Page MenuHomePhabricator
Create Task
Maniphest T325004

Requesting access to analytics-privatedata-users & analytics-product-users for Hxi-ctr
Closed, ResolvedPublicRequest
Actions

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Hxi-ctr
  • Email address: hxi-ctr@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFUWDQcPOmfMWpyKXSVXbnN+3Tf8Xy3kYtLDyIi+JQ8 xihua@MacBook-Pro-4
  • Requested group membership: analytics-privatedata-users & analytics-product-users
  • Reason for access: new contractor
  • Name of approving party (manager for WMF/WMDE staff): Kate Zimmerman, Mikhail Popov
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
Fix xihua's accountoperations/puppetproduction+9 -4
admin: Create hxi-ctr accountoperations/puppetproduction+14 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

HXi-WMF created this task.Dec 12 2022, 6:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 12 2022, 6:53 PM
Aklapper renamed this task from Requesting access to RESOURCE for USER[S] to Requesting access to analytics-privatedata-users & analytics-product-users for Hxi-ctr.Dec 12 2022, 6:54 PM
RhinosF1 subscribed.Dec 12 2022, 7:07 PM
kzimmerman added a comment.Dec 12 2022, 7:39 PM

Approved as Hua's manager

akosiaris added subscribers: odimitrijevic, Ottomata, akosiaris.Dec 15 2022, 10:57 AM

@odimitrijevic, @Ottomata, we need the approval of one of you on this one.

akosiaris added a comment.Dec 15 2022, 10:58 AM

analytics-product-users doesn't have a approver listed, let me chase that one down.

akosiaris updated the task description. (Show Details)Dec 15 2022, 10:59 AM
Ottomata added a comment.Dec 15 2022, 1:40 PM

Approved for analytics-privatedata-users.

analytics-product-users approver could be @mpopov?

mpopov added a comment.Dec 15 2022, 2:39 PM

Yes, please list myself and @kzimmerman as approvers for analytics-product-users.

And approved :)

TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
akosiaris updated the task description. (Show Details)Dec 16 2022, 10:27 AM
gerritbot added a comment.Dec 16 2022, 1:04 PM

Change 868664 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] admin: Create hxi-ctr account

https://gerrit.wikimedia.org/r/868664

gerritbot added a project: Patch-For-Review.Dec 16 2022, 1:04 PM
akosiaris moved this task from Untriaged to Ready To Go on the SRE-Access-Requests board.Dec 16 2022, 1:29 PM
gerritbot added a comment.Dec 16 2022, 1:32 PM

Change 868664 merged by Alexandros Kosiaris:

[operations/puppet@production] admin: Create hxi-ctr account

https://gerrit.wikimedia.org/r/868664

akosiaris closed this task as Resolved.Dec 16 2022, 1:34 PM
akosiaris claimed this task.

Hi @HXi-WMF, your account has been created and access to the relevant groups granted. Please wait 30m (as of this comment) before trying it out as the access propagates across the fleet. I 'll resolve this task, feel free to reopen if you meet issues.

Maintenance_bot removed a project: Patch-For-Review.Dec 16 2022, 2:30 PM
mpopov added a comment.Dec 16 2022, 3:52 PM

Thank you @akosiaris!

mpopov added a parent task: T325857: Requesting Kerberos identity for Hxi-ctr.Jan 3 2023, 3:36 PM
mpopov added a parent task: T324349: Onboarding for Hua.Jan 3 2023, 3:52 PM
BTullis mentioned this in T325857: Requesting Kerberos identity for Hxi-ctr.Jan 3 2023, 4:26 PM
taavi reopened this task as Open.Jan 14 2023, 4:15 PM
taavi subscribed.

Re-opening. The developer account Hxi-ctr has shell name xihua, not hxi-ctr which was added to Puppet in this patch https://gerrit.wikimedia.org/r/c/operations/puppet/+/868664/.

BTullis subscribed.Jan 19 2023, 6:10 PM
In T325004#8525568, @taavi wrote:

Re-opening. The developer account Hxi-ctr has shell name xihua, not hxi-ctr which was added to Puppet in this patch https://gerrit.wikimedia.org/r/c/operations/puppet/+/868664/.

Agreed, thanks @taavi. I discovered this as part of T325857: Requesting Kerberos identity for Hxi-ctr too.

@akosiaris is there anything I can do to help here? I see the general instructions and warnings on this page: https://wikitech.wikimedia.org/wiki/SRE/LDAP/Renaming_users so I don't want to go ahead without guidance.
I've also created the kerberos identity as hxi-ctr which we would presumably want to revoke as part of renaming the shell account.

akosiaris added a comment.Jan 20 2023, 1:18 PM
In T325004#8541303, @BTullis wrote:
In T325004#8525568, @taavi wrote:

Re-opening. The developer account Hxi-ctr has shell name xihua, not hxi-ctr which was added to Puppet in this patch https://gerrit.wikimedia.org/r/c/operations/puppet/+/868664/.

I guess the user hasn't tried to use the credentials yet, otherwise they would have reported this.

Agreed, thanks @taavi. I discovered this as part of T325857: Requesting Kerberos identity for Hxi-ctr too.

@akosiaris is there anything I can do to help here? I see the general instructions and warnings on this page: https://wikitech.wikimedia.org/wiki/SRE/LDAP/Renaming_users so I don't want to go ahead without guidance.

I don't think that applies. We have no Hxi-ctr account in LDAP to rename apparently. It's just puppet data that's wrong.

I've also created the kerberos identity as hxi-ctr which we would presumably want to revoke as part of renaming the shell account.

Yes, that one you want to revoke.

gerritbot added a comment.Jan 20 2023, 1:30 PM

Change 881872 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] Fix xihua's account

https://gerrit.wikimedia.org/r/881872

gerritbot added a project: Patch-For-Review.Jan 20 2023, 1:30 PM
akosiaris added a comment.Jan 20 2023, 1:47 PM

Diff's at https://puppet-compiler.wmflabs.org/output/881872/39191/bast3005.wikimedia.org/fulldiff.html

In T325004#8543435, @akosiaris wrote:
In T325004#8541303, @BTullis wrote:
In T325004#8525568, @taavi wrote:

Re-opening. The developer account Hxi-ctr has shell name xihua, not hxi-ctr which was added to Puppet in this patch https://gerrit.wikimedia.org/r/c/operations/puppet/+/868664/.

I guess the user hasn't tried to use the credentials yet, otherwise they would have reported this.

Just to verify this claim, I just ran a fleet wide cumin of 'last |grep hxi-ctr'. The only output is on stat1007, dating Jan 19 17:23. No files in /home/hxi-ctr.

akosiaris added a comment.Jan 20 2023, 1:48 PM

@HXi-WMF, we are going to have to rename your account from hxi-ctr to xihua due to a mistake on my part. Let us know if this would cause you issues.

Clement_Goubert moved this task from Ready To Go to Awaiting User Input on the SRE-Access-Requests board.Jan 23 2023, 11:39 AM
Clement_Goubert subscribed.

@HXi-WMF, could you please confirm that we can proceed with the account renaming?

Clement_Goubert triaged this task as Medium priority.Jan 23 2023, 12:39 PM
gerritbot added a comment.Jan 23 2023, 4:42 PM

Change 881872 merged by Jbond:

[operations/puppet@production] Fix xihua's account

https://gerrit.wikimedia.org/r/881872

jbond closed this task as Resolved.Jan 23 2023, 4:53 PM
jbond subscribed.

I have gone ahead and merged the changes to rename this account, please reopen if you have have any issues

Maintenance_bot removed a project: Patch-For-Review.Jan 23 2023, 5:31 PM
mpopov mentioned this in T324349: Onboarding for Hua.Mar 20 2023, 6:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL