
Requesting access to analytics-privatedata-users & Kerberos identity and wmf LDAP group for GWeld
Closed, Resolved / Public / Request

Description

Requestor provided information and prerequisites

Complete ALL items below as the individual person who is requesting access:

  • Wikimedia developer account username: GWeld @GWeld
  • Email address: gweld@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoH6yj5ZBS5sR4WrCFUsYLJIgaMAZzlweb/KpyzYD33 galen@wmf3836
  • Requested group membership:
    • analytics-privatedata-users
    • wmf LDAP group
    • Kerberos identity (level 3)
  • Reason for access: new staff member (Research Scientist on Applied Science team)
  • Name of approving party (manager for WMF/WMDE staff): Miriam Redi @Miriam
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document:
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: developer account username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • The provided SSH key has been confirmed out of band and is verified not being used in WMCS.
  • Access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • Access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Marostegui subscribed.

@GWeld for the wmf ldap group please check: https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups/Request_access#Using_the_Wikimedia_Identity_Management_System
Also please coordinate the manager approval for this access request.

Marostegui triaged this task as Medium priority. May 8 2026, 5:13 AM
Marostegui moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.

@Marostegui @GWeld this is approved on my end, thank you!

Change #1285413 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: add user gweld with shell access, analytics-privatedata and kerberos

https://gerrit.wikimedia.org/r/1285413

Confirmed user in LDAP and Dayforce.

Group approver not needed because user is wmf staff.

Used the key that was already verified by Manuel.

Patch uploaded for review.

Dzahn changed the task status from Open to In Progress. May 8 2026, 5:07 PM

Thanks Daniel. I'm out Monday for on-call compensation, so I can merge Tuesday if you don't want to do it yourself on Monday.

Thanks a lot.

Change #1285413 merged by Dzahn:

[operations/puppet@production] admin: upgrade user gweld to shell, analytics-privatedata and kerberos

https://gerrit.wikimedia.org/r/1285413

No problem, Manuel. With your +1 I merged and deployed it.

Then I created the Kerberos principal.

[krb1002:~] $ sudo manage_principals.py create gweld --email_address=gweld@wikimedia.org
Principal successfully created. Make sure to update data.yaml in Puppet.
Successfully sent email to gweld@wikimedia.org

@GWeld Please check your email. You should have received one about setting up the Kerberos. ^

Other than that, this is resolved now. You have been added as requested.

Dzahn claimed this task.