Page MenuHomePhabricator
Create Task
Maniphest T374637

Decide how to make datasets owned by analytics-search-users also readable by analytics-privatedata-users
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

Some of the data generated and owned by analytics-search-users might be of some value to others, esp. if we're starting to advertise them via datahub (T374118).

Search dataset containing no PII should definitely world readable but the ones containing PII should probably be readable only by analytics-search-users and analytics-privatedata-users.

Possible ideas:

Related Objects

Event Timeline

dcausse created this task.Sep 12 2024, 3:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 12 2024, 3:58 PM
Ottomata subscribed.Sep 12 2024, 7:26 PM

I think everyone in analytics-search-users is in analytics-privatedata-users (otherwise no hadoop access).

Can you just chgrp these all to analytics-privatedata-users?

JAllemandou added a comment.Sep 13 2024, 10:04 AM

The reason we originally started using different users/groups was to silo permissions.
I think it's still good to have different writing abilities and read abilities: only search-user can write to this datasets, but we wish all private-data-users to be able to read.

BTullis subscribed.Sep 13 2024, 10:06 AM
CodeReviewBot added a project: Patch-For-Review.Sep 13 2024, 8:26 PM

ebernhardson opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/827

search: Standardize created file permissions

EBernhardson added a comment.EditedSep 13 2024, 10:09 PM

For future files created by spark:

  • we set spark.hadoop.fs.permissions.umask-mode: 0022 for explicitly public data. We can set that to 0027 everywhere else and spark should create the files with expected permissions
  • Per hdfs documentation the group of created files and directories is set by the parent directory group. Testing with the pyspark shell this appears to be the case.

For files already in hdfs:

  • In a quick test it appears that hdfs dfs -chmod -R will apply the same permissions to files and directories, but we want 750 on dirs and 640 on files. So we can't use the native recursive chmod directly.
  • hdfs dfs -find does not support -type d or -type f.

The following commands use an alias to become analytics-search:

  • alias krc='sudo -u analytics-search kerberos-run-command analytics-search

Fixing ownership:

/mnt/hdfs/$ krc hdfs dfs -chown -R analytics-search:analytics-privatedata-users /wmf/data/discovery

Fixing current directory permissions:
Updated permissions: drwxr-x---

/mnt/hdfs/$ find wmf/data/discovery/ \
    -type d -print0 \
    | xargs -0 printf -- '/%s\0' \
    | krc xargs -0 hdfs dfs -chmod 750

Fixing current file permissions. In theory we could probably skip this and let the directories handle access, but seems best to make it all nice and tidy:
Updated permissions: -rw-r-----

/mnt/hdfs/$ find wmf/data/discovery/ \
    -type d -print0 \
    | xargs -0 printf -- '/%s\0' \
    | krc xargs -0 hdfs dfs -chmod 640

Then I had to go back and make the directories/files we explicitly mark public (via umask of 0022) back to public, along with their parent directories up to /wmf/data/discovery:

  • /wmf/data/discovery/cirrus/index
  • /wmf/data/discovery/cirrus/index_without_content
  • /wmf/data/discovery/query_service
  • /wmf/data/discovery/wikidata
  • /wmf/data/discovery/wdqs
  • /wmf/data/discovery/wcqs

Via the commands:
Updated permissions: drwxr-xr-x

/mnt/hdfs$ find wmf/data/discovery/{cirrus/index,cirrus/index_without_content,query_service,wikidata,wdqs,wcqs} \
    -type d -print0 \
    | xargs -0 printf -- '/%s\0' \
    | krc xargs -0 hdfs dfs -chmod 755

Updated permissions: -rw-r--r--

/mnt/hdfs$ find wmf/data/discovery/{cirrus/index,cirrus/index_without_content,query_service,wikidata,wdqs,wcqs} \
    -type f -print0 \
    | xargs -0 printf -- '/%s\0' \
    | krc xargs -0 hdfs dfs -chmod 644
dr0ptp4kt moved this task from needs triage to Current work on the Discovery-Search board.Sep 16 2024, 3:29 PM
dr0ptp4kt edited projects, added Discovery-Search (Current work); removed Discovery-Search.
dr0ptp4kt assigned this task to EBernhardson.Sep 16 2024, 3:33 PM
dr0ptp4kt triaged this task as Medium priority.
dr0ptp4kt set the point value for this task to 2.
dr0ptp4kt moved this task from Incoming to In Progress on the Discovery-Search (Current work) board.
CodeReviewBot added a comment.Sep 16 2024, 4:16 PM

ebernhardson merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/827

search: Standardize created file permissions

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2024, 4:31 PM
EBernhardson moved this task from In Progress to Needs Reporting on the Discovery-Search (Current work) board.Sep 16 2024, 6:55 PM
Gehel closed this task as Resolved.Sep 20 2024, 9:04 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits