Page MenuHomePhabricator
Create Task
Maniphest T310021

Requesting access to analytics-privatedata-users for Bruno Scarone
Closed, ResolvedPublic
Actions

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Bruno Scarone
  • Email address: scarone.b@northeastern.edu
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElXAh+NueiIvNo55Qv8+Mm4GVx7A7KiOSdMiS/AIX6J scarone.b@northeastern.edu
  • Requested group membership: analytics-privatedata-users
  • Reason for access: research intern with Research (for search research) who will work on Research:Understanding search behavior of users (Note: Bruno has signed a Contractor Confidentiality agreement)
  • Name of approving party (manager for WMF): @leila
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: I have read and signed the L3 document.
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
bscarone: shell/analytics/krb accessoperations/puppetproduction+12 -1
Customize query in gerrit

Related Objects

Event Timeline

leila created this task.Jun 6 2022, 9:19 PM
leila updated the task description. (Show Details)
leila added a subscriber: EBernhardson.Jun 6 2022, 9:22 PM

@EBernhardson I'm prepping access request for Bruno, our search research intern. Question: other than "analytics-privatedata-users", what does he need access to to be able to access search logs or other search related data? ("analytics-privatedata-users" is our go-to request for formal collaborations as that will give access to analytics clusters and webrequest logs.)

leila updated the task description. (Show Details)Jun 6 2022, 9:23 PM
leila updated the task description. (Show Details)
bscarone updated the task description. (Show Details)Jun 6 2022, 11:43 PM
bscarone updated the task description. (Show Details)Jun 7 2022, 2:36 AM
bscarone updated the task description. (Show Details)Jun 7 2022, 8:41 PM
bscarone updated the task description. (Show Details)
leila renamed this task from Requesting access to TBD for Bruno Scarone to Requesting access to analytics-privatedata-users for Bruno Scarone.Jun 8 2022, 1:54 AM
leila added a project: SRE-Access-Requests.
leila updated the task description. (Show Details)

This request is approved on my end.

(Please note that I'm not sure if other than analytics-privatedata-users whether Bruno needs access to another group as he will need to work with both webrequest logs and search logs.)

Maintenance_bot added a project: SRE.Jun 8 2022, 2:29 AM
CDanis claimed this task.Jun 8 2022, 3:24 PM
CDanis added subscribers: bscarone, CDanis.

For now I'll grant analytics-privatedata-users and if later it turns out more access is needed, @EBernhardson or @bscarone can re-open the ticket.

CDanis added a comment.Jun 8 2022, 8:29 PM

@leila I saw on the Research project page you linked that the project lasts through August, so I set an expiry_date of Sept 1st 2022 in my patch. Please let me know if this is wrong :)

gerritbot added a comment.Jun 8 2022, 8:31 PM

Change 803982 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] bscarone: shell/analytics/krb access

https://gerrit.wikimedia.org/r/803982

gerritbot added a project: Patch-For-Review.Jun 8 2022, 8:31 PM
gerritbot added a comment.Jun 8 2022, 8:33 PM

Change 803982 merged by CDanis:

[operations/puppet@production] bscarone: shell/analytics/krb access

https://gerrit.wikimedia.org/r/803982

CDanis closed this task as Resolved.Jun 8 2022, 8:37 PM

@bscarone you should now be able to use that SSH key to access production per the shell access instructions -- bast1003.wikimedia.org is a good first host to attempt with.

Also you should have an email about your Kerberos principal for accessing Analytics data once logged in via shell.

Please reopen if you need help!

Maintenance_bot removed a project: Patch-For-Review.Jun 8 2022, 9:30 PM
Gehel subscribed.Jun 10 2022, 7:30 AM

Just to confirm: analytics-privatedata-users should be all that is required for @bscarone

bscarone added a comment.Jun 10 2022, 8:30 PM

@CDanis once I am on bast1003.wikimedia.org and ssh stat1005.eqiad.wmnet or stat1008.eqiad.wmnet I am prompted to enter a password, so I am not able to run kinit to use the temporary password to log in. Any idea of what I am doing wrong? Thanks!

bscarone reopened this task as Open.Jun 10 2022, 8:31 PM
CDanis added a comment.Jun 10 2022, 8:32 PM
In T310021#7995684, @bscarone wrote:

@CDanis once I am on bast1003.wikimedia.org and ssh stat1005.eqiad.wmnet or stat1008.eqiad.wmnet I am prompted to enter a password, so I am not able to run kinit to use the temporary password to log in. Any idea of what I am doing wrong? Thanks!

You don't use the bastion hosts directly to access other hosts -- instead you configure your local ssh to use them as a proxy automatically. Please check out the sample configuration at https://wikitech.wikimedia.org/wiki/SRE/Production_access#Setting_up_your_access and let me know if you still have trouble once that is installed

bscarone added a comment.Jun 10 2022, 8:40 PM

Oh, I see, that was the issue. Now I managed to do it, thank you, I will close the task.

bscarone closed this task as Resolved.Jun 10 2022, 8:40 PM
leila mentioned this in T330364: Requesting access to analytics-privatedata-users for Bruno Scarone.Feb 23 2023, 1:13 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits