I'm a full-time WMF employee, engineer on the iOS app, and need Superset access to view data related to our feature work. Thank you!
Dmantena
No
Superset
wmf
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| admin: Add dmantena to ldap_only_users | operations/puppet | production | +4 -0 |
Change 791480 had a related patch set uploaded (by RLazarus; author: RLazarus):
[operations/puppet@production] admin: Add dmantena to ldap_only_users
Change 791480 merged by RLazarus:
[operations/puppet@production] admin: Add dmantena to ldap_only_users
Hi @Dmantena, you should be all set now:
rzl@mwmaint1002:~$ ldapsearch -x cn=wmf | grep dmantena member: uid=dmantena,ou=people,dc=wikimedia,dc=org
Before I resolve this ticket, though -- I notice you said you currently have shell access, but I wasn't able to locate your account.
If you do have SSH access on WMF production servers (maybe under a different username and email address) could you let me know your shell username please? That way I can make sure our records are consistent, between your shell account and the LDAP access I just gave you. If you don't (for example, if you use a shell account on Wikimedia Cloud, but not in production) then just let me know and we can call this complete.
Thanks!
Before I resolve this ticket, though -- I notice you said you currently have shell access, but I wasn't able to locate your account.
If you do have SSH access on WMF production servers (maybe under a different username and email address) could you let me know your shell username please? That way I can make sure our records are consistent, between your shell account and the LDAP access I just gave you. If you don't (for example, if you use a shell account on Wikimedia Cloud, but not in production) then just let me know and we can call this complete.
@RLazarus Apologies, I misinterpreted the original shell access question – while I have shell access on Wikimedia Cloud, I do not have production shell access. I confirmed I was able to login to Superset so I think we're all set. Thank you!
@RLazarus Sorry for re-opening this task, but while it appears I have Superset access, it doesn't appear I have SQL/Presto access to be able to view the analytics data I was after. Here's a snippet of the stack trace:
Presto Error Permission denied: user=dmantena, access=EXECUTE, inode="/wmf/data/event":analytics:analytics-privatedata-users:drwxr-x--- at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:351) at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:311) at ... This may be triggered by: Issue 1002 - The database returned an unexpected error.
Are you aware of any additional permissions I'd require for SQL/Presto access?
I've left a message with Analytics to check but based on https://wikitech.wikimedia.org/wiki/Analytics/Data_access#What_access_should_I_request?, I think this may need shell access / a posix user too.
Indeed, RhinosF1 is right, take a look at that link and I believe you need analytics-privatedata-users to run queries and access Presto-backed dashboards
@Dmantena: Can you file a new task using https://phabricator.wikimedia.org/maniphest/task/edit/form/8/ or copy the information from that form into this task?
A bit more information is needed for shell access. You'll also need to get your manager to comment on the task with their approval. Please be as detailed as you can in what systems you need so we can sure the Clinic Duty & Analytics team can help you get the access needed as quick as possible.
Thanks for this information! Frankly, I'd prefer not to have production shell access and these elevated permissions. I'm just after a snapshot of the iOS notifications event dashboard (https://superset.wikimedia.org/superset/dashboard/ios_notifications/) and nothing else. Are you aware of any alternatives?
But I understand if you all don't see any way around it though. I'm happy to move forward opening a task with that requested information if it's the only way. I just wanted to be extra careful and sure before requesting more elevated permissions than I in reality need for my purposes :-)
I think we should escalate this directly to the analytics team for advice how to move forward. Let me add them.
Hi y'all - I believe whatever was last done for me on T308616 (adding me to analytics-private-users) might work here as well.
@Tsevener is right, and that's the access that @RhinosF1 pointed to. @Dmantena: unfortunately, due to how authentication and authorization works more broadly at wmf, this is the only way that we can manage access right now. Desiree Abad is leading an effort to improve that, you can connect with her for more details. But I totally agree with you that there should be a way to get this access without all the other implications. For your peace of mind, you can read the User Responsibilities section. You'll notice that you're very unlikely to get in trouble if you're going through the use case you describe here.
thanks @Milimetric.that makes sense. it was just out of habit to still use that tag. gotcha for next time