Page MenuHomePhabricator
Create Task
Maniphest T353370

Requesting access to restricted production access and analytics-privatedata-users for Riddy Khan
Closed, ResolvedPublicRequest
Actions

Description

Wikitech username: Rkhan
Preferred shell username: rkhan
Email address: rkhan-ctr@wikimedia.org
SSH Key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnCxkKTSCsICHya+gc5pKMrJyd6mo+FBvczfOSFfnEuyRSFZ4ZZ1WZqktodJJPJvctBJMZ2RDYQz73iwnn+3g0+cz+Izk9v40tElH64iNDwKFcaK2xaRvIHNFj1yYwS+JIBIQ8qFp0InrkGO8gln85yme8JtO73c4Y6cP4xXObESSu2quU1J6kZP6y5FQdDq1wlUJv0j1ci94oizKDu97rhDpc4WSGcNO0/ktQPsyT8PhaKfangIeJWAjtd8IOVCh2nqtpwB4fd3dTMKLm6pMbu4JQldnKO2X4EWPg40HVrtCxh0T73+QFejaShJq98d47PWqdIBxn0kMB7isk54dBjpi+Z4fYGAHjZlftCmxXoiwXe6V5f8cDLbdy755YsALgckjs4h71MfC22mkPvkImhJVeqca3f7rWjzmN88QPYksheNYULHfI0yx8K8c80/cDAwdLiVaFUSTAkTVaI1JaoZIm35qpKkfbkmEz2+vKdoFP0SEF+pyQd1w/LGEQEqrbeHsAvKGm4WBngkSfCAPoSNbjbddwIsGJGCVnKl3BEkNdQHO6x3WRdohrTCJ7E29B9qX0UnffZyPtAr5fb94nBC/S/1AQ/850mbVUW8gE8CXG9pRIf/tQS3h9PYG16QryATWko/kfJBcSMx/hkWXuh4J7dsIcdyLLbcXRYrLwqQ== .

I'd like to request access for @Himejijo to what I believe will be the restricted group and analytics-privatedata-users (the same that @jrbs and @Nahid have). Trust & Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). T&S are transitioning one such such workflow to the Legal Privacy team, which Riddy is on. Riddy has received appropriate training for this workflow from T&S Operations (@jrbs).

Specifically the workflow Riddy will need to be able to perform (and need access for):

  • Lookup private information such as user email addresses when an account is requested for deletion (for identity verification)
  • Run maintenance scripts (mwmaint servers) to: remove a user email address when an account is requested for deletion (after identity verification)

Riddy has already signed the L3 agreement. @LMixter is the Legal Privacy team lead and I can have her comment here in support, if required. Please let me know if there are any issues or questions regarding this request (it's my first time filing it).

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

SubjectRepoBranchLines +/-
admin: add rkhan to analytics-privatedata-usersoperations/puppetproduction+11 -1
Customize query in gerrit

Event Timeline

ANakanishi_WMF created this task.Dec 13 2023, 7:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 13 2023, 7:58 PM
jhathaway subscribed.Dec 13 2023, 8:21 PM

@ANakanishi_WMF happy to help, they will first need a developer account, https://idm.wikimedia.org/signup, before I can proceed with this request.

ANakanishi_WMF added a comment.Dec 14 2023, 8:52 PM

@Himejijo can you follow up and create a developer account? Thanks!

Himejijo added a comment.EditedDec 14 2023, 9:15 PM
In T353370#9407923, @ANakanishi_WMF wrote:

@Himejijo can you follow up and create a developer account? Thanks!

Should already be created under rkhan, I think.

EDIT: I think they should be correctly linked now.

jhathaway updated the task description. (Show Details)Dec 15 2023, 8:51 PM

@ANakanishi_WMF please approve

jhathaway added a subscriber: Milimetric.Dec 15 2023, 8:55 PM

@Milimetric please approve

jhathaway moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.Dec 15 2023, 8:56 PM
ANakanishi_WMF added a comment.Dec 16 2023, 1:07 AM

@jhathaway I approve, thanks!

Aklapper added a comment.Dec 17 2023, 5:24 AM

@Himejijo: Hi, if you work for or provide services for WMF, please state so on https://phabricator.wikimedia.org/p/Himejijo/ and please link your LDAP account to your Phabricator account - thanks!

@ANakanishi_WMF: I'd appreciate if you could make sure that this ^ is part of your team's onboarding docs - thanks!

Himejijo added a comment.Dec 17 2023, 6:29 AM

@Aklapper Done and done.

gerritbot added a comment.Dec 18 2023, 4:30 PM

Change 983753 had a related patch set uploaded (by Herron; author: Herron):

[operations/puppet@production] admin: add rkhan to analytics-privatedata-users

https://gerrit.wikimedia.org/r/983753

gerritbot added a project: Patch-For-Review.Dec 18 2023, 4:30 PM
herron added subscribers: odimitrijevic, herron.Dec 18 2023, 4:44 PM

Hi @odimitrijevic , @Milimetric -- could you please review/approve this user addition to the analytics-privatedata-users group? Thanks in advance!

herron triaged this task as Medium priority.Dec 18 2023, 4:44 PM
herron updated the task description. (Show Details)
herron moved this task from Awaiting User Input to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.
odimitrijevic added a comment.Dec 21 2023, 11:25 PM

Approved

herron updated the task description. (Show Details)Dec 22 2023, 3:14 PM
gerritbot added a comment.Dec 22 2023, 5:26 PM

Change 983753 merged by Herron:

[operations/puppet@production] admin: add rkhan to analytics-privatedata-users

https://gerrit.wikimedia.org/r/983753

Maintenance_bot removed a project: Patch-For-Review.Dec 22 2023, 5:31 PM
herron closed this task as Resolved.Dec 22 2023, 5:37 PM
herron claimed this task.
herron moved this task from Manager/NDA Approval/Confirmation to Ready To Go on the SRE-Access-Requests board.

The requested access has been granted and will be live within the next 30 minutes. Transitioning to resolved, but please don't hesitate to reopen if any followup is needed. Thanks!

MoritzMuehlenhoff subscribed.Jan 2 2024, 9:00 AM

I've corrected the group membership; contractors should be in cn=wmf, the cn=nda LDAP group is for community members with a volunteer NDA.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL