
Requesting access to analytics-privatedata-users & Kerberos identity for Hghani
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Hghani
  • Email address: hghani-ctr@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9YrjjXUnDX0d8mk62yYBR6Pcflz/1pw/tkoMTeSrM0 hghani-ctr@wikimedia.org
  • Requested group membership: analytics-privatedata-users
  • Reason for access: For fellowship with Global Data and Insights, need to access JupyterLab for querying data.
  • Name of approving party (manager for WMF/WMDE staff): @kzimmerman
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Hghani renamed this task from Requesting access to analytics-privatedata-users & Kerberos identity for USERNAME and kinit credentials to Requesting access to analytics-privatedata-users & Kerberos identity for Hghani and kinit credentials. Nov 1 2022, 3:34 PM
Hghani updated the task description.
KCVelaga_WMF renamed this task from Requesting access to analytics-privatedata-users & Kerberos identity for Hghani and kinit credentials to Requesting access to analytics-privatedata-users & Kerberos identity for Hghani. Nov 3 2022, 9:55 AM
jbond added a subscriber: jbond.

@Hghani can you please sign the L3 document?

@CMacholan are you able to approve this request?

jbond triaged this task as Medium priority. Nov 3 2022, 3:29 PM

Hi,

I have signed the L3 document.

  • confirmed L3 signature
  • confirmed in Namely (@Hghani I see you have a wikimedia -ctr email address, it's used here in Phabricator and I can see it in Google. But I also see in Namely you have a different personal address. This could be as you want it or an oversight, I am not sure about it, just pointing it out)

@jbond found in Namely but with unknown job title / manager, so the usual verification step might be missing, not sure.

Dzahn changed the task status from Open to In Progress. Nov 3 2022, 8:27 PM
Dzahn moved this task from Untriaged to In Discussion on the SRE-Access-Requests board.

Change 853255 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] admin: add Hghani and Ilooremeta to analytics-privatedata-users

https://gerrit.wikimedia.org/r/853255

Change 853255 merged by Jbond:

[operations/puppet@production] admin: add Hghani and Ilooremeta to analytics-privatedata-users

https://gerrit.wikimedia.org/r/853255

jbond claimed this task.

This has been completed; let me know if there are any issues.

Hi,

I have not received an e-mail with the Kerberos credentials.

I have sent the temporary credentials via email following https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos#Create_a_principal_for_a_real_user please check, and change your password!

Hi
I am using a Windows 10 machine and I am having trouble logging in via ssh. When I attempt to connect to the server it prompts for password/pass phrase but I don't remember creating one. I have tried passwords that I would have created with no luck. Is there anything specific to the OS that would need to be configured? I am not sure what details should be included that could help get any suggestions. User name I have entered in my config file is hghani.
Thank you

Hi, this sounds like an issue with your ssh config and your ssh key. If your key is configured correctly, ssh should not prompt you for a password:

See:

Hi,

The public key I submitted in the initial ticket matches the key that I have saved on my device. My config looks correct but I am still being prompted for a passphrase. Would it be possible to resubmit a new key?

I have attached the config/key for reference and the error message I get in the debugging is:
debug1: read_passphrase: can't open /dev/tty: No such file or directory.

It might be hard for us to help you, since I'm not aware of many folks that use Windows. Without more context, that error message looks like there is something wrong locally with your ssh config or something else, not with your access setup on our servers.

Can you try to ssh again with ssh -v and paste the full output?

Hi,

PS C:\WINDOWS\system32> ssh -v stat1005.eqiad.wmnet -L 8880:127.0.0.1:8880
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\zechs/.ssh/config
debug1: C:\\Users\\zechs/.ssh/config line 22: Applying options for *.wmnet
debug1: hostname canonicalisation enabled, will re-parse configuration
debug1: re-parsing configuration
debug1: Reading configuration data C:\\Users\\zechs/.ssh/config
debug1: C:\\Users\\zechs/.ssh/config line 22: Applying options for *.wmnet
debug1: Setting implicit ProxyCommand from ProxyJump: "C:\\WINDOWS\\System32\\OpenSSH\\ssh.exe" -v -W "[%h]:%p" bast
debug1: Executing proxy command: exec "C:\\WINDOWS\\System32\\OpenSSH\\ssh.exe" -v -W "[stat1005.eqiad.wmnet]:22" bast
debug1: identity file C:\\Users\\zechs/.ssh/id_rsa type 3
debug1: identity file C:\\Users\\zechs/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\zechs/.ssh/config
debug1: C:\\Users\\zechs/.ssh/config line 14: Applying options for bast
debug1: hostname canonicalisation enabled, will re-parse configuration
debug1: re-parsing configuration
debug1: Reading configuration data C:\\Users\\zechs/.ssh/config
debug1: C:\\Users\\zechs/.ssh/config line 22: Skipping Host block because of negated match for bast*.wikimedia.org
debug1: C:\\Users\\zechs/.ssh/config line 27: Applying options for bast*.wikimedia.org
debug1: Connecting to bast [2620:0:861:4:208:80:155:110] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\zechs/.ssh/id_rsa type 3
debug1: identity file C:\\Users\\zechs/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bast1003.wikimedia.org:22 as 'hghani'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:fh4BdnF8H75oGadNz1ivLYBz2UDc86GuRJvazViL17M
debug1: Host 'bast1003.wikimedia.org' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\zechs/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\zechs/.ssh/id_rsa ED25519 SHA256:B2BCxABPYtj3qv1zx9ABRyysh1HQ0hCc8J/csxTGCiU explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\zechs/.ssh/id_rsa ED25519 SHA256:B2BCxABPYtj3qv1zx9ABRyysh1HQ0hCc8J/csxTGCiU explicit
debug1: Server accepts key: C:\\Users\\zechs/.ssh/id_rsa ED25519 SHA256:B2BCxABPYtj3qv1zx9ABRyysh1HQ0hCc8J/csxTGCiU explicit
debug1: read_passphrase: can't open /dev/tty: No such file or directory
Enter passphrase for key 'C:\Users\zechs/.ssh/id_rsa':

Thanks. Not sure what is going on, but I found some things you could try in this serverfault.com thread. Give those a try and let us know how it goes.

kzimmerman added a subscriber: kzimmerman.

Hi all, we have re-hired Hamid Ghani. I am the hiring manager. Can you please re-enable his accounts? Thank you!

@kzimmerman Have they been re-hired as a contractor or full time employee? If the former, can you confirm the contract expiry date and would you be the point of contact?

@Hghani are you able to provide the ssh public key you would like configured?

Hi my public key is:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9YrjjXUnDX0d8mk62yYBR6Pcflz/1pw/tkoMTeSrM0 hghani-ctr@wikimedia.org

Change 922799 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] admin: Re-enable hghani

https://gerrit.wikimedia.org/r/922799

Thanks, I have created the change; just need confirmation of the contract end date and also a WMF contact.

Hi contract end date is November 30 2023.

Contact: @kzimmerman

Thanks Hghani, @kzimmerman are you able to confirm?

@jbond Yes, confirmed, Hamid's contract end date is November 30, 2023. Thanks!

Change 922799 merged by Jbond:

[operations/puppet@production] admin: Re-enable hghani

https://gerrit.wikimedia.org/r/922799

jbond claimed this task.
jbond added a subscriber: CDanis.

Access has now been configured and you should have received an email regarding Kerberos authentication.

Hi,
I've set up the Kerberos authentication but I am having trouble signing into JupyterHub and Wikimedia Dev single sign on:

[Two screenshots attached: image.png, image.png]

Let me know if you can provide any info.

Thank you

@Hghani I had forgotten to add you to the LDAP group, it should be working now. Please reopen if not.