqiad.wmnet.

Super, thanks for confirming! Any other problems, just let me know :)