Page MenuHomePhabricator
Create Task
Maniphest T370424

Streamline Data Platform access approvals for WMF staff
Closed, ResolvedPublic
Actions

Description

WMF staff often need access to Data Platform systems. There are varying levels of possible access. We always rubber stamp approve WMF staff access. Sometimes we need to clarify which access they need, but we always approve.

Proposal: Instead of requiring approval for this access (especially analytics-privatedata-users group), automatically approve WMF staff access requests.

The current list of approvers for analytics-privatedata-users is here:

https://github.com/wikimedia/operations-puppet/blob/b7f385bf82811e65c45fc7768efc1abb44fee42b/modules/admin/data/data.yaml#L408-L413

NOTE: We should not change approvers for admin groups.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin - explicit approval not needed for analytics-privatedata-usersoperations/puppetproduction+5 -0
Customize query in gerrit

Related Objects

Event Timeline

Ottomata created this task.Jul 18 2024, 2:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2024, 2:58 PM
Ottomata added a subscriber: Dzahn.Jul 18 2024, 3:07 PM
odimitrijevic added a comment.Jul 18 2024, 3:52 PM

Thanks @Ottomata. Ftr, I approve the proposal.

SLyngshede-WMF removed a project: SRE-Access-Requests.Aug 5 2024, 1:22 PM
SLyngshede-WMF subscribed.

@Ottomata I'm just removing the SRE-Access-Requests tag to remove this from the Clinic Duty dashboard.

BTullis subscribed.Aug 8 2024, 2:33 PM

This sounds sensible to me, too.
Given that we have approval for the proposal as it stands, how do we proceed?

Do we just need to update the guidelines on Wikitech?

Should we still retain the list of approvers, for when nda or other non-staff members might request access?

Ottomata added a comment.Aug 8 2024, 3:13 PM

That and maybe some comments in puppet admin data.yaml to instruct SREs on the right thing to do?

Gehel triaged this task as Medium priority.Aug 14 2024, 8:38 AM
Gehel moved this task from Incoming to Access request / user management on the Data-Platform-SRE board.
Ottomata claimed this task.Oct 17 2024, 5:55 PM
Ahoelzl edited projects, added Data-Engineering (Q2 2024 October 1st - December 31th); removed Data-Engineering.Oct 17 2024, 5:55 PM
gerritbot added a comment.Oct 24 2024, 5:40 PM

Change #1082826 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/puppet@production] admin data.yaml - explicit approval is not needed for analytics-privatedata-users

https://gerrit.wikimedia.org/r/1082826

gerritbot added a project: Patch-For-Review.Oct 24 2024, 5:40 PM
Ottomata added a comment.Oct 24 2024, 5:41 PM

Updated docs:
https://wikitech.wikimedia.org/w/index.php?title=SRE%2FProduction_access&diff=2238869&oldid=2235497

Submitted patch with comment in admin data.yaml puppet:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/1082826/1/modules/admin/data/data.yaml#459

Ottomata moved this task from Next Up to In Review on the Data-Engineering (Q2 2024 October 1st - December 31th) board.Oct 24 2024, 5:42 PM
MoritzMuehlenhoff subscribed.Oct 25 2024, 6:35 AM
In T370424#10051517, @BTullis wrote:

This sounds sensible to me, too.
Given that we have approval for the proposal as it stands, how do we proceed?

Do we just need to update the guidelines on Wikitech?

Should we still retain the list of approvers, for when nda or other non-staff members might request access?

For now updating wikitech and a comment in data.yaml are fine. Mid-term the approval management will move to Bitu/idm.wikimedia.org and there is already support for auto-approvals based on prior conditions (such has "has a @wikimedia.org address" and "has active NDA")

MoritzMuehlenhoff added a comment.Oct 25 2024, 6:40 AM

What's the rationale for treating non-staff different? Is it intentional? If they have signed the necessary NDAs (which is validated independently anyway), why does that still need explicit approval as opposed to staff.

Historically this approval step was introduced because there was a case where someone ran a very heavy Hadoop query which had impact on other users of the cluster. And the approval was introduced to make sure that new Hadoop users familiarise themselves with the constraints of running queries. But I'd expect that for non-staff (let's say a researcher working with an existing staff analyst), the same introduction would happen anyway?

Ottomata added a comment.Oct 25 2024, 1:05 PM

Mid-term the approval management will move to Bitu/idm.wikimedia.org

COOL!

What's the rationale for treating non-staff different?

Good question. I think it was just easier to justify non approval for staff. There are more staff asking for approval and we always just auto approve, so it made sense to streamline. Non staff requests are less frequent, and I kind of like knowing about non staff that get access.

You are right though/ I don't think there are any safety reasons to need approval for non staff, and tagging Data-Engineering in the phab request should be sufficient for notification.

gerritbot added a comment.Oct 29 2024, 5:56 PM

Change #1082826 merged by Ottomata:

[operations/puppet@production] admin - explicit approval not needed for analytics-privatedata-users

https://gerrit.wikimedia.org/r/1082826

Ottomata added a comment.Oct 29 2024, 5:56 PM

Merged!

Ottomata moved this task from In Review to Done on the Data-Engineering (Q2 2024 October 1st - December 31th) board.Oct 29 2024, 5:56 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 29 2024, 6:31 PM
Ottomata added a comment.Oct 29 2024, 6:39 PM

Also updated docs here:
https://wikitech.wikimedia.org/w/index.php?title=SRE%2FClinic_Duty%2FAccess_requests&diff=2239783&oldid=2224064

Scott_French mentioned this in T380994: Requesting access to analytics-privatedata-users for Suzanne Wood (WMDE).Dec 9 2024, 10:11 PM
Scott_French mentioned this in T381824: Data Platform access streamlining for WMDE staff.Dec 9 2024, 10:53 PM
Scott_French subscribed.

See T381824 for potentially extending the same streamlining to WMDE staff.

Ahoelzl closed this task as Resolved.Jan 18 2025, 12:26 AM
isarantopoulos mentioned this in T384239: Requesting access to analytics-privatedata-users & Kerberos identity & deployment POSIX group & ml-team-admins for Georgios Kyziridis.Jan 21 2025, 10:10 AM
Gehel edited projects, added Data-Platform-SRE (2025.02.10 - 2025.02.28); removed Data-Platform-SRE.Feb 11 2025, 2:09 PM
Gehel moved this task from Backlog - project to Done on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.Feb 14 2025, 8:22 AM
Raine mentioned this in T407605: Requesting access to analytics-privatedata-users for vicaplet-wmde.Oct 23 2025, 12:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits