Requesting ssh & kerberos access to analytics-privatedata-users (with ssh & kerberos) for bdgreenlee
Closed, Resolved · Public · Request

Description

This is a follow-up to https://phabricator.wikimedia.org/T359417
Turns out I need ssh & kerberos access (to be able to query Hive). I'm not sure what the process is for just requesting that, as I'm already in analytics-privatedata-users.

Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: bdgreenlee
  • Email address: bgreenlee-ctr@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):

ssh-rsa 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 bgreenlee-ctr@wikimedia.org

  • Requested group membership: analytics-privatedata-users (with ssh & kerberos)
  • Reason for access: Data modeling
  • Name of approving party (manager for WMF/WMDE staff): @odimitrijevic
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

I have created the patch to add an SSH key and record the kerberos status.
Set the patch to -1 until I have verified the SSH key by another channel.

I have also generated a Kerberos principal.

btullis@krb1001:~$ sudo manage_principals.py create bdgreenlee --email_address=bdgreenlee-ctr@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to bdgreenlee-ctr@wikimedia.org

Change 1009810 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add SSH and kerberos access for bdgreenlee

https://gerrit.wikimedia.org/r/1009810

Change 1009810 merged by Btullis:

[operations/puppet@production] Add SSH and kerberos access for bdgreenlee

https://gerrit.wikimedia.org/r/1009810

BTullis updated the task description.
BTullis moved this task from Untriaged to Ready To Go on the SRE-Access-Requests board.

I accidentally used the wrong email address for the kerberos principal creation.

Deleted it and re-sent it.

btullis@krb1001:~$ sudo manage_principals.py delete bdgreenlee
Principal successfully deleted. Since the principal seems to be related to a user, make sure to update the krb flag in Puppet's data.yaml.
btullis@krb1001:~$ sudo manage_principals.py create bdgreenlee --email_address=bgreenlee-ctr@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to bgreenlee-ctr@wikimedia.org