Please add the research airflow system user to the stat machines (e.g. to see yarn logs), as for other similar users.
$ ls /etc/security/keytabs/ analytics-ml analytics-privatedata analytics-product analytics-search analytics-wmde
Description
Description
Details
Details
Related Changes in Gerrit:
Event Timeline
Comment Actions
Change #1193117 had a related patch set uploaded (by Stevemunene; author: Stevemunene):
[operations/puppet@production] Add the analytics-research keytab to the stat boxes
Comment Actions
Change #1193314 had a related patch set uploaded (by Stevemunene; author: Stevemunene):
[labs/private@master] Add dummy keytabs for analytics-research on stat servers
Comment Actions
created the keytabs for the stat hosts and added them
stat1008.eqiad.wmnet,create_princ,analytics-research stat1008.eqiad.wmnet,create_keytab,analytics-research stat1010.eqiad.wmnet,create_princ,analytics-research stat1010.eqiad.wmnet,create_keytab,analytics-research stat1009.eqiad.wmnet,create_princ,analytics-research stat1009.eqiad.wmnet,create_keytab,analytics-research stat1011.eqiad.wmnet,create_princ,analytics-research stat1011.eqiad.wmnet,create_keytab,analytics-research stevemunene@krb1002:~$ sudo generate_keytabs.py --realm WIKIMEDIA research.txt analytics-research/stat1008.eqiad.wmnet@WIKIMEDIA Entry for principal analytics-research/stat1008.eqiad.wmnet@WIKIMEDIA with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/srv/kerberos/keytabs/stat1008.eqiad.wmnet/analytics-research/analytics-research.keytab. analytics-research/stat1010.eqiad.wmnet@WIKIMEDIA Entry for principal analytics-research/stat1010.eqiad.wmnet@WIKIMEDIA with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/srv/kerberos/keytabs/stat1010.eqiad.wmnet/analytics-research/analytics-research.keytab. analytics-research/stat1009.eqiad.wmnet@WIKIMEDIA Entry for principal analytics-research/stat1009.eqiad.wmnet@WIKIMEDIA with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/srv/kerberos/keytabs/stat1009.eqiad.wmnet/analytics-research/analytics-research.keytab. analytics-research/stat1011.eqiad.wmnet@WIKIMEDIA Entry for principal analytics-research/stat1011.eqiad.wmnet@WIKIMEDIA with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/srv/kerberos/keytabs/stat1011.eqiad.wmnet/analytics-research/analytics-research.keytab.
Comment Actions
Change #1193314 merged by Stevemunene:
[labs/private@master] Add dummy keytabs for analytics-research on stat servers
Comment Actions
Change #1193117 merged by Stevemunene:
[operations/puppet@production] Add the analytics-research keytab to the stat boxes
Comment Actions
analytics-research user has been added to stat hosts, @fkaelin please confirm that this works as expected
stevemunene@cumin1003:~$ sudo cumin 'stat1*.eqiad.wmnet' 'ls /etc/security/keytabs/' 4 hosts will be targeted: stat[1008-1011].eqiad.wmnet OK to proceed on 4 hosts? Enter the number of affected hosts to confirm or "q" to quit: 4 ===== NODE GROUP ===== (4) stat[1008-1011].eqiad.wmnet ----- OUTPUT of 'ls /etc/security/keytabs/' ----- analytics-ml analytics-privatedata analytics-product analytics-research analytics-search analytics-wmde ================ PASS |██████████████████████████████████████████████████████████████████████████████████████████████████| 100% (4/4) [00:00<00:00, 7.63hosts/s] FAIL | | 0% (0/4) [00:00<?, ?hosts/s] 100.0% (4/4) success ratio (>= 100.0% threshold) for command: 'ls /etc/security/keytabs/'. 100.0% (4/4) success ratio (>= 100.0% threshold) of nodes successfully executed all commands. stevemunene@cumin1003:~$
Comment Actions
Change #1193412 had a related patch set uploaded (by Stevemunene; author: Stevemunene):
[operations/puppet@production] Add the analytics-research-admin group to stat admins
Comment Actions
Thank you for the update. I think /etc/sudoers.d/ also has to be updated, i.e. sudo -u analytics-research ls still asks for a password.
$ ls /etc/sudoers.d/analytics-* /etc/sudoers.d/analytics-admins /etc/sudoers.d/analytics-ml-users /etc/sudoers.d/analytics-privatedata-users /etc/sudoers.d/analytics-product-users /etc/sudoers.d/analytics-search-users /etc/sudoers.d/analytics-wmde-users
Comment Actions
Change #1193412 merged by Stevemunene:
[operations/puppet@production] Add the analytics-research-admin group to stat admins
Comment Actions
Thanks @fkaelin this has been updated.
stevemunene@cumin1003:~$ sudo cumin 'stat1*.eqiad.wmnet' 'ls /etc/sudoers.d/analytics-*' 4 hosts will be targeted: stat[1008-1011].eqiad.wmnet OK to proceed on 4 hosts? Enter the number of affected hosts to confirm or "q" to quit: 4 ===== NODE GROUP ===== (4) stat[1008-1011].eqiad.wmnet ----- OUTPUT of 'ls /etc/sudoers.d/analytics-*' ----- /etc/sudoers.d/analytics-admins /etc/sudoers.d/analytics-ml-users /etc/sudoers.d/analytics-privatedata-users /etc/sudoers.d/analytics-product-users /etc/sudoers.d/analytics-research-admins /etc/sudoers.d/analytics-search-users /etc/sudoers.d/analytics-wmde-users ================ PASS |███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 100% (4/4) [00:00<00:00, 7.47hosts/s] FAIL | | 0% (0/4) [00:00<?, ?hosts/s] 100.0% (4/4) success ratio (>= 100.0% threshold) for command: 'ls /etc/sudoers.d/analytics-*'. 100.0% (4/4) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.