Page MenuHomePhabricator
Create Task
Maniphest T354555

WDQS graph split hosts: Remove throttling/banning mechanisms and investigate external connectivity
Closed, ResolvedPublic
Actions

Description

Per IRC conversation with @dcausse , we have a couple of issues with the graph split hosts:

  • Querying the test hosts is resulting in bans: "You have been banned until 2024-01-09T19:15:34.264Z" . These hosts (all members of the 'test' tier) are not publicly accessible, so throttling/banning mechanisms can be removed.
  • Access to WDQS (from stat machines?) works via only cleartext port. Investigate why we can't access the test hosts' TLS ports.

Details

SubjectRepoBranchLines +/-
wdqs-test: Enable PKIoperations/puppetproduction+33 -15
wdqs: Enable TLS for test tieroperations/puppetproduction+1 -0
wdqs: disable query throttling on test serversoperations/puppetproduction+2 -0
Customize query in gerrit

Related Objects

Event Timeline

bking created this task.Jan 8 2024, 7:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 8 2024, 7:56 PM
gerritbot added a comment.Jan 9 2024, 1:56 PM

Change 989186 had a related patch set uploaded (by DCausse; author: DCausse):

[operations/puppet@production] wdqs: disable query throttling on test servers

https://gerrit.wikimedia.org/r/989186

gerritbot added a project: Patch-For-Review.Jan 9 2024, 1:56 PM
gerritbot added a comment.Jan 9 2024, 2:22 PM

Change 989186 merged by Bking:

[operations/puppet@production] wdqs: disable query throttling on test servers

https://gerrit.wikimedia.org/r/989186

Maintenance_bot removed a project: Patch-For-Review.Jan 9 2024, 2:30 PM
Gehel edited projects, added Data-Platform-SRE (2024.01.01 - 2024.01.21); removed Data-Platform-SRE.Jan 9 2024, 2:59 PM
bking updated the task description. (Show Details)Jan 9 2024, 4:45 PM
bking updated the task description. (Show Details)Jan 9 2024, 4:56 PM
bking updated the task description. (Show Details)Jan 9 2024, 5:05 PM
bking renamed this task from WDQS graph split hosts: Remove throttling/banning mechanisms and improve hadoop access to WDQS graph split hosts: Remove throttling/banning mechanisms and investigate external connectivity.Jan 9 2024, 5:09 PM
bking changed the task status from Open to In Progress.EditedJan 9 2024, 5:13 PM
bking moved this task from Backlog to Needs Review on the Data-Platform-SRE (2024.01.01 - 2024.01.21) board.
bking added a subscriber: BTullis.

Per pairing session with @BTullis , the wdqs test hosts are not running envoy, so only the cleartext ports are available. If TLS is required, we can enable it in puppet by inculding the profile::tlsproxy::envoy profile, as we do in modules/role/manifests/wdqs/public.pp.

dcausse let us know if you think we should enable TLS. If not, feel free to close out this ticket.

Update: We're going to take a stab at this for a couple of reasons:

gerritbot added a comment.Jan 9 2024, 7:41 PM

Change 989236 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] wdqs: Enable TLS for test tier

https://gerrit.wikimedia.org/r/989236

gerritbot added a project: Patch-For-Review.Jan 9 2024, 7:41 PM
gerritbot added a comment.Jan 9 2024, 8:18 PM

Change 989244 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] wdqs-test: Enable PKI

https://gerrit.wikimedia.org/r/989244

gerritbot added a comment.Jan 9 2024, 9:45 PM

Change 989236 abandoned by Bking:

[operations/puppet@production] wdqs: Enable TLS for test tier

Reason:

superseded by 989244

https://gerrit.wikimedia.org/r/989236

bking moved this task from Needs Review to In Progress on the Data-Platform-SRE (2024.01.01 - 2024.01.21) board.Jan 11 2024, 2:53 PM
gerritbot added a comment.Jan 11 2024, 9:46 PM

Change 989244 merged by Bking:

[operations/puppet@production] wdqs-test: Enable PKI

https://gerrit.wikimedia.org/r/989244

Maintenance_bot removed a project: Patch-For-Review.Jan 11 2024, 10:30 PM
bking closed this task as Resolved.Jan 11 2024, 10:47 PM
bking claimed this task.
bking moved this task from In Progress to Done on the Data-Platform-SRE (2024.01.01 - 2024.01.21) board.

Merging/applying the above patch added TLS to the test hosts, using the domain "wdqs-test.eqiad.wmnet". You can also access individual hosts by their FQDN (such as https://wdqs1022.eqiad.wmnet). Closing...

RKemper mentioned this in T354661: Generate TLS certs for new WDQS endpoints.Jan 16 2024, 7:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL