
Requesting access to analytics-wmde-users (no kerberos, with ssh) for karapayneWMDE
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: Kara_Payne
  • Email address: kara.payne@wikimedia.de
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2rcD7HPKDRY5qREx2jQ7ls4McLYYCEiWS94r/GeF70 kapa@C363
  • Requested group membership: analytics-wmde-users
  • Reason for access: In https://phabricator.wikimedia.org/T340648, the wikidata analytics team is requesting access to an airflow instance. As the engineering manager associated with the team I would like to have access to this as well.
  • Name of approving party (manager for WMF/WMDE staff): I suppose Manuel and it was already approved: https://phabricator.wikimedia.org/T340648#9034129
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Hello. I'm listed as one of the approvers for this group, but there are a couple of things that I would like to check first, before proceeding.
Firstly, I don't think that the request as set out will actually provide access to the airflow instance in question, so I think it might need a bit of modification.

The reason for this is that the request says no ssh - but the means by which we currently authenticate to and provide access to the Airflow web interface is via SSH tunneling.
See, for example, the instructions for accessing the Analytics instance here: https://wikitech.wikimedia.org/wiki/Data_Engineering/Systems/Airflow/Instances#analytics

Secondly, I'm not sure that the group membership analytics-privatedata-users is actually the right one either. What is required in order to gain access to this new airflow instance is shell access to the new VM an-airflow1007:
I have a feeling that perhaps analytics-wmde-users would be a better choice, as per here.

I know that analytics-privatedata-users would be required for access to the detailed yarn logs, but again both ssh and kerberos would also be required. If we're only talking about giving kpayne access to the Airflow user interface for job monitoring and viewing airflow task logs, then I think that a different group (e.g. analytics-wmde-users) could probably be used for that. I could be wrong though, so please feel free to correct me if my assumptions are incorrect.

We can see from here the groups of which kpayne is already a member. https://ldap.toolforge.org/user/kpayne
Critically, this includes nda which is helpful.

I hope that this doesn't come across as obstructive; I'm simply trying to find the best way forward and the most appropriate set of privileges for @karapayneWMDE

analytics-wmde-users would be a better choice

Thank you @BTullis, your suggestion makes sense to me!

What do you think, @karapayneWMDE?

BTullis renamed this task from Requesting access to analytics-privatedata-users (no kerberos, no ssh) for karapayneWMDE to Requesting access to analytics-wmde-users (no kerberos, with ssh) for karapayneWMDE. (Jul 31 2023, 9:14 AM)
BTullis updated the task description.
BTullis added a subscriber: Stevemunene.

Here is the LDAP uidNumber for kpayne

btullis@seaborgium:~$ ldapsearch -x uid=kpayne uidNumber
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: uid=kpayne
# requesting: uidNumber 
#

# kpayne, people, wikimedia.org
dn: uid=kpayne,ou=people,dc=wikimedia,dc=org
uidNumber: 32212

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
btullis@seaborgium

@Stevemunene you'll need this when moving the kpayne user around in data.yaml
Since she will need SSH access, her account has to be moved from the ldap_only_users key to the users key.

You'll need to know the uidNumber and also you'll need an SSH public key for this access.
@karapayneWMDE could you follow the guidelines here please? https://wikitech.wikimedia.org/wiki/SRE/Production_access#Generating_your_SSH_key - You'll keep the secret part of the key and share with us the public part, at which point we can use it to permit you SSH access to the new airflow instance. Thanks.

BTullis triaged this task as Medium priority. (Jul 31 2023, 9:22 AM)
BTullis added a project: Data-Platform-SRE.
BTullis moved this task from Incoming to In Progress on the Data-Platform-SRE board.

hello, apologies for the delay (was on holiday)

public key is: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2rcD7HPKDRY5qREx2jQ7ls4McLYYCEiWS94r/GeF70 kapa@C363

Thanks @karapayneWMDE moving this back into progress.

Change 948568 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/puppet@production] Grant Kara Payne shell access

https://gerrit.wikimedia.org/r/948568

Change 948568 merged by Stevemunene:

[operations/puppet@production] Grant Kara Payne shell access

https://gerrit.wikimedia.org/r/948568

The changes have been merged and @karapayneWMDE now has shell access and is a member of analytics-wmde-users