Requesting access to analytics-privatedata-users for SKaram-WMF
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

  • Wikimedia developer account username: skaramwmf
  • Email address: skaram@wikimedia.org
  • SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFp06a9dgJr3jKhReAR18W+NGdMPAGjtUw523bJ3nef .
  • Requested group membership: analytics-privatedata-users
  • Requested LDAP group membership: wmf
  • Requested kerberos principal: yes
  • Reason for access:

I'd like to request membership in the ‘analytics-privatedata-users’ group for @SKaram-WMF. She is a member of the Trust and Safety team at the Foundation and requires this access for her regular work. She only needs view access. I believe the above group would cover it. Specifically, some of the workflows she needs to be able to do (and needs this access for):

  • Lookup private information such as user email addresses, usernames, and authentication dates for urgent Trust and Safety related matters and related investigations.
  • Query webserver logs for private information such as IPs that have viewed certain pages.

Sarah has already signed L3 as SKaram-WMF. The Trust and Safety team is under @JanWMF's portfolio. Jan, could you confirm/approve this request by commenting here?

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

Event Timeline

Added the public key. Thank you all!

Hi, I'm on clinic duty this week. Regarding your ssh key, do you prefer not to use RSA? See https://security.stackexchange.com/questions/90077/ssh-key-ed25519-vs-rsa. Generally I'd recommend ed25519, but if you for any reason prefer RSA with a long enough key length, that would work too.

Hi, thank you for the suggestion. I've replaced it with the ed one. Thank you!

I confirm the key is not used in WMCS.

Pinged user for out of band key verification

Thanks!

@SKaram-WMF just to confirm, do you need SSH access or only dashboards and such? Thanks!

My bad, I see you requested Kerberos, so presumably yes 😅

Change #1198325 had a related patch set uploaded (by Kamila Součková; author: Kamila Součková):

[operations/puppet@production] admin: add skaramwmf to analytics-private-data-users

https://gerrit.wikimedia.org/r/1198325

Change #1198325 merged by Dzahn:

[operations/puppet@production] admin: add skaramwmf to analytics-private-data-users

https://gerrit.wikimedia.org/r/1198325

Dzahn claimed this task.
Dzahn subscribed.

@SKaram-WMF @Nahid The access should work now. Feel free to try it out and let us know if there are any issues.

Hey all - Thanks for attending to this task. I am re-opening the task, but please let me know if it needs a new ticket. Sarah is getting the error [Permission denied (public key)] when connecting to the server. I think I have pinpointed the issue. It looks like the dot < . > at the end of the public key is missing in the patch. The dot is actually part of the key.

There is a space before the dot in the key as pasted in the task description. The key encoding does not allow spaces, so if the dot is part of the key, then the key as pasted cannot be correct. Can you please paste the correct key?

Thanks.

The first space character separates the key from the comment field. It should work with or without the comment field though.

To debug I recommend first verifying if a direct connection to one of the bastion hosts (https://wikitech.wikimedia.org/wiki/Bastion) works.

And, to rule out issues with the SSH agent, which are relatively common, point to the key on the command line. Furthermore, specify the user name to rule out other config issues.

So all together, something like this:

ssh -i /path/to/private_key skaramwmf@bast1003.wikimedia.org

If that works but other things don't work then it's an issue with the local ssh config and/or loading the key into the agent.

If that also does not work, please add some -vvv to the command and post the result.
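The key-versus-comment question discussed above can be checked mechanically. The following is an added example, not part of the original task or of Wikimedia's tooling: it parses an OpenSSH public key line, treats everything after the second field as the comment, and compares SHA256 fingerprints. The sample key is constructed from fixed bytes, all function and constant names are hypothetical, and `authorized_keys` option prefixes are not handled.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> dict:
    """Parse '<type> <base64-blob> [comment]' and fingerprint the blob."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    # validate=True rejects any character outside the base64 alphabet.
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type as its first wire-format string.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the blob")
    if key_type == "ssh-ed25519" and len(blob) != 4 + n + 4 + 32:
        raise ValueError("ed25519 blob has the wrong length")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "comment": comment, "fingerprint": fingerprint}


def same_key(line_a: str, line_b: str) -> bool:
    """True when both lines carry the same key, whatever their comments."""
    fp_a = parse_pubkey_line(line_a)["fingerprint"]
    return fp_a == parse_pubkey_line(line_b)["fingerprint"]


# Constructed sample key (not a real credential): 32 fixed bytes.
SAMPLE_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode()

AS_PASTED = f"ssh-ed25519 {SAMPLE_B64} ."    # " ." lands in the comment field
WITHOUT_COMMENT = f"ssh-ed25519 {SAMPLE_B64}"
DOT_ATTACHED = f"ssh-ed25519 {SAMPLE_B64}."  # "." is not a base64 character

if __name__ == "__main__":
    print(parse_pubkey_line(AS_PASTED))
    print("same key:", same_key(AS_PASTED, WITHOUT_COMMENT))
```

Running `ssh-keygen -lf` on a `.pub` file prints a fingerprint in the same `SHA256:` form, which makes it easy to compare a deployed key against the one the client actually offers.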

Thank you for the pointer, @Dzahn. And thank you, @Raine. Sarah and I had a call, and this works now. Apologies, it was a misconfiguration issue: it was configured with an old RSA key.