Page MenuHomePhabricator
Create Task
Maniphest T398075

Requesting access to airflow-an and statboxes for htriedman
Closed, ResolvedPublicRequest
Actions

Description

Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: htriedman
  • Email address: htriedman-ctr@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHZXGVblGTOgm+IWr1kL109Zchw3pgG97PioMWLP0JS haltriedman@MacBook-Pro.local

(Looking at my ssh config, I believe this is the same as my previous ssh public key. Happy to make a new one if necessary.)

  • Requested group membership: analytics-privatedata-users with Kerberos + airflow hosts
  • Reason for access: Currently working on developing and maintaining airflow scripts for collating and joining existing datasets for WME, which requires access to statboxes, spark, HDFS, and airflow. See wme-pageviews repo and differential-privacy repo, for example. Also previously had access to the requested resources from 2021-2025.
  • Name of approving party (manager for WMF/WMDE staff): @FNavas-foundation (can also tag someone higher-up if need be)
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Signed this a long time ago but please let me know if I need to sign again.
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • - User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - The provided SSH key has been confirmed out of band and is verified not being used in WMCS. (already on file)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)

[] - access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin::data: Update access for htriedmanoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Htriedman created this task.Jun 27 2025, 6:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2025, 6:29 PM
FNavas-foundation added a subscriber: HShaikh.Jun 27 2025, 6:35 PM

yes please, confirming @Htriedman need. @HShaikh fyi

Clement_Goubert changed the task status from Open to In Progress.Jun 30 2025, 10:41 AM
Clement_Goubert triaged this task as Medium priority.
Clement_Goubert added a project: Data-Engineering.
Clement_Goubert subscribed.

Hi,

As far as I can tell, you have access to the analytics-platform-eng-admins. Tagging Data-Engineering to clarify if additional access is required and to which groups.

Clement_Goubert updated the task description. (Show Details)Jun 30 2025, 10:43 AM

An old version of the L3 document was signed, could you sign the updated version as well, please?

Clement_Goubert claimed this task.Jun 30 2025, 10:45 AM
Clement_Goubert added a project: LDAP-Access-Requests.Jun 30 2025, 10:49 AM
Clement_Goubert moved this task from Backlog to Awaiting User Input on the LDAP-Access-Requests board.
Htriedman added a comment.Jun 30 2025, 10:06 PM

Hi @Clement_Goubert! When I navigate to the L3 document page, there's no option to sign again — any way I can be purged from the system on your end and/or reset that on my end?

Clement_Goubert added subscribers: brouberol, BTullis.Jul 1 2025, 10:58 AM
In T398075#10961146, @Htriedman wrote:

Hi @Clement_Goubert! When I navigate to the L3 document page, there's no option to sign again — any way I can be purged from the system on your end and/or reset that on my end?

Hmm there doesn't seem to be a way, I guess it's actually not necessary/possible to update signature. I'll tick that box then.

@BTullis @brouberol Could you advise on what access is needed for @Htriedman to have access to airflow? I will add the analytics-privatedata-users with Kerberos access.

gerritbot added a comment.Jul 1 2025, 11:01 AM

Change #1165485 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] admin::data: Update access for htriedman

https://gerrit.wikimedia.org/r/1165485

gerritbot added a project: Patch-For-Review.Jul 1 2025, 11:01 AM
Clement_Goubert updated the task description. (Show Details)Jul 1 2025, 11:02 AM
brouberol added a comment.Jul 1 2025, 11:49 AM

@Clement_Goubert: @Htriedman should have access to all airflow instances as part of being part of the wmf and nda LDAP groups. If he needs elevated permissions on a specific airflow instance, he'll need to be added to the associated airflow-<instance>-ops LDAP group as well.

Clement_Goubert added a comment.Jul 1 2025, 11:51 AM
In T398075#10962776, @brouberol wrote:

@Clement_Goubert: @Htriedman should have access to all airflow instances as part of being part of the wmf and nda LDAP groups. If he needs elevated permissions on a specific airflow instance, he'll need to be added to the associated airflow-<instance>-ops LDAP group as well.

Thanks @brouberol

@Htriedman can you confirm that your access is functional and resolve the task please?

gerritbot added a comment.Jul 1 2025, 12:03 PM

Change #1165485 merged by Clément Goubert:

[operations/puppet@production] admin::data: Update access for htriedman

https://gerrit.wikimedia.org/r/1165485

Maintenance_bot removed a project: Patch-For-Review.Jul 1 2025, 12:30 PM
Htriedman closed this task as Resolved.Jul 1 2025, 3:31 PM

@Clement_Goubert just verified that I can get into stat10XX and an-airflow100Y! Changing status to resolved now. Thanks for the help :)

Htriedman mentioned this in T398501: Requesting a kerberos identity - htriedman.Jul 2 2025, 8:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits