Page MenuHomePhabricator

Requesting access to analytics-privatedata-users for bgwiki / Bethany Gerdemann
Closed, ResolvedPublicRequest

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: bgwiki
  • Email address: bgerdemann@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdN538Dee8RiVDDLrQ1fG+SGWnVAuI+HxXDUsD1/PdNHCgniOAYPahKrThJtoKAyC6VoxUAm458JR7aLa0iagUGVBvbQAmNZ+ZxHG4IiHlxr9f47Ynh3gwKsl9nB1POq4CQHvUE35tIWmCCqHS0/pyPkHVE6jDbOJo4ycG7yjxY7u5FNjOareEDcRrDU3ZZHuSNUUueFg4I4CaPRSP6mCwGw44LfGWK3APMxUoSTzXCEZ8ZDDRDU9dR16ZnQJB5/VNox+68NK0WOdLKZRKty4r56VaWVPPW91vdhbiuK8zMPjrrzdenqtjrFiRcQKNOxdTPX4BC8eky1kl0pV88uGr bgerdemann@wikimedia.org
  • Requested group membership: analytics-privatedata-users
  • Reason for access: Data analytics for Product Design Strategy
  • Name of approving party (manager for WMF/WMDE staff): @GEscalante-WMF or @MNovotny_WMF
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Signed
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Bethany renamed this task from Requesting access to RESOURCE for USER[S] to Requesting access to analytics-privatedata-users for bgwiki / Bethany Gerdemann.Jul 12 2022, 4:24 AM

Hi @Bethany can you provide a list of properties you need to access?

@Ottomata can you approve once we're sure which access Bethany needs?

Joe added a subscriber: Ottomata.

Approved once we have the details.

Please see https://wikitech.wikimedia.org/wiki/Analytics/Data_access#What_access_should_I_request? for help figuring out exactly what you need.

Seeking access to "All of the above"

  • LDAP membership in the wmf or nda LDAP group.
  • Shell (posix) membership in the analytics-privatedata-users group
  • An ssh key for your shell user
  • A Kerberos principal
Reedy renamed this task from Requesting access to analytics-privatedata-users for bgwiki / Bethany Gerdemann to Requesting access to analytics-privatedata-users for bgwiki / Bethany Gerdemann.Jul 13 2022, 4:25 PM
Reedy updated the task description. (Show Details)
  • LDAP membership in the wmf or nda LDAP group.

That seems to be already the case per https://ldap.toolforge.org/user/bgwiki

I don't have access to analytics-privatedata-users
When I log into superset, I cannot view any databases. I get an error every time I try to view a dataset, run a query, etc:

Presto Error
presto error: Permission denied: user=bgwiki, access=EXECUTE, inode="/wmf/data/raw":analytics:analytics-privatedata-users:drwxr-x---

I'm seeking the same level of permissions as jmads

If it makes any difference, my Wikimedia developer single sign on username is : Bethany

Joe triaged this task as Medium priority.Jul 15 2022, 10:15 AM

Change 814121 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] admin: add bgwiki to analytics-privatedata-users

https://gerrit.wikimedia.org/r/814121

Change 814121 merged by Giuseppe Lavagetto:

[operations/puppet@production] admin: add bgwiki to analytics-privatedata-users

https://gerrit.wikimedia.org/r/814121

Hi @Bethany in about 30 minutes you should be able to access all systems and to ssh to the hadoop nodes, and change your kerberos password (you should have received instructions via email)

Change 814122 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] admin: add kerberos to bgwiki

https://gerrit.wikimedia.org/r/814122

Change 814122 merged by Giuseppe Lavagetto:

[operations/puppet@production] admin: add kerberos to bgwiki

https://gerrit.wikimedia.org/r/814122

Joe claimed this task.

Tentatively resolving. Please let us know if you have issues by re-opening the task.