Add Kelton Hurd to deployment and analytics-privatedata-users groups
Closed, Resolved, Public

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

  • Wikitech username: KHurd1
  • Email address: khurd@wikimedia.org
  • SSH public key (must be a separate key from Wikimedia cloud SSH access): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtgHw4rO9V8nK9jQnLxFMi37cal2FVuzL6XDj4hYxOP khurd@wmf3229
  • Requested group membership: analytics-privatedata-users (@odimitrijevic / @Ottomata)
  • Reason for access: new security engineer who will need access for IR research
  • Name of approving party (manager for WMF/WMDE staff): @Jcross
  • Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: Done!
  • Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
  • User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
  • access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
  • access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml
  • merge patchset for access

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Event Timeline

Marostegui changed the task status from Open to Stalled. Nov 29 2022, 6:35 AM
Marostegui triaged this task as Medium priority.
Marostegui subscribed.

Missing a few fields so far.

Hello @sbassett, I see we are still missing some input here, any updates?

Correct. We've got the wikitech username/shell name now (I've updated the task description) but @KHurd-WMF still needs to create a request for shell access (see parent task) and then their key pair.

Hi all,

I apologize for the latency, I will be working on this today.

Thanks teammates,

Kelton Hurd
Wikimedia Foundation - Security team
khurd@wikimedia.org

{F35864439}

Approved.

This looks like ssh + kerberos access too.

Yes.

@KHurd-WMF your private key was disclosed. Please make sure to generate another pair of private/public keys.

We are aware of this and I believe they already have. The public key currently within the task description should not correspond to the exposed private key.

Excellent! Thank you for clarifying it!

Yes, sorry for my noobness. That is a new key.

Everything should be completed on my end, at this point.

BCornwall changed the task status from Stalled to In Progress. Dec 21 2022, 7:33 PM
BCornwall claimed this task.
BCornwall updated the task description.

Change 870708 had a related patch set uploaded (by BCornwall; author: BCornwall):

[operations/puppet@production] admin: Add kelhurd to analytics-privatedata-users

https://gerrit.wikimedia.org/r/870708

Change 870708 merged by BCornwall:

[operations/puppet@production] admin: Add kelhurd to analytics-privatedata-users

https://gerrit.wikimedia.org/r/870708

Is anything left to do for this ticket?

Just for @KHurd-WMF to confirm they can shell into the stat machines. But nothing from SRE/Analytics, no.

Jelto added subscribers: BCornwall, Jelto.

@KHurd-WMF does your access work as expected (like SSH into stat machine)? Feel free to close the task.

Hey @Jelto, I've been working with Scott Bassett on trying to gain access. Unfortunately, I am not able to log in at this time. We've tried the usernames khurd and khurd1; both prompt for a password when attempting to log in to stat1007. Please assist; if you need any printouts, let me know.

According to the change the username should be kelhurd. Does this work for you (both access-wise and naming-wise)? Renaming a shell user is possible, but quite a bit of work.

Ah, thank you @Jelto, that's what I needed to know. That username allowed me to login.

@Ottomata can I have you add me to kerberos on stat1007 please?

Done, you should have an email at khurd@wikimedia.org with instructions.

Everyone, you all are awesome. Thank you for all the help and assistance. I will close this ticket!

Change 890848 had a related patch set uploaded (by JMeybohm; author: SBassett):

[operations/puppet@production] Revert "admin: Add kelhurd to analytics-privatedata-users"

https://gerrit.wikimedia.org/r/890848

Change 890848 merged by JMeybohm:

[operations/puppet@production] Revert "admin: Add kelhurd to analytics-privatedata-users"

https://gerrit.wikimedia.org/r/890848

Change 893992 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Readd kelhurd to LDAP access table

https://gerrit.wikimedia.org/r/893992

Change 893992 merged by Muehlenhoff:

[operations/puppet@production] Readd kelhurd to LDAP access table

https://gerrit.wikimedia.org/r/893992