Page MenuHomePhabricator

Requesting access to wmf for arinaigum
Closed, ResolvedPublicRequest


Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: arinaigum
  • Email address:
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzNo2UCmxKiKKfgMve02fZ/hGCYsWr+mI3D/rHeOsT2 arina@wmf3439
  • Requested group membership: wmf, analytics-privatedata-users
  • Reason for access: New staff member on the Community Growth team, analyzing data on readers, editors and content.
  • Name of approving party (manager for WMF/WMDE staff): Rebecca Maung
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see

Event Timeline

@Arinaigu can you add analytics-privatedata-users to "Requested group membership"

Arinaigu updated the task description. (Show Details)
Arinaigu updated the task description. (Show Details)

There seems to be a problem with my developer account as well. I created my developer account through the IDM signup page last week, but I haven't received a confirmation email or any other notification that my developer account has been created. So, I am not sure whether my developer account has been created.
Here's what happens when I try to use my developer/wikitech account:

  • if I follow a link to a WikiTech page like this one, I can see the content on it, and in the top right corner I see a login button, which suggests that I am not logged in.
  • when I click on that login button and try to login on this page with my developer account credentials, I get an error message saying that my password or username is incorrect.
  • when I click the link at the top of that page to reset my password via, I get to this page and see this:
    image.png (1×1 px, 60 KB)
  • There's no option to log out.

I seem to be both logged out and logged in at the same time. It is quite possible that I did something wrong when I created my developer account during my first few days of onboarding. Not having my developer account will probably impede this ticket, so I am adding this information here. If it's better to create a separate ticket for troubleshooting my developer/wikitech account creation, I am happy to do that.

An update on my attempts to figure out my developer/wikitech account creation issue:

I don't know what the difference is between IDM and IDP in terms of account creation, and I wonder if I used the wrong link to create my developer account.

For more context, if I go to the IDM login page and click on the "Wikimedia Developer Single Sign On" button, I get this:

image.png (1×2 px, 260 KB)

There seems to be a problem with my developer account as well.

Hi! It seems the problem is there is an account "Arinaugu" without the trailing "m". (vs arinaigum which you listed here on the ticket).

Feel free to just make a new user at the IDM login page.

Hi! I created the account Arinaigu for Meta Wikimedia and MediaWiki. Then I created a separate developer/Wikitech account arinaigum. I think I read somewhere in the documentation that those accounts' usernames should be different, though I could have misinterpreted something in my first week here. The way I created them, those two accounts are separate, and the developer/Wikitech account is spelled correctly on the ticket: arinaigum.

You do have a developer account, and the fact that you can log in to and confirms that. The problem with logging in to seems to be that your account was created when T355615 allowed the creation of accounts with usernames that do not meet MediaWiki/Wikitech requirements, I will let @SLyngshede-WMF follow up on how to fix that.

Hi! It seems the problem is there is an account "Arinaugu" without the trailing "m". (vs arinaigum which you listed here on the ticket).

I do not see how that is related? (Nor do I see an account with that name in the developer account directory.)

Hi @Arinaigu, let's try to untangle what is going wrong :-)

You have two username, as you point out: because that's what the guides tell you to.
One username is for and everythings related to that, e.g. OfficeWiki, Wikipedia, things like that. In your case that is "arinaigu". We don't need to worry anymore about this account. You can go to and try to sign in, hopefully that should just work.

The other username is for Wikitech and various systems you'll be needing for data analysis, that is the "arinaugum" username, this is also the one that needs the extra privileges. This is also the account that's referred to as your developer account.

Could you try to sign into, I believe that fixes the error on your account, if not I'll deal with that bit.

I'll check with clinic duty and see if we can get your permissions applied.

Arnoldokoth changed the task status from Open to In Progress.Jan 26 2024, 11:07 AM
Arnoldokoth updated the task description. (Show Details)

Hi @SLyngshede-WMF , I've tried logging in with the "arinaigum" (not "arinaugum" as you have in your comment, I assumed that was a typo) again this morning, and I am still getting the same error.

image.png (1×2 px, 216 KB)

@Arinaigu Your account should be fixed now. Please try to login to using "Arinaigum" as your username.

@SLyngshede-WMF it worked! I can login to wikitech now.

Just tagging @Eevans and @BBlack as I believe you are the Clinic duty SREs?

for clinic duty: this ticket mixes an LDAP access request (wmf) and a shell access request ( analytics-privatedata-users), which are different types of groups and usually different processes/tickets.

so this is both and in a single ticket

Though the for the latter, see "The analytics-privatedata-users Unix group is one of the more confusing groups as it can be configured in three different ways. Either: no ssh (no shell) and no Kerberos; no Kerberos (standard admin.yaml) or as a shell account with Kerberos. ".

I think the next step isto find out which of the 3 options it is.

Thank you @Dzahn -- this would be a shell account with Kerberos.

What are our next steps here? Is there something else we need to do on our end or is it up to the Clinic SRE now?

I've asked for off band validation of the SSH Key then will be proceeding with the patch and the next steps

The SSH public key I provided on the ticket is newly created and has not been used for WMCS or anything else. What else is needed to do the off band validation?

The SSH public key I provided on the ticket is newly created and has not been used for WMCS or anything else. What else is needed to do the off band validation?

Confirming the key is valid via anything that matches ~ "via a direct communication outside of Phabricator.".

Change 995006 had a related patch set uploaded (by Arnaudb; author: Arnaudb):

[operations/puppet@production] admin: add arinaigum to users

Change 995006 merged by Arnaudb:

[operations/puppet@production] admin: add arinaigum to users

ABran-WMF claimed this task.

everything should be settled now