
Request for access to stat1003 for Sam Tarling
Closed, Resolved · Public

Description

Hi all, I'd like access to the ExternalLinksChange data on stat1003 per T115119 for the purposes of building a tool I've been discussing with @Samwalton9.

Full name: Samuel Tarling
Instance shell account name: samtar

Public key:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "samtar-wmf-stat1003"
AAAAB3NzaC1yc2EAAAABJQAAAQEAthC8yN9ImF+F6DQsI4GqYdAKhEtwfZ/+S7xB
g2V5Kz5LLrN/KWUN9uiKsUZJfyl2xD12mpu5Mf3nU7c9QoSyZz40Z2GCN/J3IsYL
I+6bPFKM7iA65lWHkWcX93JBH0QBlvua9wOAEMMndzeZrloVzJW3PwDa42UikznW
YSyoaF60L6eEh+cUs91zZk14GS1gpD+5h+99nzNlBBmgv5aTv53q5JqzdaWXA83X
7sZAjQNfLjpT1EDna0z97Agt7DKcKhHbhJqQ67EEZyVH66DtaoNod2cgn0Os74MD
X6aNXu69u4pBxGHD7Oh/TY63kY9sB6pHuZ44X5iC2RbhvKSBjw==
---- END SSH2 PUBLIC KEY ----

Event Timeline


I'm on ops clinic duty this week, so I'll process this request on the ops side of things.

@Samtar: Would you be able to review https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups and identify which specific user groups you would need access to? It seems like you need 'statistics-users' but I want to ensure that is correct before I prepare the patchset. Since that user group doesn't include private data, there doesn't appear to be any need for an NDA for that access. (If it ends up requiring private data access, then an NDA is likely required.)

I apologize for not knowing in advance, but it appears you are a volunteer, not staff, which is why I mention the NDA item above. If you are staff, we would request your manager to approve the shell access request. As a volunteer, we typically try to get the endorsement of a staff member. Since you mentioned you are working on this with @Samwalton9, I'm going to assume they are ideal for the endorsement.

Once you are able to confirm the groups needed from the above link, please assign this to @Samwalton9 for feedback.

@Samwalton9: Would you please review and attach your endorsement for this request?

Please assign this task back to me for implementation once the above is done, thanks!

The same key in OpenSSH format:

$ ssh-keygen -f STarling -i
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAthC8yN9ImF+F6DQsI4GqYdAKhEtwfZ/+S7xBg2V5Kz5LLrN/KWUN9uiKsUZJfyl2xD12mpu5Mf3nU7c9QoSyZz40Z2GCN/J3IsYLI+6bPFKM7iA65lWHkWcX93JBH0QBlvua9wOAEMMndzeZrloVzJW3PwDa42UikznWYSyoaF60L6eEh+cUs91zZk14GS1gpD+5h+99nzNlBBmgv5aTv53q5JqzdaWXA83X7sZAjQNfLjpT1EDna0z97Agt7DKcKhHbhJqQ67EEZyVH66DtaoNod2cgn0Os74MDX6aNXu69u4pBxGHD7Oh/TY63kY9sB6pHuZ44X5iC2RbhvKSBjw==

@RobH no problems from me! I'm a part-time contractor so consider this endorsed if I'm able to do so, but if not @Ocaasi_WMF should be happy to.


It can't hurt (to have @Ocaasi_WMF endorse)!

@RobH 'statistics-users' seems to be what I need! I'll assign this to Ocaasi for endorsement :-)


This does need an NDA. @Samtar, can you please provide a contact email address? Someone from Legal will get in touch with you for that.

I stand corrected.

So this access request still has two items outstanding:

Once those are done, we can process the shell request.

Thanks!

The NDA for Samtar has been signed and is on file with legal. Thank you!

@RStallman-legalteam: Thanks!

If we can get endorsement from @Ocaasi_WMF and then have this assigned back to me, I'll merge access live.

@Samtar: I forgot one more thing. New requirements mean we need to list an email account with the new shell account. What email address would you like used?

Additionally, this also has a 3 day waiting period. Your access (barring objections on this task) should merge live this Friday.

@RobH Awesome, thank you - [email protected] would be my preferred email to be listed

Change 336875 had a related patch set uploaded (by RobH):
Sam Tarling shell access statistics-users

https://gerrit.wikimedia.org/r/336875

RobH changed the task status from Open to Stalled. Feb 9 2017, 7:45 PM
RobH triaged this task as Medium priority.

I've prepared the patchset and it is ready for merge as long as no objections are noted on this task.

I'll merge first thing tomorrow in my AM, as today is the last day of the 3 day wait. Stalling until then.

Change 336875 merged by RobH:
Sam Tarling shell access statistics-users

https://gerrit.wikimedia.org/r/336875

RobH removed RobH as the assignee of this task.

Ok, access has been merged live. It'll take ~30 minutes for the user addition to filter through all the bastions plus stat1003.

@RobH looks like there may have been an issue with the patch. The above converted public key and the added key to https://gerrit.wikimedia.org/r/#/c/336875/3/modules/admin/data/data.yaml do not match.

/J3IsYLI+6bPFKM7 => /J3IsYLI6bPFKM7, 14GS1gpD+5h+99nzNlBBm => 14GS1gpD5h99nzNlBBm

I'm having my key rejected and I imagine it's probably down to this?

Change 337379 had a related patch set uploaded (by Muehlenhoff):
Update SSH for Sam Tarling

https://gerrit.wikimedia.org/r/337379

Change 337379 merged by Muehlenhoff:
Update SSH for Sam Tarling

https://gerrit.wikimedia.org/r/337379

@Samtar : There was a copy&paste error in the patch to add your key, please try again.
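A check that catches this kind of copy-and-paste damage before a key is merged, as an added example that is not part of the ticket or of the project's tooling: it converts an SSH2 (RFC 4716) block to its base64 blob, verifies the blob's length-prefixed structure, and compares fingerprints of the submitted and deployed keys. The function names and the sample key are constructed for illustration; the sample is structurally valid but not a real key.

```python
import base64, binascii, hashlib, struct

def rfc4716_to_b64(text):
    """Join the base64 body of an SSH2 block (headers assumed to be single-line)."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    return "".join(ln for ln in lines
                   if ln and not ln.startswith("----") and ":" not in ln)

def parse_blob(b64):
    """Decode a key blob and walk its length-prefixed fields; ValueError if damaged."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    fields, pos = [], 0
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", raw[pos:pos + 4])
        pos += 4
        if pos + size > len(raw):
            raise ValueError("field runs past end of blob")
        fields.append(raw[pos:pos + size])
        pos += size
    if not fields:
        raise ValueError("empty blob")
    return raw, fields

def fingerprint(b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    raw, _ = parse_blob(b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def same_key(submitted_b64, deployed_b64):
    """True only if both blobs are intact and identical."""
    try:
        return fingerprint(submitted_b64) == fingerprint(deployed_b64)
    except ValueError:
        return False

# Constructed sample: "ssh-rsa", exponent 65537, filler bytes as the modulus.
def _field(data):
    return struct.pack(">I", len(data)) + data

SAMPLE_BLOB = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(b"\x00" + bytes(range(128, 256)) * 2)
GOOD_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SSH2 = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed-sample"',
                         *[GOOD_B64[i:i + 64] for i in range(0, len(GOOD_B64), 64)],
                         "---- END SSH2 PUBLIC KEY ----"])
DROPPED_TWO = GOOD_B64[:60] + GOOD_B64[61:90] + GOOD_B64[91:]  # two characters lost in pasting
```

Losing a multiple of four characters can still decode as base64, which is why the field walk runs in addition to the decode.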

RobH removed RobH as the assignee of this task.

[fingers crossed this is the last time I reopen this!] Completely my fault, I didn't realise I would need access to /etc/mysql/conf.d/research-client.cnf which is granted by researchers. I only need access to stat1003 and research-client.cnf and by the principle of least privilege researchers is the only appropriate user group. I've confirmed with @Samwalton9 that this would allow access to the EventLogging data.

Please change my access group from statistics-users to researchers

Change 337445 had a related patch set uploaded (by RobH):
correct samtar's stat1003 access

https://gerrit.wikimedia.org/r/337445

Change 337445 merged by RobH:
correct samtar's stat1003 access

https://gerrit.wikimedia.org/r/337445

RobH claimed this task.

I've merged the requested change and puppet has run on stat1003. This should be working at this time.

I'm reopening this task, because it turns out I made a mistake when we first set up Sam Tarling's account.

During the process, we now have expiry date and notification fields for all non-staff who sign an NDA. As such, we need to put that refresh/end date in our access controls, so when it nears, that account will be flagged for review.

For Sam's access, I need to know that date and who at WMF should get the email. On another task, @RStallman-legalteam was able to provide, perhaps she can on this as well? (If not, sorry to bug you!)

I chatted with @RStallman-legalteam about this, and Sam Tarling's NDA doesn't actually have an expiry date.

I'm not sure if we want to put users in with no expiry, and no review process for expiry/use, or if some other auditing for account use is planned. Since this seems like a Moritz question, I've assigned this task to him.

Moritz: Should Sam's access in data.yaml have any kind of expiry noted when the volunteer NDA doesn't have one? (I'd assume having one would trigger a review of the access and if it is still needed, which is a plus, but it may not be the intended use of the expiry field in data.yaml.)

@RobH: Yes, having his entry in data.yaml without an expiry date is just fine, all volunteers have that. The expiry date is only needed for accounts where it's foreseeable that someone will finish a task within a given time frame (like a research project requiring access to PII data, GSoC internship, short term contractor).

Thanks! I just wanted to make sure (and having it on a task now for reference makes future triage of new accounts easier.)

Thank you =]