Requesting access to wmf for arinaigum
Closed, Resolved | Public | Request

Description

Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: arinaigum
  • Email address: aigumenshcheva@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzNo2UCmxKiKKfgMve02fZ/hGCYsWr+mI3D/rHeOsT2 arina@wmf3439
  • Requested group membership: wmf, analytics-privatedata-users
  • Reason for access: New staff member on the Community Growth team, analyzing data on readers, editors and content.
  • Name of approving party (manager for WMF/WMDE staff): Rebecca Maung
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

@Arinaigu can you add analytics-privatedata-users to "Requested group membership"

Arinaigu updated the task description.

There seems to be a problem with my developer account as well. I created my developer account through the IDM signup page last week, but I haven't received a confirmation email or any other notification that my developer account has been created. So, I am not sure whether my developer account has been created.
Here's what happens when I try to use my developer/wikitech account:

  • if I follow a link to a WikiTech page like this one, I can see the content on it, and in the top right corner I see a login button, which suggests that I am not logged in.
  • when I click on that login button and try to log in on this page with my developer account credentials, I get an error message saying that my password or username is incorrect.
  • when I click the link at the top of that page to reset my password via idm.wikimedia.org, I get to this page and see this:
    image.png (1×1 px, 60 KB)
  • There's no option to log out.

I seem to be both logged out and logged in at the same time. It is quite possible that I did something wrong when I created my developer account during my first few days of onboarding. Not having my developer account will probably impede this ticket, so I am adding this information here. If it's better to create a separate ticket for troubleshooting my developer/wikitech account creation, I am happy to do that.

An update on my attempts to figure out my developer/wikitech account creation issue:

I don't know what the difference is between IDM and IDP in terms of account creation, and I wonder if I used the wrong link to create my developer account.

For more context, if I go to the IDM login page and click on the "Wikimedia Developer Single Sign On" button, I get this:

image.png (1×2 px, 260 KB)

There seems to be a problem with my developer account as well.

Hi! It seems the problem is there is an account "Arinaugu" without the trailing "m". (vs arinaigum which you listed here on the ticket).

Feel free to just make a new user at the IDM login page.

Hi! I created the account Arinaigu for Meta Wikimedia and MediaWiki. Then I created a separate developer/Wikitech account arinaigum. I think I read somewhere in the documentation that those accounts' usernames should be different, though I could have misinterpreted something in my first week here. The way I created them, those two accounts are separate, and the developer/Wikitech account is spelled correctly on the ticket: arinaigum.

You do have a developer account, and the fact that you can log in to https://idm.wikimedia.org and https://idp.wikimedia.org confirms that. The problem with logging in to https://wikitech.wikimedia.org seems to be that your account was created when T355615 allowed the creation of accounts with usernames that do not meet MediaWiki/Wikitech requirements. I will let @SLyngshede-WMF follow up on how to fix that.

Hi! It seems the problem is there is an account "Arinaugu" without the trailing "m". (vs arinaigum which you listed here on the ticket).

I do not see how that is related? (Nor do I see an account with that name in the developer account directory.)

Hi @Arinaigu, let's try to untangle what is going wrong :-)

You have two usernames, as you point out, because that's what the guides tell you to do.
One username is for meta.wikimedia.org and everything related to that, e.g. OfficeWiki, Wikipedia, things like that. In your case that is "arinaigu". We don't need to worry anymore about this account. You can go to https://meta.wikimedia.org/ and try to sign in; hopefully that should just work.

The other username is for Wikitech and various systems you'll be needing for data analysis, that is the "arinaugum" username, this is also the one that needs the extra privileges. This is also the account that's referred to as your developer account.

Could you try to sign into https://wikitech.wikimedia.org? I believe that fixes the error on your account; if not, I'll deal with that bit.

I'll check with clinic duty and see if we can get your permissions applied.

Arnoldokoth changed the task status from Open to In Progress. Jan 26 2024, 11:07 AM
Arnoldokoth updated the task description.

Hi @SLyngshede-WMF, I've tried logging in with the "arinaigum" (not "arinaugum" as you have in your comment, I assumed that was a typo) again this morning, and I am still getting the same error.

image.png (1×2 px, 216 KB)

@Arinaigu Your account should be fixed now. Please try to log in to https://wikitech.wikimedia.org/ using "Arinaigum" as your username.

@SLyngshede-WMF it worked! I can log in to wikitech now.

Just tagging @Eevans and @BBlack as I believe you are the Clinic duty SREs?

for clinic duty: this ticket mixes an LDAP access request (wmf) and a shell access request (analytics-privatedata-users), which are different types of groups and usually different processes/tickets.

so this is both https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#WMF_Group and https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#analytics-privatedata-users in a single ticket

Though for the latter, see "The analytics-privatedata-users Unix group is one of the more confusing groups as it can be configured in three different ways. Either: no ssh (no shell) and no Kerberos; no Kerberos (standard admin.yaml) or as a shell account with Kerberos."

I think the next step is to find out which of the 3 options it is.

Thank you @Dzahn -- this would be a shell account with Kerberos.

What are our next steps here? Is there something else we need to do on our end or is it up to the Clinic SRE now?

I've asked for off band validation of the SSH Key then will be proceeding with the patch and the next steps

The SSH public key I provided on the ticket is newly created and has not been used for WMCS or anything else. What else is needed to do the off band validation?

The SSH public key I provided on the ticket is newly created and has not been used for WMCS or anything else. What else is needed to do the off band validation?

Confirming the key is valid via anything that matches ~ "via a direct communication outside of Phabricator.".

Change 995006 had a related patch set uploaded (by Arnaudb; author: Arnaudb):

[operations/puppet@production] admin: add arinaigum to users

https://gerrit.wikimedia.org/r/995006

Change 995006 merged by Arnaudb:

[operations/puppet@production] admin: add arinaigum to users

https://gerrit.wikimedia.org/r/995006

ABran-WMF claimed this task.

everything should be settled now