
Grant Hal deployment rights
Closed, Resolved · Public

Description

Hal (@Htriedman) needs to be able to deploy airflow jobs, and so needs to be in the deployment posix group.

User name is htriedman as defined here.

Event Timeline

@thcipriani you're the approver for the deployment group, are you happy for me to add @Htriedman to it, please?

You sure that's the correct group? The deploy_airflow keyholder key can be accessed by the following groups:

# Shared deploy ssh key for Data Engineering maintained
# Airflow instances. For now, all admins of Airflow instances
# can deploy any Airflow instance.
deploy_airflow:
  trusted_groups:
    - analytics-deployers
    - research-deployers
    - platform-eng-deployers
    - airflow-search-admins

Happy to hold off until we're sure what the correct group is :)

^ +1 deployment group is for MediaWiki deployment.

All the groups @taavi listed can deploy /srv/deployment/airflow_dags via scap.

Probably analytics-deployers is the right group for this given @Milimetric is here :)

If that seems right to @Milimetric then there's no approval listed for that group, but it probably makes sense to defer to analytics-admins approvers (given they're the only ones in that group currently)—@odimitrijevic and @Ottomata

Which airflow instance does Hal need to deploy / have access to? This will dictate which group he should be in! Is it airflow-research? If so, then this would be the analytics-research-admins group. If analytics, this would be the analytics-admins group, but analytics-admins also grants sudo -u hdfs powers.

Hal needs to deploy to the platform-eng Airflow instance. So he needs platform-eng-deployers?

That's the correct group, yes (although per the comment in https://github.com/wikimedia/operations-puppet/blob/production/hieradata/role/common/deployment_server/kubernetes.yaml#L113 this currently allows deploying to all Airflow instances)

Yes, and that's okay.

The group Hal should be in then is analytics-platform-eng-admins (which is included in platform-eng-deployers).

Approved.

@Ottomata We currently lack an "approval" entry list for that group, should that be the group of people currently approving PE-related things (like https://github.com/wikimedia/operations-puppet/blob/production/modules/admin/data/data.yaml#L435) or should this be you and Olja like for other Data Engineering services?

Hm, that group (as well as analytics-research-admins) gives some sudo rights to a system user (analytics-platform-eng) that does have analytics-privatedata-users access, so I think it does require approval from Olja or me. Probably would also be good to have approval for that from someone in Platform Eng too, but I'm not sure who. Maybe @hnowlan?

We don't have double approval for any other group, I'm wondering if that's really necessary? From my PoV the combination of owner approval (Olja/you) and the manager signoff of the requesting person seems totally fine. The approving manager will be aware of why the person needs that access anyway.

Okay, we can be approvers then.

I don't really know much about that group unfortunately but based on the group's appearance and the git history I don't think approval from me should be needed.

Change 899653 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add approvers for analytics-platform-eng-admins

https://gerrit.wikimedia.org/r/899653

Change 899653 merged by Muehlenhoff:

[operations/puppet@production] Add approvers for analytics-platform-eng-admins

https://gerrit.wikimedia.org/r/899653

@Ottomata @odimitrijevic With the approval sorted out this needs your approval, then.

Change 901614 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add htriedman to analytics-platform-eng-admins

https://gerrit.wikimedia.org/r/901614

@Htriedman This also needs approval by your manager on task, then we're good to merge https://gerrit.wikimedia.org/r/901614

@Jcross asking for approval from you — I need these rights in order to deploy DP scripts that will run on a schedule on airflow

Change 901614 merged by Muehlenhoff:

[operations/puppet@production] Add htriedman to analytics-platform-eng-admins

https://gerrit.wikimedia.org/r/901614

MoritzMuehlenhoff claimed this task.

@Htriedman Your access has been enabled (it will take up to 30 minutes to have the change reach all servers), please reopen if you run into any issues.

@MoritzMuehlenhoff Sorry if this is a silly question, but I've been trying to run commands as analytics-platform-eng on stat machines by using sudo -u analytics-platform-eng <cmd>... and am being prompted for my user password — I don't recall ever having used a password to access my stat machines, and it's not any password I can remember. Do you know where I might be able to go for those credentials?

Hi @Htriedman and @MoritzMuehlenhoff,

The answer to this riddle is that while the special user "analytics-platform-eng" exists on all stat* machines, the admin group analytics-platform-eng-admins, which gives the sudo privileges to run any command AS the special user analytics-platform-eng, exists only on airflow* machines.

So the group is only here:

sudo cumin -x 'an*' 'grep analytics-platform-eng-admins /etc/group'

===== NODE GROUP =====
(3) an-airflow[1003-1004].eqiad.wmnet,an-launcher1002.eqiad.wmnet
----- OUTPUT of 'grep analytics-p...dmins /etc/group' -----

But the special system user is on basically every an* and stat* host.

@Htriedman I think this comes down to a new access request like "add analytics-platform-eng-admins on stat* hosts".
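The diagnosis above, worked through as an added example (this is not code from the task or from operations/puppet): the same "%group" sudoers rule is evaluated against two constructed /etc/group excerpts, one shaped like an an-airflow host where analytics-platform-eng-admins exists, one shaped like a stat host where only the system user's own group exists. The GIDs, the member lists, the exact sudoers line and the single-space field layout it relies on are all assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not code from the task or from operations/puppet.
# Emulates how sudo resolves a "%group" rule on two hosts that share one sudoers
# fragment but differ in /etc/group, which is the situation described in the thread.
# The /etc/group excerpts, GIDs, member lists and the sudoers line are constructed.

# Constructed /etc/group excerpt for an an-airflow host: the admin group exists here.
AIRFLOW_GROUPS='analytics-platform-eng:x:915:
analytics-platform-eng-admins:x:916:htriedman,ottomata'

# Constructed /etc/group excerpt for a stat host: only the system user's group exists.
STAT_GROUPS='analytics-platform-eng:x:915:'

# Assumed sudoers fragment granting the admin group the right to run anything as the
# system user (sudoers(5) syntax; fields separated by single spaces for the parser below).
SUDOERS='%analytics-platform-eng-admins ALL = (analytics-platform-eng) NOPASSWD: ALL'

# sudo_rule USER TARGET GROUPFILE SUDOERS
# Prints "nopasswd" when a NOPASSWD %group rule for TARGET covers a group USER is a
# member of in GROUPFILE, "passwd" when a matching rule lacks NOPASSWD, and "none" when
# no rule applies. With "none", sudo treats the caller as unprivileged; by default it
# still asks for a password before refusing, which is the prompt seen on the stat hosts.
sudo_rule() {
    user=$1; target=$2; groupfile=$3; sudoers=$4
    printf '%s\n' "$sudoers" | awk -v u="$user" -v t="$target" -v groupfile="$groupfile" '
        BEGIN {
            # Collect the groups USER belongs to on this host from the /etc/group text.
            n = split(groupfile, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                m = split(f[4], members, ",")
                for (j = 1; j <= m; j++) if (members[j] == u) mine[f[1]] = 1
            }
            result = "none"
        }
        # Only %group rules are considered; the runas field must name TARGET exactly.
        /^%/ && $4 == ("(" t ")") {
            g = substr($1, 2)
            if (g in mine) result = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "passwd"
        }
        END { print result }'
}

# Stand-alone demonstration: same user, same rule, different host.
for host in an-airflow1004 stat-host; do
    case $host in
        an-airflow*) groups=$AIRFLOW_GROUPS ;;
        *)           groups=$STAT_GROUPS ;;
    esac
    printf '%s: sudo -u analytics-platform-eng as htriedman -> %s\n' \
        "$host" "$(sudo_rule htriedman analytics-platform-eng "$groups" "$SUDOERS")"
done
```

On a real host the equivalent check is `sudo -l -U <user>` (or plain `sudo -l` for yourself), which lists the rules that apply there; `getent group analytics-platform-eng-admins` shows whether the group is present at all. Both are what `cumin` was used for above, host by host.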

Or ssh to an-airflow1004 and run your sudo cmd there :)

@Dzahn Thank you so much for the help explaining this! Makes a ton of sense, and I'll create that ticket soon.

@Ottomata Unfortunately I'm trying to get something from hdfs and publish it to /srv/published on a stat machine, so sshing to an-airflow1004 won't work.

Thanks both for the suggestions!