add FNavas-foundation to wmf LDAP group (was: Grant Access to analytics_privatedata_users for FNavas-foundation)
Closed, Resolved (Public)

Description

  • The username of your existing account on wikitech.wikimedia.org:

FNavas-foundation

  • Do you currently have shell access (Yes/No)?

No

  • Purpose (Specify which service you need to get access to, e.g. Icinga, Grafana, Superset etc):

Turnilo

  • The specific LDAP group that you want to be added to (optional):

wmf (was: analytics_privatedata_users but that isn't an LDAP group)

For contractors only:

  • Contract end date: — June 30, 2023
  • Contract contact person: — Naïké Nembetwa Nzali

Event Timeline

@FNavas-foundation can I double-check what access you need for what purposes, please? You say you need access to turnilo - that can be done with just wmf access (not analytics_privatedata_users) - see https://wikitech.wikimedia.org/wiki/Analytics/Data_access and/or talk to your manager.

Can I also check this is the correct wikitech username? Our internal check thinks your email address is associated with the FranCapoArg wikitech account.

Hi @MatthewVernon, thanks for picking this up - I do need Turnilo access. I also need access to a special dashboard created by @Pablo.

Sorry about the wikinames. I made a mess. FranCapoArg is my personal editing account. I made another user with my WMF mediawiki account (FNavas-foundation), which is linked to my foundation email. Should we/do we need to adjust this before going forward?

Please advise! Thanks.

I made another user with my WMF mediawiki account (FNavas-foundation), which is linked to my foundation email.

On a related note, in staff capacity I'd recommend not to use the self-created on-wiki SUL wiki account FNavas-foundation and instead the verified WMF ITS created SUL wiki account FNavas-WMF and link the latter also to your Phabricator account (after connecting your LDAP/wikitech account and logging into Phab via the LDAP account). It makes verification of several permission requests easier plus increases transparency. Thanks.

@FNavas-foundation Who's your manager? They need to sign off on this task.
@Ottomata This needs approval for analytics-privatedata-users

@MoritzMuehlenhoff my manager is @RBrounley_WMF (he is off on holiday at the moment).

@Aklapper is there someone who can help me untangle this? perhaps ITS?

@MoritzMuehlenhoff - alerting that my manager is back so he can sign-off should you need to contact him. Should he contact you? let me know.

@Aklapper - re-pinging you on my last question, sorry to be a burden.

We only need a short approval in this task, a simple comment/followup will do :-)

Hello all - apologies for delay. Back from holiday today.

Approved! He's doing analysis for a feature we're working on for Breaking News detection.

@FNavas-foundation: Hi, thanks for caring and no worries - basically see my comment T331482#8703089 for what would be nice to do here (and feel free to elaborate which parts are unclear). Thanks!

@Ottomata @odimitrijevic This needs your approval for analytics-privatedata-users

Hi, just back from vacation too.

@FNavas-foundation can you update the task description with exactly what you need access to? Your comment mentions a 'special' dashboard, but not the kind of dashboard or what kind of data it accesses. I'm guessing this is in Superset with some data hosted in Hive?

See https://wikitech.wikimedia.org/wiki/Analytics/Data_access#What_access_should_I_request? for help figuring out what you need.

Your response isn't going to influence an approval from me, so once the description is updated, I approve. :)

Thank you!

Hi @Ottomata - yes, there are two Supersets I need to get into: 1 & 2

Thank you.

@Aklapper I have ITS and T&S helping me unravel those accounts now. Thanks for pointing it out. EDIT: that is consolidated in the original ITS ok'd account now.

@MoritzMuehlenhoff -- hi, checking in on this! I just tried to log in and was not recognized. So I want to make sure it's not an IT issue!

@FNavas-foundation: We still need feedback from @Ottomata on the kind of access you'll need to access these dashboards.

The access requests are processed on a weekly rotation of SREs, once this information is available @ssingh will add your access.

Hiya, I believe task description is not accurate, but in T331482#8735917 it looks like what is needed is ssh-less membership in analytics-privatedata-users.

Approved.

Change 905767 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] admin: add fnavas-foundation to analytics-privatedata-users

https://gerrit.wikimedia.org/r/905767

Change 905767 merged by Ssingh:

[operations/puppet@production] admin: add fnavas-foundation to analytics-privatedata-users

https://gerrit.wikimedia.org/r/905767

ssingh claimed this task.

@FNavas-foundation: Your access request has been merged. Please try again (in about 30 minutes from this comment) and feel free to reopen this task if required. Thank you!

@ssingh -- thank you. Now i can't get in but i think it is an ITS issue.

Make sure you are logging in with the correct account? fnavas-foundation in this case.

You missed a part of this conversation that involved ITS removing fnavas-foundation in favor of the verified WMF ITS created SUL wiki account FNavas-WMF https://meta.wikimedia.org/wiki/Special:CentralAuth/FNavas-WMF.

I think I have to connect my unified and LDAP accounts, and you would have to give access to FNavas-WMF instead of fnavas-foundation.

I think I did miss it yes. But please unify the accounts and I am happy to revise the patch.

ITS should have removed fnavas-foundation entirely. Do you still see it? Or is the only issue that FNavas-WMF is not LDAP?

@FNavas-foundation What matters here is what login you are using on the wikitech wiki ( https://wikitech.wikimedia.org/wiki/Main_Page). If the user works there then it's the same as the LDAP user, which is also what you use to login to Grafana and Superset. That is not a SUL wiki, so it's not related to changes to global wiki user on wikipedia etc and ITS will likely not change it for you. It's whatever you create or created yourself when you registered on Wikitech wiki.

Now, when checking LDAP we can see there are 2 users:

  • uid: fnavas (43544)
  • uid: fnavas-foundation (43670)

Both are using the same -ctr@wikimedia email address. Some users have multiple users, one for private and one for work use and that's ok.

But if both have the same email address then it doesn't really matter to us which we use. You should just tell us which one you want to use.

Regardless, it's not related to SUL and ITS.

Thanks @Dzahn. I understood it was "fnavas-wmf", not just "fnavas".

Neither of those two, nor "fnavas-foundation", allow me to log in on the wikitech main page (https://wikitech.wikimedia.org/wiki/Main_Page).

I attempted reset my password, but get nothing back to my email.

Any thoughts?

Hi!

So, each LDAP user has multiple fields, uid, sn and cn, and depending on whether it's an SSH login, a wiki login or other, confusingly a different one may be used. The first user looks like this:

uid: fnavas
sn: Francisco Navas
cn: Francisco Navas

and the second user looks like this:

uid: fnavas-foundation
sn: FNavas-foundation
cn: FNavas-foundation

Try using the sn/cn value to login on the Wikitech wiki. Does that work? The "uid" value is what you would use if you login somewhere via ssh.

The part that you don't receive email is strange but for that, and after you have double checked spam folders, I would ask you to go to ITS to debug, since the wikimedia.org mail there is on their side in Google.

Cheers

P.S. I did test if wikitech wiki sends out email to myself, and it did. that's why I am saying to check on the ITS side.

Thanks @Dzahn - I was able to get into wikitech with "FNavas-foundation".

Yet, I was unable to access this superset or this one

which was the original request. Still receiving the error —

Service access denied due to missing privileges.

I get nothing back from the reset password anywhere, will chase that with ITS.

Let me reopen the ticket then since you don't have access that you should have. We have rotating clinic duty each week to handle open access requests.

@FNavas-foundation So looking back at the original request it actually said turnilo. Does https://turnilo.wikimedia.org/ work for you? But you also want https://superset.wikimedia.org and (only) that does not work? Maybe it is because you don't have a kerberos access token. We should verify again with DE what is needed for you.

Dzahn removed ssingh as the assignee of this task.Apr 11 2023, 5:00 PM

Maybe it is because you don't have a kerberos access token. We should verify again with DE what is needed for you.

Kerberos access is not required for superset. Many superset dashboards do require posix group membership in analytics-privatedata-users.

fnavas-foundation is a member of analytics-privatedata-users but something is not working or there is still confusion about which user to use. Could you take a look as clinic duty this week, please.

@FNavas-foundation let's make sure I understand:

  • You can access superset with FNavas-foundation
  • Your need is to access Turnilo and superset
  • analytics-privatedata-users is required in order to access more advanced superset dashboards (per T331482#8772363):

Many superset dashboards do require posix group membership in analytics-privatedata-users.

FWIW I cannot access those either. @Ottomata, are there specific permissions for those dashboards that would prevent access? Also, your approval is for both Turnilo and Superset, right?

@FNavas-foundation can you confirm that you are able to log in to superset? Can you log into turnilo? Which account are you using?

BCornwall updated Other Assignee, removed: FNavas-foundation.
BCornwall subscribed.

FWIW I cannot access those either

Makes sense, user brett would have to be in analytics-privatedata-users

Unless...what do you mean by 'access'? You should be able to log in, but I think those dashboard's queries will fail with some privilege error.

@Ottomata yes, I just meant those dashboards, which I do get privilege errors. I'll wait for @FNavas-foundation to clarify their issues. Thanks!

Clement_Goubert changed the task status from Open to Stalled.Apr 17 2023, 8:37 AM

Hi with @FNavas-foundation

Current access —

Superset - no - "Service access denied due to missing privileges."
Turnilo - no - "Service access denied due to missing privileges."
Wikitech - yes
Mediawiki - no

Need access to all of those. I understand that mediawiki is separate. Superset/Turnilo are priorities so I can access those dashboards.

Thanks!

Turnilo - no - "Service access denied due to missing privileges."

Turnilo only uses LDAP for authentication (no posix group membership), so this hints that something is off with LDAP group membership.

Seems like there are not just 2 users, there are actually 3 different users!

[mwmaint1002:~] $ ldapsearch -x uid=fnavas* | grep uidNumber
uidNumber: 43544
uidNumber: 43670

[mwmaint1002:~] $ ldapsearch -x mail=fnavas* | grep uidNumber
uidNumber: 43544
uidNumber: 43545

To remove any ambiguity, let's refer to them by uidNumbers. Starting with the oldest:

43544 | uid = fnavas | sn = Francisco Navas | cn = Francisco Navas | mail = fnavas-ctr@wikimedia.org

43545 | uid = francapo | sn = FranCapoArg | cn = FranCapoArg | mail = fnavas-ctr@wikimedia.org

43670 | uid = fnavas-foundation | sn = FNavas-foundation | cn = FNavas-foundation | mail = <NONE> !!

something is off with LDAP group membership

Yea, for sure, since the request says the requested _LDAP group_ is analytics_privatedata_users, but that is not even an LDAP group. An LDAP group would be something like "wmf" or "nda".

Hi @FNavas-foundation can you please do these things:

  • set an email address for the fnavas-foundation user (login at wikitech and go to preferences, set an address)
  • confirm which of the 3 users above you really want to use
  • go back to the start of this ticket at T331482#8675767 where Matthew said "can be done with just wmf access (not analytics_privatedata_users)" and verify if that's correct.

You have never been added to any LDAP group, "analytics_privatedata_users" is not in the category "LDAP groups". It's a group for shell access.

It seems like what has been done so far should be reverted and what you actually need is the group called "wmf".

Please check with Data Engineering if that's true and what you really need and let the person on clinic duty know.
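Worked example, added here and not part of the task or of WMF's tooling: a small Python script that parses `ldapsearch -x` LDIF output and does by code what the uid/sn/cn explanation and the three-user listing above do by hand. It indexes entries by uidNumber, flags entries that share a mail address, flags entries with no mail at all (the reason `mail=fnavas*` missed the third user while `uid=fnavas*` missed the second), and reports which LDAP groups (as opposed to posix groups such as analytics-privatedata-users) list the requested uid as a member. The fnavas* attribute values are the ones quoted in this task; the DNs, the ou=people/ou=groups layout, the groupOfNames-style cn=wmf entry and its placeholder member are assumptions made only so the sample runs offline.

```python
"""Cross-check LDAP accounts from `ldapsearch -x` LDIF output.

Added example for this task, not WMF tooling. DNs, ou= layout and the
cn=wmf group entry are assumptions about the directory; the fnavas*
attribute values are those quoted in the thread.
"""
import base64
from collections import defaultdict

# Constructed LDIF: three people entries plus one LDAP group (cn=wmf).
# Note fnavas-foundation has no mail attribute, so `ldapsearch mail=fnavas*`
# misses it, while `ldapsearch uid=fnavas*` misses francapo.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=fnavas,ou=people,dc=wikimedia,dc=org
uid: fnavas
uidNumber: 43544
cn: Francisco Navas
sn: Francisco Navas
mail: fnavas-ctr@wikimedia.org

dn: uid=francapo,ou=people,dc=wikimedia,dc=org
uid: francapo
uidNumber: 43545
cn: FranCapoArg
sn: FranCapoArg
mail: fnavas-ctr@wikimedia.org

dn: uid=fnavas-foundation,ou=people,dc=wikimedia,dc=org
uid: fnavas-foundation
uidNumber: 43670
cn: FNavas-foundation
sn: FNavas-foundation

dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
cn: wmf
member: uid=example-staffer,ou=people,dc=wikimedia,dc=org

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.

    Handles comment lines, blank-line separators, multi-valued attributes,
    `attr:: base64` values and folded continuation lines (leading space).
    Blocks without a `dn` (the ldapsearch trailer) are dropped.
    """
    entries, current, lines = [], defaultdict(list), []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                  # sentinel flushes last block
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(dict(current))
            current = defaultdict(list)
            continue
        attr, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries


def uid_from_dn(dn):
    """'uid=fnavas,ou=people,...' -> 'fnavas'; None for non-uid DNs."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val if key.strip().lower() == "uid" else None


def report(ldif_text, requested_uid):
    """Summarise identity ambiguity and LDAP group membership for one uid."""
    entries = parse_ldif(ldif_text)
    people = [e for e in entries if "uidNumber" in e]
    groups = [e for e in entries if "member" in e]

    by_mail = defaultdict(list)
    for p in people:
        for m in p.get("mail", []):
            by_mail[m.lower()].append(p["uid"][0])
    shared_mail = {m: uids for m, uids in by_mail.items() if len(uids) > 1}
    missing_mail = [p["uid"][0] for p in people if not p.get("mail")]

    # LDAP groups whose member DNs include the requested uid.
    ldap_groups = sorted(
        g["cn"][0] for g in groups
        if any(uid_from_dn(dn) == requested_uid for dn in g["member"])
    )
    return {
        "uidnumbers": sorted(int(p["uidNumber"][0]) for p in people),
        "shared_mail": shared_mail,
        "missing_mail": missing_mail,
        "ldap_groups": ldap_groups,
    }


if __name__ == "__main__":
    for key, val in report(SAMPLE_LDIF, "fnavas-foundation").items():
        print(f"{key}: {val}")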

Thanks @Dzahn

  • email added to fnavas-foundation
  • let's use 43670 | uid = fnavas-foundation | sn = FNavas-foundation | cn = FNavas-foundation
  • Checking with creator of the superset. I need access to both Turnilo and Superset - so if "wmf" gets me that, ok. For the specific superset dashboards I need to see, it seems that I need "analytics_privatedata_users" according to its creator.

@FNavas-foundation Thank you for the prompt reply. I can confirm that all users have an (the same) email address now, cool!

It's possible that you need both analytics_privatedata_users (which confusingly can be with or without shell access but isn't an LDAP group) AND additionally an LDAP group, which is most likely either "wmf" or "nda", but we as the people processing these tickets wouldn't know that. So it's great that you are reaching out to the superset creator.

If that doesn't work and since you have had so much trouble with this I suggest maybe reaching out to @RBrounley_WMF to find out for you (or how we can make this easier in general).

Then you can edit the ticket and under the "The specific LDAP group.." section put the LDAP group name.

Finally the clinic duty person will follow the process like a regular fresh request to be added to an LDAP group.. but we still have to figure out if analytics-privatedata users access should be reverted or if in fact both types of access are needed in combination for your use case.

So maybe the best would be to revert, add ONLY to LDAP group, have you test if it works or not..

Also what can be helpful is if you find a person who already has the exact type of access you need so you can point to them and say "whatever they have".

To quickly answer your last question - Abhas Tripathi has access to those supersets (I know for a fact) and @SDelbecque-WMF (who is the other PM on my team has Turnilo and Superset).

Let me know if you can copy either, then we can try that way.

Thanks! This was very valuable information. With that we are able to track it down, luckily.

So when I look at Abhas Tripathi, they have membership in analytics-privatedata-users WITH actual shell access (the highest form of access) and additionally the "wmf" LDAP group. This by itself wouldn't have told us.

But when I look at Stephanie Delbecque, they have NO membership in analytics-privatedata-users, no shell access and ONLY the "wmf" LDAP group. This tells us that that is all you ever needed.

So conclusion to me is:

  • this ticket should not have been tagged "sre-access-requests".
  • you never needed "analytics-privatedata-users"
  • should have been tagged "LDAP-Access-Requests" instead
  • can be summarized as "add to wmf LDAP group" and it becomes a very standard workflow

Let me make some edits for you to reflect that.

Dzahn changed the task status from Stalled to Open.Apr 19 2023, 11:36 PM
Dzahn changed the task status from Open to In Progress.
Dzahn removed FNavas-foundation as the assignee of this task.
Dzahn raised the priority of this task from Medium to High.
Dzahn added a project: LDAP-Access-Requests.

Change 910104 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: move fnavas to ldap_only admins, remove from a-privatedata-users

https://gerrit.wikimedia.org/r/910104

Mentioned in SAL (#wikimedia-operations) [2023-04-20T00:02:08Z] <mutante> LDAP - adding uid fnavas-foundation to group wmf - T331482

Dzahn renamed this task from Grant Access to analytics_privatedata_users for FNavas-foundation to add FNavas-foundation to wmf LDAP group (was: Grant Access to analytics_privatedata_users for FNavas-foundation).Apr 20 2023, 12:02 AM
Dzahn updated the task description. (Show Details)

@FNavas-foundation Can you please try now and tell me if it works for you?

Change 910104 merged by Clément Goubert:

[operations/puppet@production] admin: move fnavas to ldap_only admins, remove from a-privatedata-users

https://gerrit.wikimedia.org/r/910104

@Dzahn I believe that @FNavas-foundation needs LDAP wmf AND ssh-less membership in analytics-privatedata-users.

@Dzahn @Ottomata OK! good news is I am IN Superset. But now I cannot see the data in the dashboards - I believe this is why I needed analytics-privatedata-users membership as well

Ok, I'll be reverting the patch to reinstate you in the analytics-privatedata-users group.

thanks @Clement_Goubert - please advise when you do. I get the following error from the data on the superset dashboard -

Permission denied: user=fnavas-foundation, access=EXECUTE, inode="/user/hive/warehouse":hive:analytics-privatedata-users:drwxrwx---
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:351)
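Added example, not Hadoop or WMF code: the error above is an HDFS permission failure, and the rule that produced it can be modelled directly. HDFS's FSPermissionChecker consults exactly one class of bits on the inode: owner if the user owns it, group if the inode's group is among the user's groups, otherwise other. With /user/hive/warehouse owned by hive:analytics-privatedata-users and mode drwxrwx---, a user outside that posix group is evaluated against the other bits, which are empty, so EXECUTE on the directory fails no matter which LDAP-only group (such as wmf) they hold. The script parses the quoted message, applies that rule, and names the group membership that would satisfy the requested action. The set of groups passed in is an assumption standing in for whatever HDFS's group mapping reports for the user.

```python
"""Model the HDFS permission check behind a Hadoop "Permission denied" error.

Added example for this task, not Hadoop or WMF code. It reproduces the
owner/group/other rule FSPermissionChecker applies to the inode named in
the message; where HDFS obtains the user's group list (passed in by the
caller here) is outside the example.
"""
import re

# The error quoted in the thread, used as constructed sample input.
SAMPLE_ERROR = (
    'Permission denied: user=fnavas-foundation, access=EXECUTE, '
    'inode="/user/hive/warehouse":hive:analytics-privatedata-users:drwxrwx---'
)

_DENIAL = re.compile(
    r'user=(?P<user>[^,]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[dl-][rwxsStT-]{9})'
)

# Hadoop FsAction names -> the permission bits each one requires.
FS_ACTION = {
    "NONE": set(), "READ": {"r"}, "WRITE": {"w"}, "EXECUTE": {"x"},
    "READ_EXECUTE": {"r", "x"}, "WRITE_EXECUTE": {"w", "x"},
    "READ_WRITE": {"r", "w"}, "ALL": {"r", "w", "x"},
}


def parse_hdfs_denial(message):
    """Extract user, requested action and the inode's owner/group/mode."""
    m = _DENIAL.search(message)
    if not m:
        raise ValueError("not an HDFS permission-denied message")
    return m.groupdict()


def bits_of(triple):
    """'rwx' / 'r-s' style triple -> set of granted bits."""
    bits = set()
    if triple[0] == "r":
        bits.add("r")
    if triple[1] == "w":
        bits.add("w")
    if triple[2] in "xst":        # s/t mean setuid/setgid/sticky WITH execute
        bits.add("x")
    return bits


def hdfs_allows(user, user_groups, owner, group, mode, access):
    """Apply the POSIX-style rule HDFS uses: exactly one class is consulted.

    Owner wins if the user owns the inode; otherwise the group class applies
    if the inode's group is among the user's groups; otherwise 'other'.
    The classes are not cumulative, which is why a user outside the inode's
    group gets the other bits (here ---) even though group has rwx.
    """
    perms = mode[1:]              # strip the type character (d, l, -)
    if user == owner:
        granted = bits_of(perms[0:3])
    elif group in user_groups:
        granted = bits_of(perms[3:6])
    else:
        granted = bits_of(perms[6:9])
    return FS_ACTION[access] <= granted


def diagnose(message, user_groups):
    """Report whether the user passes and which group membership would fix it."""
    d = parse_hdfs_denial(message)
    allowed = hdfs_allows(d["user"], user_groups, d["owner"], d["group"],
                          d["mode"], d["access"])
    # Membership in the inode's group only helps if the group bits suffice.
    group_bits = bits_of(d["mode"][4:7])
    would_fix = not allowed and FS_ACTION[d["access"]] <= group_bits
    return {"allowed": allowed,
            "missing_group": d["group"] if would_fix else None}


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, {"wmf"}))
    print(diagnose(SAMPLE_ERROR, {"wmf", "analytics-privatedata-users"}))
```

The second call models the state after the revert of change 910104: once analytics-privatedata-users is among the user's groups, the group class applies and EXECUTE on the warehouse directory succeeds.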

I merged the patch, it should be live everywhere in around half an hour.

That's all working now. Thank you to everyone involved!

Thanks all as well from me. Sorry FNavas, this should have been easier! All my comments should be interpreted as "our process needs to improve", never that you did something wrong. Cheers

Dzahn reassigned this task from Dzahn to Clement_Goubert.