Page MenuHomePhabricator
Create Task
Maniphest T300579

Add dhorn to analytics-privatedata-users
Closed, ResolvedPublic
Actions

Description

I'd like to be added to analytics-privatedata-users, to be able to access private data sets in Superset and Turnilo, after HDFS permission updates.

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Shell username: dannyh
  • Ssh public key (must be dedicated key for wmf production): n/a
  • Requested group membership: analytics-privatedata-users
  • Reason for access: see above
  • Name of approving party (hiring manager for WMF staff): Carol Dunn
  • Requestor -- Please Acknowledge that you have read and signed the L3 Wikimedia Server Access Responsibilities document:
  • Requestor -- Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - Patchset for access request

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin: Add dannyh to analytics-privatedata-usersoperations/puppetproduction+8 -5
Customize query in gerrit

Event Timeline

DannyH created this task.Jan 31 2022, 9:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2022, 9:57 PM
DannyH added a comment.Jan 31 2022, 9:58 PM

I hope that I've done this correctly; please let me know if I've made a mistake. Thanks!

RhinosF1 added subscribers: Ladsgroup, Ottomata, odimitrijevic, RhinosF1.Jan 31 2022, 10:22 PM

Adding Andrew & Olja as they normally approve for this group.

@DannyH: it looks good. @Ladsgroup is on clinic duty this week and will pick it up for you! Please get your manager to comment on the task ready with their approval.

Ottomata added a comment.Jan 31 2022, 10:42 PM

Approved!

Ottomata added a comment.Jan 31 2022, 10:43 PM

Looks like Danny will not need shell access, just ssh-keyless group membership.

CDunn subscribed.Jan 31 2022, 11:47 PM

Approved

Ladsgroup claimed this task.Feb 1 2022, 1:42 AM

According to https://github.com/wikimedia/puppet/blob/production/modules/admin/data/data.yaml your shell username is dannyh, or you want a new username set?

Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptFeb 1 2022, 1:42 AM
gerritbot added a comment.Feb 1 2022, 5:38 AM

Change 758603 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/puppet@production] admin: Add dannyh to analytics-privatedata-users

https://gerrit.wikimedia.org/r/758603

gerritbot added a project: Patch-For-Review.Feb 1 2022, 5:38 AM
Ladsgroup added a comment.Feb 1 2022, 5:40 AM

I made the patch for it, please confirm that the correct LDAP username is dannyh and I will merge it. Keep it in mind this is wikimedia production/cloud ldap account which is different from WMF ITS LDAP account. It is basically your wikitech.wikimedia.org username and password.

DannyH added a comment.Feb 1 2022, 10:11 PM

I'm not sure how to check this. On Superset, my profile is https://superset.wikimedia.org/superset/profile/dannyh/

To log in, I use DannyH (WMF)

I'm not sure which of those is the LDAP username.

Ladsgroup added a subscriber: jbond.Feb 2 2022, 11:47 AM

I talked to @jbond and it seems you can login with your CN in CAS, that's why "DannyH (WMF)" works but your ldap entry says your usename is "dannyh" and "dhorn" (I think) is your user name in wmf ITS LDAP.

All of this jargon means I just can merge the patch and you will have access in half an hour.

gerritbot added a comment.Feb 2 2022, 11:48 AM

Change 758603 merged by Ladsgroup:

[operations/puppet@production] admin: Add dannyh to analytics-privatedata-users

https://gerrit.wikimedia.org/r/758603

Ladsgroup closed this task as Resolved.Feb 2 2022, 11:49 AM
Ladsgroup updated the task description. (Show Details)

You should be able to access it in half an hour, reopen if that's not the case.

jbond added a comment.Feb 2 2022, 11:51 AM

I talked to @jbond and it seems you can login with your CN in CAS, that's why "DannyH (WMF)" works but your ldap entry says your usename is "dannyh" and "dhorn" (I think) is your user name in wmf ITS LDAP.

To expand a bit on the username cn, uid confusions please see https://wikitech.wikimedia.org/wiki/CAS-SSO#What_username_do_services_use and let me know if that needs additional clarification

Maintenance_bot removed a project: Patch-For-Review.Feb 2 2022, 12:10 PM
Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board.Feb 2 2022, 12:15 PM
DannyH added a comment.Feb 2 2022, 10:08 PM

@Ladsgroup Thank you, I appreciate it!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits