
Requesting access to L3 data access for kimpham (developer name Kim.pham)
Closed, Resolved · Public · Request

Description

Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: Kim.pham
  • Email address: kim.pham@wikimedia.de
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBI32mUvVy41VnzSfZq3z/dLmGXN7saWm2LNWD5MRqnS prod-superset
  • Requested group membership: level 3
  • Reason for access: I would like to be in the analytics_privatedata_users level 3 group, to access data e.g. Superset and Hadoop, including querying it with Spark/Hive.
  • Name of approving party (manager for WMF/WMDE staff): @WMDE-leszek
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: yes
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet.)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform).
  • User has provided a public SSH key. This SSH key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys).
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for WMF staff).
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml.

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

I approve this request on WMDE's end. Thank you

FCeratto-WMF changed the task status from Open to In Progress. Jan 19 2026, 10:40 AM

Hello @Milimetric @Ahoelzl @Ottomata - can you please review this access request for analytics-privatedata-users? Thanks

Change #1228481 had a related patch set uploaded (by Federico Ceratto; author: Federico Ceratto):

[operations/puppet@production] admin: add pham to analytics-privatedata-users

https://gerrit.wikimedia.org/r/1228481

Change #1228481 merged by Federico Ceratto:

[operations/puppet@production] admin: add pham to analytics-privatedata-users

https://gerrit.wikimedia.org/r/1228481

FCeratto-WMF claimed this task.

Change deployed, closing task.

I don't see krb: present in the patch, so looks like this was done as level 2 instead of the requested level 3. Is this correct?

Change #1236249 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] admin: add the krb flag to the pham user

https://gerrit.wikimedia.org/r/1236249

I don't see krb: present in the patch, so looks like this was done as level 2 instead of the requested level 3. Is this correct?

Yep! I am going to add the krb credentials :)

Change #1236249 merged by Elukey:

[operations/puppet@production] admin: add the krb flag to the pham user

https://gerrit.wikimedia.org/r/1236249

elukey@krb1002:~$ sudo manage_principals.py create pham --email_address=kim.pham@wikimedia.de
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to kim.pham@wikimedia.de

@kimpham Hi! You should have received an email with a temporary Kerberos password. You can ssh to any statXXX host and run kinit to change it to a new one. You'll be required to kinit with the new password anytime you use the Hadoop cluster (launching jobs via Spark, using Hive, etc.). Lemme know if you have questions!