Page MenuHomePhabricator
Create Task
Maniphest T311628

Create Swift account for readonly access to ML models
Closed, ResolvedPublic
Actions

Description

Similar to T280773, we'd like to add an account for readonly access to the ML models stored on Thanos Swift (and in the future, the MOSS cluster). The existing account/user (mlserve:prod) would continue to be used to upload models to the storage bucket.

Naming is a bit tricky (also because I don't know conventions used here all that well. One option would be mlserve:readonly, and we'd clean up the mlserve:prod name into something more useful/accurate later.

On the puppet side, changes 682097 and 682125 plus one for the actually-private repo would follow once we have hashed out the name. One question here is what values access can have to make an account have read-only access.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+6 -0profile::thanos::swift: add a read only account for ml-serve
labs/privatemaster+1 -0profile::thanos::swift: add mlserve_ro account
Customize query in gerrit

Related Objects

Event Timeline

klausman created this task.Jun 29 2022, 1:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 29 2022, 1:32 PM
elukey added a subscriber: MatthewVernon.Jun 30 2022, 8:40 AM

@MatthewVernon hi! Do you have any guidance about how to proceed?

elukey updated the task description. (Show Details)Jun 30 2022, 8:41 AM
elukey updated the task description. (Show Details)
gerritbot added a comment.Jul 4 2022, 8:35 AM

Change 810840 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::thanos::swift: add a read only account for ml-serve

https://gerrit.wikimedia.org/r/810840

gerritbot added a project: Patch-For-Review.Jul 4 2022, 8:35 AM
gerritbot added a comment.Jul 4 2022, 1:46 PM

Change 810926 had a related patch set uploaded (by Elukey; author: Elukey):

[labs/private@master] profile::thanos::swift: add mlserve_ro account

https://gerrit.wikimedia.org/r/810926

gerritbot added a comment.Jul 4 2022, 1:47 PM

Change 810926 merged by Elukey:

[labs/private@master] profile::thanos::swift: add mlserve_ro account

https://gerrit.wikimedia.org/r/810926

elukey mentioned this in rLPRId49724705063: profile::thanos::swift: add mlserve_ro account.Jul 4 2022, 2:11 PM
gerritbot added a comment.Jul 4 2022, 2:15 PM

Change 810840 merged by Elukey:

[operations/puppet@production] profile::thanos::swift: add a read only account for ml-serve

https://gerrit.wikimedia.org/r/810840

Stashbot added a comment.Jul 4 2022, 2:19 PM

Mentioned in SAL (#wikimedia-operations) [2022-07-04T14:19:43Z] <elukey> roll restart of thanos-fe's proxy to pick up a new account - T311628

Maintenance_bot removed a project: Patch-For-Review.Jul 4 2022, 2:30 PM
elukey added a comment.Jul 4 2022, 3:30 PM

The new mlserve:ro account has been added, but if I try to use s3cmd with the new credentials I get an error:

elukey@stat1004:~$ sudo s3cmd -c test.cfg get s3://wmf-ml-models/goodfaith/enwiki/20220214192144/model.bin --force 
download: 's3://wmf-ml-models/goodfaith/enwiki/20220214192144/model.bin' -> './model.bin'  [1 of 1]
ERROR: S3 error: 500 (InternalError): unexpected status code 409

In the logs the 409 seems originated by a 403, so the new account is not able to read anything.

elukey added a comment.Jul 5 2022, 8:31 AM

Filippo applied the following rule and everything now works:

swift post wmf-ml-models+segments -r 'mlserve:ro'

I had previously only added:

swift post wmf-ml-models -r "mlserve:ro"
elukey added a comment.Jul 5 2022, 8:34 AM

Tried to upload a model with the new read only account and I got access denied (good):

elukey@stat1004:~$ sudo s3cmd -c test.cfg put model.bin s3://wmf-ml-models/test/model.bin
upload: 'model.bin' -> 's3://wmf-ml-models/test/model.bin'  [1 of 1]
  2752512 of 10351347    26% in    0s     3.51 MB/s  failed
  2752512 of 10351347    26% in    1s     2.51 MB/s  done
ERROR: S3 error: 403 (AccessDenied): Access Denied.
elukey closed this task as Resolved.Jul 5 2022, 8:47 AM
elukey claimed this task.

All working! Added the new account to the ML staging cluster, and it worked nicely. We'll move away from the admin account in prod as well. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL