
Requesting access to analytics-privatedata-users for ahoelzl
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

I'm a new Engineering Manager in the Data Platform Engineering org, managing the Data Engineering team.
I will need access to the data and analytics systems.
I already signed the L3 agreement.

This section is to be completed by the individual requesting access.

  • Wikimedia developer account username: ahoelzl
  • Email address: ahoelzl@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): https://office.wikimedia.org/wiki/User:AHoelzl-WMF
  • Requested group membership: analytics-privatedata-users
  • Reason for access: Engineering data systems and data pipelines as part of the core Data Platform Engineering team
  • Name of approving party (manager for WMF/WMDE staff): Olja Dimitrijevic - odimitrijevic@wikimedia.org
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: I did.
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Hi (and welcome)! The Phabricator account @Ahoelzl is currently connected to a personal MediaWiki account and not to a MediaWiki account created by WMF ITS. This makes future verification of several types of requests harder, and makes it less transparent who provides services for WMF.
@odimitrijevic, @Ahoelzl: Please make sure that the onboarding documentation of the Data Engineering team gets fixed.
@Ahoelzl: Per https://office.wikimedia.org/wiki/User_account_policy , please also connect your Wikimedia Developer (LDAP) account to your Phabricator account, then log into your Phabricator account via "Developer Log in - Wikitech Account (LDAP)", go to https://phabricator.wikimedia.org/settings/panel/external/ , remove your personal "MediaWiki - OAuth1 Account", and connect your MediaWiki account created by WMF ITS as your "MediaWiki - OAuth1 Account". Thanks a lot for your help! :)

Hi @Ahoelzl, welcome to the Foundation! SRE here, I'll be able to set you up with production access.

The SSH key you provided is the same one you're already using for WMCS (Wikimedia Cloud). For security reasons you'll need to generate a second SSH key for production, and not use it for anything else. There are instructions on Wikitech, or feel free to ping me if you have questions. Posting the public key on your officewiki user page is a perfectly good way to share it out-of-band, so feel free to do that again and just post here when it's updated.

(@Aklapper is also correct. Once the key is sorted out we can proceed with this request since you've confirmed you're a staff member by other means, but separately you should get this Phab account attached to your staff MediaWiki account by following the steps he gave you. Sorry, it's a lot of hoops to jump through in your first couple of weeks!)
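
The key-reuse check mentioned in the comment above can be done by comparing key material rather than whole lines, since the same key may carry a different comment. This is an added example, not part of the original thread and not the SRE team's own tooling; it assumes plain `type base64 comment` lines without authorized_keys options, and the sample keys are constructed filler, not real keys.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Return (key_type, raw_blob) for one OpenSSH public-key line; the comment is ignored."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; both must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match blob")
    return key_type, blob

def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_reuse(candidate_line, other_lines):
    """Return the fingerprint if the candidate key material appears in other_lines, else None."""
    _, candidate = parse_pubkey(candidate_line)
    for line in other_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if parse_pubkey(line)[1] == candidate:
            return fingerprint(candidate)
    return None

def constructed_key(seed, comment):
    # Constructed sample: ed25519 wire format with filler bytes, not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    cloud_keys = ["# keys already registered elsewhere", constructed_key(1, "user@laptop")]
    print(find_reuse(constructed_key(1, "renamed-for-prod"), cloud_keys))  # reused key
    print(find_reuse(constructed_key(2, "prod-only"), cloud_keys))         # separate key
```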

Thanks for the feedback.
@Aklapper I connected my Wikimedia Developer (LDAP) account with the Phabricator account and subsequently removed the personal MediaWiki account. However I'm having trouble adding the "AHoelzl-WMF" WMF ITS account. Is my "AHoelzl-WMF" account disabled after too many login attempts?

@RLazarus Here is the new production (non-shared) public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMPHBC2pHhz+O20hwTYOU/fnSWTIKS0V5o6Pg8ZU3boAX3OC8yUNE/xJXAa2G1kp3hWYNTBYHUDd73dr4lbUgTTPc4axRejfj6b80JSGulHd+JBzvu2AhjNZO8DiEvMbjVlOJh9L6dtFknZ6KWEDM8I2WQIljCmSD4VZApRZOOwoSo1ZzjBGKzfrqbeFBtXohO3JVi8s6ieBxYWrk6ImCGO2ti1LDjs97fPUd72CTlOc8EBQeSH5kvpqtPDOJk8OLeKd+oG5NIW06M7W3vUOGNi72X8y4sfMMXXlukzLup829Vl7PBbfjSvFI7cDhrWIcZXZCSRZAjglmm43pK7VGIAVCgcP8PI3JlQV88KzZ7NPPukN+Vi1FWiNTIPxMCGOcYg7uAZNnsFQwIKLrzHbw88Eo1579bt6kh/x9X2ffpTb5a31ezv3lsdu/g67e5PqGa2bde7oKyesIkMWW62N6tCAmXSpgrhAieQWkAavYP0ww6Csawl27ctzJrJjyTmNKJb0o+JPxvg8PNW0VuM0llj5vy3Mm42Y4OojCcglZonNPO1UERRck+Rs5YhG0kS8rL7R0G5jckYHqzXIZTDrVmMHQDtECvz4OBIpqUrtGjVtESS2FgnwX61EF4/dLKdXvHFExKfyOfQxFKePTDQDtLJdl429p9GzLZ9Y2ltgIoLw== ahoelzl@wikimedia.org

Update:
"AHoelzl-WMF" is not disabled, I can log in here: https://office.wikimedia.org/wiki/User:AHoelzl-WMF

https://phabricator.wikimedia.org/settings/user/Ahoelzl/page/external/
only lets me link my personal "Ahoelzl" mediawiki account, logging in with the "AHoelzl-WMF" credentials does not work.

Advice appreciated.

Thanks for the feedback.
@Aklapper I connected my Wikimedia Developer (LDAP) account with the Phabricator account and subsequently removed the personal MediaWiki account. However I'm having trouble adding the "AHoelzl-WMF" WMF ITS account. Is my "AHoelzl-WMF" account disabled after too many login attempts?

@Ahoelzl: Thanks a lot! As this is about your SUL account "AHoelzl-WMF" on https://www.mediawiki.org : If you cannot log in to that account, please try https://www.mediawiki.org/wiki/Special:PasswordReset . If that still does not help and you don't get an email within 24h, this would require WMF ITS or WMF T&S.
Note that your internal WMF account on office.wikimedia.org is separate from / unrelated to your one SUL account on both mediawiki.org && meta.wikimedia.org.

@RLazarus Here is the new production (non-shared) public key:
[...]

Thanks! That's a good key, we just need it verified outside of Phabricator in the same way you did your first one. If you can paste it to your officewiki user page, we'll be all set.

Regarding public keys:
Both are now published on the office wiki: https://office.wikimedia.org/wiki/User:AHoelzl-WMF

I don't seem to have a MediaWiki AHoelzl-WMF account:

The username AHoelzl-WMF is not registered on this wiki

@Ahoelzl: I apologize, my previous comments were likely confusing. (You cannot reset a password on mediawiki.org as it is a global SUL account and thus resets would have to happen on meta.wikimedia.org instead - sorry!)
https://meta.wikimedia.org/wiki/Special:CentralAuth?target=AHoelzl-WMF now lists mediawiki.org which it did not before. I think that implies that you have successfully logged into mediawiki.org? I'd expect the steps above in T345959#9156080 to function now, and you could link the MediaWiki account "AHoelzl-WMF" to your Phabricator account via https://phabricator.wikimedia.org/settings/panel/external/ ? Thanks. And sorry!

Thanks. With help of tech support I claimed my mediawiki.org AHoelzl-WMF account. It wasn't straightforward though ...
I was able to link it to Phabricator.

Are you unblocked from my side granting me access?
Thanks for your support.

It seems like this fell through the cracks between last week's SRE clinic duty (mine) and this week's. Let me finish it up for you, thanks for your patience.

Change 959843 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/puppet@production] admin: Add ahoelzl to analytics-privatedata-users

https://gerrit.wikimedia.org/r/959843

Change 959843 merged by RLazarus:

[operations/puppet@production] admin: Add ahoelzl to analytics-privatedata-users

https://gerrit.wikimedia.org/r/959843

RLazarus claimed this task.

Done:

  • Added you to the wmf LDAP group.
  • Added you to the WMF-NDA Phabricator project.
  • Created your shell user ahoelzl and added it to the analytics-privatedata-users POSIX group.
  • Created your Kerberos principal.

It will take up to 30 minutes for your SSH access to be enabled fleetwide, so wait at least that long and then try logging in. You should also have an email with instructions to change the password on your Kerberos principal; you may need to wait out that 30 minutes (even though you got the email already), then you should do that.

I'm resolving the ticket, but feel free to reopen it (or ping me directly on IRC or Slack) if your new access doesn't work for any reason. Sorry about the delay.