Page MenuHomePhabricator
Create Task
Maniphest T322795

Requesting access to analytics-privatedata-users for ryasmeen (superset access with no server access)
Closed, ResolvedPublicRequest
Actions

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: ryasmeen
  • Email address: ryasmeen@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):
  • Requested group membership: analytics-privatedata-users
  • Reason for access: I need to be able to view this dashboard: https://superset.wikimedia.org/superset/dashboard/372/ for the Edit Check project by Editing team.
  • Name of approving party (manager for WMF/WMDE staff): @ppelberg
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: not yet.
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
admin: validate human users have ssh_keysoperations/puppetproduction+17 -7
admin: add ssh_keys for ryasmeenoperations/puppetproduction+1 -0
admin: add ryasmeen to analytics-privatedata-usersoperations/puppetproduction+7 -5
Customize query in gerrit

Event Timeline

Ryasmeen created this task.Nov 9 2022, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 9 2022, 9:07 PM
gerritbot added a comment.Nov 10 2022, 9:22 AM

Change 855492 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] admin: add ryasmeen to analytics-privatedata

https://gerrit.wikimedia.org/r/855492

gerritbot added a project: Patch-For-Review.Nov 10 2022, 9:22 AM
fgiunchedi updated the task description. (Show Details)Nov 10 2022, 9:23 AM
fgiunchedi added subscribers: odimitrijevic, Ottomata, fgiunchedi.

Request looks good to me, @Ottomata @odimitrijevic I'm seeking approval for the above! Thank you

fgiunchedi triaged this task as Medium priority.Nov 10 2022, 9:24 AM
Ottomata added a comment.Nov 10 2022, 2:04 PM

Approved.

gerritbot added a comment.Nov 10 2022, 2:19 PM

Change 855492 merged by Filippo Giunchedi:

[operations/puppet@production] admin: add ryasmeen to analytics-privatedata-users

https://gerrit.wikimedia.org/r/855492

fgiunchedi closed this task as Resolved.Nov 10 2022, 2:20 PM
fgiunchedi claimed this task.

Thank you @Ottomata ! @Ryasmeen this is complete, access will be live in the next 30min. I'm resolving the task, though feel free to reopen if sth is amiss

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptNov 10 2022, 2:20 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 10 2022, 2:31 PM
Volans subscribed.Nov 14 2022, 9:38 AM

@fgiunchedi the above patch is missing the ssh_keys key and that broke the /usr/local/bin/cross-validate-accounts script that is expecting that as a required key.

gerritbot added a comment.Nov 14 2022, 9:55 AM

Change 856484 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] admin: add ssh_keys for ryasmeen

https://gerrit.wikimedia.org/r/856484

gerritbot added a project: Patch-For-Review.Nov 14 2022, 9:55 AM

Change 856485 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] admin: validate human users have ssh_keys

https://gerrit.wikimedia.org/r/856485

fgiunchedi added a comment.Nov 14 2022, 9:55 AM

Interesting, thank you for the heads up @Volans . There's an obvious disconnect between CI validation of data.yaml and what cross-validate-accounts expects. Should we make sure all accounts have ssh_keys (even if empty) or should cross-validate-accounts tolerate a missing ssh_keys ? I've gone with the CI route but easy enough to change

Volans added a comment.Nov 14 2022, 9:57 AM

I'm ok either way, probably I'd go the CI way too, but check with moritz/john on that to be sure.

gerritbot added a comment.Nov 14 2022, 10:47 AM

Change 856484 merged by Filippo Giunchedi:

[operations/puppet@production] admin: add ssh_keys for ryasmeen

https://gerrit.wikimedia.org/r/856484

gerritbot added a comment.Nov 14 2022, 10:47 AM

Change 856485 merged by Filippo Giunchedi:

[operations/puppet@production] admin: validate human users have ssh_keys

https://gerrit.wikimedia.org/r/856485

Maintenance_bot removed a project: Patch-For-Review.Nov 14 2022, 11:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL