Page MenuHomePhabricator
Create Task
Maniphest T366146

Create a sanitarium redaction cookbook
Closed, ResolvedPublic
Actions

Description

Once a new wiki is created we need to sanitize the data and create grants on sanitarium hosts. This process should ideally done via cookbook, the process would be something like:

cookbook $HOSTS $SECTION $WIKINAME -t $TASKID

Hosts: Sanitarium hosts
Section: The section where the new wiki was created (by default as of today is s5 but this could change)
Wikiname: The wiki to be sanitized
Phabricator task regarding to the wiki storage creation, example task: T314645

  • Locally: Run the following on each host: redact_sanitarium.sh -d $WIKI -S /run/mysqld/mysqld.$SECTION.sock | mysql -S /run/mysqld/mysqld.$SECTION.sock $WIKI
  • Locally: Run the following on each host: check_private_data.py -S /run/mysqld/mysqld.$SECTION.sock | mysql -S /run/mysqld/mysqld.$SECTION.sock
  • Locally: Double check all private data is gone by running: check_private_data.py -S /run/mysqld/mysqld.$SECTION.sock

If the above is successful run the following - if the data isn't sanitized or any of the above steps above it should abort and never continue with the following steps:

  • Remotely (can be done from cumin hosts by doing db-mysql $HOST:$PORT: Connect to the sanitarium host section and grab the clouddb hosts that hang from them by running: "show slave hosts"
  • Remotely connect to those clouddb hosts and run the following commands:
set session sql_log_bin=0;
create database $WIKI_p;
GRANT SELECT, SHOW VIEW ON `$WIKI_p`.* TO `labsdbuser`;

Once the above is done, if possible create an automated comment on the phabricator task saying:

  • Wiki sanitized
  • Database "_p" created
  • Grants assigned to labsdbuser
  • Wiki ready for views creation

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
sanitize-wiki.py: Improve loggingoperations/cookbooksmaster+12 -9
sre.mysql.sanitize-wiki - handle multiple hostsoperations/cookbooksmaster+11 -8
sre.mysql.sanitize-wiki: sanitize wiki cookbookoperations/cookbooksmaster+189 -0
aliases.yaml: add db-clouddb-sanitzationoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

Marostegui created this task.May 29 2024, 9:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 29 2024, 9:29 AM
ABran-WMF claimed this task.May 29 2024, 10:05 AM
ABran-WMF triaged this task as Medium priority.
ABran-WMF moved this task from Triage to Ready on the DBA board.

thanks for the creation @Marostegui !

ABran-WMF moved this task from Ready to Blocked on the DBA board.Jun 12 2024, 8:17 AM
ABran-WMF added a project: Data-Persistence-Automations.Aug 21 2024, 7:06 AM
ABran-WMF removed ABran-WMF as the assignee of this task.Sep 3 2024, 10:32 AM
ABran-WMF mentioned this in T371759: Prepare and check storage layer for bdrwiki.Sep 9 2024, 8:29 AM
BTullis subscribed.Sep 9 2024, 8:33 AM
ABran-WMF merged a task: T377174: Cookbook PII cleaner.Oct 15 2024, 2:13 PM
ABran-WMF moved this task from Todo to Doing on the Data-Persistence-Automations board.
ABran-WMF added subscribers: Ladsgroup, elukey.
gerritbot added a comment.Oct 15 2024, 2:15 PM

Change #1080129 had a related patch set uploaded (by Arnaudb; author: Arnaudb):

[operations/cookbooks@master] mariadb: pii cleaner cookbook

https://gerrit.wikimedia.org/r/1080129

gerritbot added a project: Patch-For-Review.Oct 15 2024, 2:15 PM
ABran-WMF moved this task from Doing to External dep/In review on the Data-Persistence-Automations board.Oct 17 2024, 9:30 AM
ABran-WMF claimed this task.Oct 24 2024, 7:36 AM
ABran-WMF removed a project: DBA.

cookbook has been tested T375016#10257795 and other newly created wikis that were alarming on PII
pending review to be merged

ABran-WMF changed the task status from Open to Stalled.Oct 24 2024, 7:37 AM
Marostegui added a project: DBA.Nov 6 2024, 11:39 AM
Marostegui moved this task from Blocked to In progress on the DBA board.
gerritbot added a comment.Nov 13 2024, 2:11 PM

Change #1090859 had a related patch set uploaded (by Arnaudb; author: Arnaudb):

[operations/puppet@production] aliases.yaml: add db-clouddb-sanitzation

https://gerrit.wikimedia.org/r/1090859

ABran-WMF changed the task status from Stalled to In Progress.Nov 13 2024, 2:23 PM
gerritbot added a comment.Dec 2 2024, 12:50 PM

Change #1090859 merged by Arnaudb:

[operations/puppet@production] aliases.yaml: add db-clouddb-sanitzation

https://gerrit.wikimedia.org/r/1090859

ABran-WMF removed ABran-WMF as the assignee of this task.Jan 13 2025, 3:44 PM
FCeratto-WMF subscribed.Jan 20 2025, 10:49 AM
FCeratto-WMF claimed this task.Jan 22 2025, 2:20 PM
ABran-WMF unsubscribed.Jan 23 2025, 8:30 AM
FCeratto-WMF added a comment.Feb 24 2025, 9:29 AM

I'm taking over the already existing CR https://gerrit.wikimedia.org/r/c/operations/cookbooks/+/1080129

gerritbot added a comment.Feb 25 2025, 3:37 PM

Change #1080129 merged by Federico Ceratto:

[operations/cookbooks@master] sre.mysql.sanitize-wiki: sanitize wiki cookbook

https://gerrit.wikimedia.org/r/1080129

Marostegui added a comment.Feb 25 2025, 3:54 PM
$ sudo cookbook sre.mysql.sanitize-wiki
usage: cookbook [GLOBAL_ARGS] sre.mysql.sanitize-wiki [-h] --wiki WIKI [--check-only] --task TASK [--only-grant-and-view]
cookbook [GLOBAL_ARGS] sre.mysql.sanitize-wiki: error: the following arguments are required: --wiki, --task

Nice :)
I think this task can be resolved until we test it, if there's something missing/wrong, we can reopen

Maintenance_bot removed a project: Patch-For-Review.Feb 25 2025, 4:31 PM
Marostegui closed this task as Resolved.Feb 27 2025, 6:38 AM
Maintenance_bot moved this task from In progress to Done on the DBA board.Feb 27 2025, 7:29 AM
Marostegui mentioned this in T388652: Prepare and check storage layer for tlwikisource.Mar 12 2025, 12:24 PM
gerritbot added a comment.Apr 25 2025, 1:35 PM

Change #1139035 had a related patch set uploaded (by Federico Ceratto; author: Federico Ceratto):

[operations/cookbooks@master] sre.mysql.sanitize-wiki - handle multiple hosts

https://gerrit.wikimedia.org/r/1139035

gerritbot added a project: Patch-For-Review.Apr 25 2025, 1:35 PM
gerritbot added a comment.May 21 2025, 9:00 AM

Change #1139035 merged by Federico Ceratto:

[operations/cookbooks@master] sre.mysql.sanitize-wiki - handle multiple hosts

https://gerrit.wikimedia.org/r/1139035

Maintenance_bot removed a project: Patch-For-Review.May 21 2025, 9:31 AM
gerritbot added a comment.Sep 26 2025, 1:31 PM

Change #1191689 had a related patch set uploaded (by Federico Ceratto; author: Federico Ceratto):

[operations/cookbooks@master] sanitize-wiki.py: Improve logging

https://gerrit.wikimedia.org/r/1191689

gerritbot added a project: Patch-For-Review.Sep 26 2025, 1:31 PM
gerritbot added a comment.Oct 14 2025, 8:17 AM

Change #1191689 merged by Federico Ceratto:

[operations/cookbooks@master] sanitize-wiki.py: Improve logging

https://gerrit.wikimedia.org/r/1191689

Maintenance_bot removed a project: Patch-For-Review.Oct 14 2025, 8:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits