@gsingers Please review and approve if you are fine with it.

Approved.

Hi Leila,

I'm the SRE clinic duty person this week :)

When looking at this task, i noticed a few odd things:

• The wikitech user leila doesn't have a wikimedia.org email address set: https://ldap.toolforge.org/user/leila
  • If this is the wikitech user you are using, can you update it to your wikimedia.org email, please?
• There are 2 other wikitech users which _do_ use leila@wikimedia.org. If these are not in use, is it ok to remove them?
  • https://ldap.toolforge.org/user/labello
  • https://ldap.toolforge.org/user/leizi
• You seem to already have a shell account (https://github.com/wikimedia/puppet/blob/production/modules/admin/data/data.yaml#L1476-L1484)
  • This account has an ssh key associated with it. Do you still have access to that old key? If not we can replace it with the new key.
  • The account is in the analytics-privatedata-users group. Is that the access you need?

In T264472#6517631, @Kormat wrote:

Hi Leila,

I'm the SRE clinic duty person this week :)

lovely. thanks for helping me. :)

When looking at this task, i noticed a few odd things:

• The wikitech user leila doesn't have a wikimedia.org email address set: https://ldap.toolforge.org/user/leila
  • If this is the wikitech user you are using, can you update it to your wikimedia.org email, please?
• There are 2 other wikitech users which _do_ use leila@wikimedia.org. If these are not in use, is it ok to remove them?
  • https://ldap.toolforge.org/user/labello
  • https://ldap.toolforge.org/user/leizi

hmm. this is bad. So here is how I'd like to clear this up, thanks for your help:

• let's keep leila separate from leila@wikimedia. I use that for the volunteer work I do and I'd rather not have it mixed.
• labello: please remove it. (it's a cute username though.;)
• leizi can remain my wmf wikitech account.

• You seem to already have a shell account (https://github.com/wikimedia/puppet/blob/production/modules/admin/data/data.yaml#L1476-L1484)
  • This account has an ssh key associated with it. Do you still have access to that old key? If not we can replace it with the new key.

Yes. actually I only need the SSH key replaced, perhaps. (I don't have access to the old key.) (I understand that this means my shell account name will be different than my wmf wikitech username. I can live with this inconsistency.)

• The account is in the analytics-privatedata-users group. Is that the access you need?

That plus researchers.

Thank you!

I know that it seems strange but the researchers group is not needed for you @leila, it is an old one that we'll deprecate :)

Hi Leila,

Thanks for your reply, things are a lot clearer now :)

The existing shell account is associated with your volunteer wikitech account (User:Leila). After some discussion with my colleagues, the best way to proceed at this point is to mark that shell account as closed, and create a new one that's associated with your wmf wikitech account (User:Leizi). What is your preferred name for this new shell account? It needs to be different than leila, unfortunately.

I've sent you a message on gchat to confirm the ssh key with you.

You are already a member of the analytics-privatedata-users group, but it looks like a requirement for a kerberos authentication principal has been added in the meantime (https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Access_Groups). Given the circumstances, i'll create the principal for you once you've confirmed your preferred shell account name :)

@elukey ok. :)

@Kormat let's go with leizi. Thanks! :)

Change 632726 had a related patch set uploaded (by Kormat; owner: Kormat):
[operations/puppet@production] admin: Replace leila with leizi

https://gerrit.wikimedia.org/r/632726

@leila: Ok, we're almost ready to go. The only remaining thing is to confirm your ssh key over a medium we have more confidence in (due to the sensitive nature of production access). I've sent you a message on google chat, and on WMF slack. If you can reply to either of those with your ssh public key, then I can submit https://gerrit.wikimedia.org/r/632726 and you'll be good to go.

I've created your kerberos principal earlier today, you should receive an email telling you how to set the password for it.

Cheers :)

@Kormat thanks. I just confirmed the ssh key through the slack message I had received about it.

Change 632726 merged by Kormat:
[operations/puppet@production] admin: Replace leila with leizi

https://gerrit.wikimedia.org/r/632726

@leila: Your access should now be active. Please let me know if you run into any issues.

I've opened a couple of subtasks to cover cleanup of the old state.

The "leila" account also needs to be removed from the wmf LDAP group.

In T264472#6531651, @MoritzMuehlenhoff wrote:

The "leila" account also needs to be removed from the wmf LDAP group.

Good catch, done.

In T264472#6525167, @Kormat wrote:

I've created your kerberos principal earlier today, you should receive an email telling you how to set the password for it.

@leila have you received the email with the kerberos temporary password? If so you should follow up and change it (see https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Authenticate_via_Kerberos)

@elukey I did receive the kerberos temp password and just changed it. thanks!

Is this fully done?