[14:21:01] <average_1rifter>	 hello !
[14:21:16] <average_1rifter>	 if anyone is interested in my current progress or what I'm working on, please add this page to your watchlist
[14:21:19] <average_1rifter>	 http://www.mediawiki.org/wiki/User:Spetrea
[14:21:43] <average_1rifter>	 if anyone is interested in my current progress or what I'm working on, please add this page to your watchlist
[14:21:46] <average_1rifter>	 http://www.mediawiki.org/wiki/User:Spetrea
[14:21:54] <average_1rifter>	 anytime you find yourself asking the question "I wonder what Stefan is doing ?" you can just check that page
[16:17:14] <louisdang>	 Drdee around?
[16:21:01] <ottomata>	 i think he's on an airplane
[16:21:06] <louisdang>	 K
[16:39:40] <average_1rifter>	 It wouldn't hurt if I knew some R
[16:39:47] <average_1rifter>	 but I don't :|
[16:41:44] <erosen>	 average_1rifter: don't have context for your desire to know R, but I will say that Python Pandas has been a pretty nice experience and has basically the same functionality, plus being in python
[16:48:27] <average_1rifter>	 erosen: I need to do various charts. I'm not tied down to any language or framework
[16:48:29] <average_1rifter>	 I know some Python too
[16:48:47] <average_1rifter>	 but right now I'm a bit tied down to js & perl to do them
[16:48:59] <erosen>	 i see
[16:49:06] <erosen>	 i bet there is a decent js lib somewhere
[16:49:13] <erosen>	 but don't know of one myself
[16:49:29] <average_1rifter>	 erosen: can Panda render in HTML ?
[16:49:31] <average_1rifter>	 or SVG ?
[16:49:46] <average_1rifter>	 or Canvas or using some 3rd party js lib for charting ?
[16:49:54] <erosen>	 it is part of the a suite of tools know as pydata I belive
[16:49:55] <erosen>	 e
[16:50:03] <erosen>	 it uses matplotlib to plot
[16:50:09] <erosen>	 and i'm pretty sure you can render to almost anything
[16:50:42] <erosen>	 I've also heard of a d3 interface
[16:50:55] <average_1rifter>	 that d3 interface would make my eyes glow
[16:51:44] <erosen>	 this seems pretty legit
[16:51:44] <erosen>	 https://github.com/mikedewar/d3py
[16:51:56] <erosen>	 and uses the PyData tools pandas and numpy
[17:01:29] <milimetric>	 ottomata - do we have a doc somewhere to configure services that want to talk to our LDAP?
[17:01:43] <milimetric>	 I wanted to get this Redmine instance I put up to do that
[17:01:48] <ottomata>	 oh yeah sorry
[17:01:49] <ottomata>	 barely
[17:01:52] <ottomata>	 where is it hosted?
[17:01:57] <milimetric>	 labs
[17:02:11] <ottomata>	 (i'm working on ldap stuff right now too :p )
[17:02:12] <ottomata>	 um
[17:02:22] <ottomata>	 i had to ask Ryan Lane for most of the details
[17:02:25] <ottomata>	 but let's see...
[17:02:27] <milimetric>	 in windows world i used to just use a basic account that had read access
[17:03:17] <ottomata>	 here are some helpful details: https://github.com/wikimedia-incubator/operations-puppet/blob/analytics/modules/kraken/manifests/hue.pp
[17:04:23] <milimetric>	 ah cool, at first look that's all I need
[17:04:29] <milimetric>	 I'll bug you if there's other stuff
[17:04:31] <milimetric>	 thanks!
[17:04:34] <ottomata>	 yup!
[17:13:03] <milimetric>	 OK, ottomata, two questions:
[17:13:03] <milimetric>	 Is the port 636 on ldaps://virt0.wikimedia.org?
[17:13:03] <milimetric>	 Any idea what the first name / last name / email attributes are?  uid is the username attribute for example
[17:14:37] <average_1rifter>	 brb 50m
[17:16:24] <ottomata>	 hmmmmmmmmmm
[17:16:29] <ottomata>	 i think you can perform a search against those
[17:16:35] <ottomata>	 i think you can do it anonymously
[17:16:37] <ottomata>	 errggggh
[17:16:37] <ottomata>	 using
[17:16:39] <ottomata>	 ldapsearch
[17:17:05] <ottomata>	 checking...
[17:17:16] <ottomata>	 oh maybe you can't do it anonymously
[17:17:17] <ottomata>	 i thought you could
[17:17:18] <ottomata>	 hmmm
[17:18:25] <ottomata>	 i'm not sure
[17:18:33] <ottomata>	 ok there is a password you need, but I don't think I can give it to you
[17:18:38] <ottomata>	 you'll have to ask Ryan Lane
[17:18:49] <ottomata>	 there is a test ldap instance though
[17:18:51] <ottomata>	 uhhhhh
[17:19:03] <ottomata>	 don't remember where it is though
[17:19:42] <erosen>	 ottomata,milimetric: whatch'y'all working on?
[17:20:29] <milimetric>	 ldap configuration for an instance of Redmine I set up
[17:21:04] <milimetric>	 I wanted to see if it was viable to modify an existing trello - like open source project.  Redmine + this plugin called Redminebacklogs looks to be the closest thing
[17:21:15] <erosen>	 nice
[17:21:22] <erosen>	 good luck
[17:22:23] <milimetric>	 ok, ottomata, thanks, I'll talk to Ryan when he's around.  Know if he's particularly busy this week?
[17:22:53] <ottomata>	 dunno :/
[17:26:16] <jeremyb_>	 grrrrrr, why doesn't oliver hang out in the right channels? :)
[17:33:54] <DarTar>	 hey milimetric
[17:33:55] <DarTar>	 hang out?
[17:34:00] <milimetric>	 hi
[17:34:06] <milimetric>	 yep, I invited your personal email
[17:34:16] <DarTar>	 k, one sec
[17:59:29] <ottomata>	 bwerp bwerp
[17:59:30] <ottomata>	 https://plus.google.com/hangouts/_/2da993a9acec7936399e9d78d13bf7ec0c0afdbc
[18:03:08] <milimetric>	 erosen - standupy?
[18:13:57] <dschoon>	 yo.
[18:13:59] <dschoon>	 scrum happening?
[18:14:01] <dschoon>	 i'm looking for diederik here
[18:14:03] <dschoon>	 but i guess he's not in yet
[18:14:14] <erosen>	 i've got a grant making meeting
[18:14:21] <erosen>	 so i'll be skipping
[18:14:33] <dschoon>	 ottomata, milimetric ?
[18:14:39] <milimetric>	 howdy
[18:14:47] <milimetric>	 yeah, you missed scrum
[18:14:48] <dschoon>	 shall we wait on scrum?
[18:14:51] <dschoon>	 oh, ok
[18:15:05] <dschoon>	 i was late anyway
[18:15:10] <dschoon>	 but there's no diederik
[18:15:11] <dschoon>	 so!
[18:15:16] <milimetric>	 diederik's in the airport
[18:15:21] <dschoon>	 ja
[18:15:22] <milimetric>	 so otto and I scrummed
[18:15:29] <milimetric>	 and erosen's gone missing, probably hunting bears
[18:15:30] <dschoon>	 coolio
[18:15:34] <milimetric>	 but like not killing them
[18:15:36] <dschoon>	 he said he has a gp meeting
[18:15:40] <milimetric>	 oh
[18:16:26] <milimetric>	 so I'm migrating Dario's dashboard and ottomata's working on LDAP-ing our stuff
[18:16:31] <dschoon>	 sweet
[18:16:36] <milimetric>	 whatcha doin?
[18:16:44] <dschoon>	 we have the security meeting tomrorow
[18:16:56] <dschoon>	 so i'm going to spend some time today doing a dry run with diederik
[18:17:01] <dschoon>	 to see if there are any loose ends.
[18:17:01] <milimetric>	 this is me live-editing notes that I need to make DarTar's graphs btw: http://etherpad.wmflabs.org/pad/p/EEDashboards
[18:17:11] <milimetric>	 and this is the repo it'll end up in: https://github.com/wikimedia/limn-editor-engagement
[18:17:20] <dschoon>	 it'd be great if people looked over https://www.mediawiki.org/wiki/Analytics/Kraken/Security_Review_Meeting
[18:17:22] <dschoon>	 cool
[18:17:31] <milimetric>	 ok, yeah, I agree that's important
[18:17:35] <milimetric>	 I'll take a look when I'm done
[18:17:57] <dschoon>	 aiight. i'm going to grab breakfast right quick
[18:18:01] <dschoon>	 bus was crazy late
[18:18:03] <dschoon>	 brb
[18:26:03] <dschoon>	 mk
[18:26:32] <ottomata>	 lunchtime!
[20:05:39] <dschoon>	 anyone have other thoughts about things i should look into and add to the security review page?
[20:06:15] <dschoon>	 I can't think of anything, but that doesn't mean much :P
[20:09:20] <ottomata>	 !log restarting namenode to test out ldap settings
[20:09:24] <ottomata>	 (dschoon, will look in a bit)
[20:09:29] <milimetric>	 dschoon - looking at it now
[20:09:31] <dschoon>	 kk
[20:09:48] <milimetric>	 maybe listing out any precautions we can take against DDOS?
[20:11:29] <milimetric>	 any access we provide to mysql slaves?
[20:11:41] <milimetric>	 how's wikihadoop do that?
[20:11:49] <dschoon>	 it imports dumps
[20:12:00] <dschoon>	 research slaves aren't in the cluster
[20:12:05] <dschoon>	 (separate questions/answers)
[20:12:49] <milimetric>	 in the data retention, are we considering cookies for anything still?
[20:13:36] <milimetric>	 ok, I gotta run to the bank, that's the only stuff that stood out to me, but I'm thinking I don't understand the audience of this meeeting.  Perhaps drafting a short description of the audience would be useful
[20:14:55] <ottomata>	 dschoon, (not looking at document), we should talk about authentication, particularly the fact that anyone that has root powers on any node that can talk to analytics1010 can pretend to be hdfs superuser
[20:15:16] <dschoon>	 hm.
[20:15:31] <ottomata>	 also, dschoon, we might have a research slave in our cluster eventually, if we need a dedicated one for sqoop
[20:15:40] <dschoon>	 ottomata: is that different from having root on any other system?
[20:15:41] <ottomata>	 so as not to intefere with analyst queries
[20:15:45] <dschoon>	 sure
[20:15:47] <ottomata>	 yes
[20:15:53] <ottomata>	 issue described well here:
[20:15:56] <ottomata>	 http://blog.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/
[20:16:04] <dschoon>	 ok, will read
[20:16:10] <ottomata>	 read the bit starting at Authorization
[20:16:22] <ottomata>	 oh
[20:16:22] <ottomata>	 sorry
[20:16:22] <ottomata>	 no
[20:16:25] <ottomata>	 authentication
[20:18:08] <dschoon>	 i will read it all :)
[20:23:17] <dschoon>	 oh. i didn't realize unix users/groups were identical with hdfs users/groups
[20:23:21] <dschoon>	 ottomata ^^
[20:23:32] <dschoon>	 is this true in mysql as well?
[20:23:52] <dschoon>	 like, even if i have a password in mysql, if i'm logged in as that user, do i automatically authenticate?
[20:24:25] <ottomata>	 no
[20:24:37] <ottomata>	 mysql is separate
[20:24:40] <ottomata>	 hdfs just decided to do that
[20:24:57] <ottomata>	 its kinda nice, because then you can rely on whatever system you already have in place for user permissions
[20:25:04] <ottomata>	 and it maps better to hdfs usage than mysql usage
[20:25:08] <ottomata>	 because hdfs is a file system
[20:25:20] <ottomata>	 and actually
[20:25:24] <ottomata>	 they aren't identical in hdfs
[20:25:38] <ottomata>	 its just the default
[20:26:00] <ottomata>	 the unix user that is currently running the hdfs command will be the user that is running in hdfs
[20:26:05] <ottomata>	 but that's it
[20:26:07] <ottomata>	 and its only based on textual username
[20:26:09] <ottomata>	 so
[20:26:26] <ottomata>	 if an 'hdfs' user is running an hdfs command
[20:26:35] <ottomata>	 hadoop will say "oh look, it is the hdfs user"
[20:26:42] <ottomata>	 and give whatever permissions are relevant for that
[20:27:09] <ottomata>	 if all commands are only run on the namenode, this isn't a problem
[20:27:23] <ottomata>	 because assumedly the hdfs user on the namenode is the correct superuser
[20:27:25] <dschoon>	 yeah, feh.
[20:27:30] <ottomata>	 but, on some remote node, who knows what it is
[20:27:42] <dschoon>	 okay.
[20:27:44] <ottomata>	 hadoop recommends kerberos to solve this problem
[20:27:52] <dschoon>	 surely there is a normal process for this?
[20:28:06] <dschoon>	 and also, users not having root helps :P
[20:28:24] <ottomata>	 ja, but this would be on any node that could talk to an10
[20:28:28] <ottomata>	 (namenode)
[20:28:35] <dschoon>	 ah.
[20:28:37] <dschoon>	 true.
[20:28:39] <ottomata>	 so maybe someone has sudo powers on some node in our system we don't know about
[20:28:43] <ottomata>	 they could create an hdfs user
[20:29:00] <ottomata>	 set up hadoop config files to point at an10 namenode
[20:29:00] <dschoon>	 yes yes.
[20:29:00] <ottomata>	 and then talk to hadoop as hdfs
[20:29:00] <ottomata>	 aye
[20:29:00] <dschoon>	 i see.
[20:29:10] <dschoon>	 the problem is that ssh doesn't mediate hadoop transactions
[20:29:24] <dschoon>	 for most applications, you need shell access on the *target* node
[20:29:33] <dschoon>	 here you do not, due to the nature of hdfs.
[20:42:11] <ottomata>	 right, exactly
[20:49:40] <ottomata>	 dschoon, in services access and needs
[20:49:46] <dschoon>	 well
[20:49:47] <ottomata>	 there are two pieces to the ldap thing
[20:49:51] <dschoon>	 sure
[20:49:54] <dschoon>	 go ahead
[20:49:59] <ottomata>	 hue uses ldap to authenticate you when you sign in
[20:50:04] <ottomata>	 but file access is done by hadoop, not hue
[20:50:04] <dschoon>	 (though you might want to just add them yourself :))
[20:50:18] <ottomata>	 i can rearrange
[20:50:27] <dschoon>	 i was going to suggest that perhaps we ACL away the ability for non-cluster nodes to connect to us?
[20:50:34] <dschoon>	 firewall off those ports
[20:50:56] <ottomata>	 yeah, i suggested that too, we can even do that ourselves via iptables
[20:51:02] <dschoon>	 i can't think of any reason that's a good idea otherwise
[20:51:03] <dschoon>	 yes.
[20:51:04] <ottomata>	 when I was talking to faidon
[20:51:05] <dschoon>	 agreed.
[20:51:07] <ottomata>	 we talked about that a bit
[20:51:18] <ottomata>	 there might be occasions we want to connect to hadoop from stat1
[20:51:20] <dschoon>	 iptables is probably smarter
[20:51:21] <dschoon>	 right
[20:51:22] <ottomata>	 but we'll deal with that when needed
[20:51:31] <dschoon>	 at least it makes it easier for us to modify
[20:51:34] <ottomata>	 yeha
[21:05:55] <dschoon>	 erosen: q about your impressive array of datasources
[21:06:01] <erosen>	 sup
[21:06:52] <dschoon>	 do your definitions of "editor" and "edit" conform to the canonical definitions in https://www.mediawiki.org/wiki/Analytics/Metric_definitions#Actors ?
[21:07:04] <dschoon>	 Do you filter bots etc?
[21:07:14] <erosen>	 yeah
[21:07:25] <erosen>	 I don't do anything super fancy with the bots
[21:07:40] <erosen>	 just the bots user_group
[21:07:48] <erosen>	 and an outdated list of global bots from ErikZ
[21:07:53] <dschoon>	 *nod*
[21:08:02] <dschoon>	 that problem in particular is hard.
[21:08:06] <erosen>	 ya
[21:08:25] <dschoon>	 also: you forgot to link to the dashboards themselves :)
[21:08:32] <erosen>	 there is a table on s1 in the "prod" db which is slated as a canonical up to date copy
[21:08:47] <erosen>	 whoops
[21:08:50] <erosen>	 i'll reply now
[21:09:51] <erosen>	 wait
[21:10:00] <dschoon>	 it's okay
[21:10:01] <erosen>	 dschoon: you mean on the message to you?
[21:10:03] <dschoon>	 no need to do anything.
[21:10:07] <erosen>	 gotcah
[21:10:07] <dschoon>	 yeah.
[21:10:11] <dschoon>	 i assume it's gp
[21:10:29] <erosen>	 yeha
[21:10:32] <erosen>	 they are all the same
[21:10:49] <erosen>	 gp-dev, gp and global-dev all use the same data repo
[21:11:10] <erosen>	 the gp-dev one just has a quick sed command run on the datasources to account for the differences in directory structure
[21:13:48] <dschoon>	 word.
[21:13:51] <dschoon>	 yeah
[21:17:02] <erosen>	 quick limn q
[21:17:08] <erosen>	 dschoon ^
[21:17:19] <dschoon>	 i'm sitting behind you, to
[21:17:20] <dschoon>	 *y
[22:48:35] <average_drifter>	 drdee: hi !
[22:49:05] <drdee>	 hi
[22:49:13] <average_drifter>	 http://stat1.wikimedia.org/spetrea/new_pageview_mobile_reports/r26-only-december-added-diagnostics-mimetype-density-barchart/pageviews.html
[22:49:21] <drdee>	 relocating to office be online in 15 minutes
[22:49:25] <average_drifter>	 the density of mimetypes 1-14dec 14-31dec
[22:49:39] <drdee>	 nice!
[22:49:43] <average_drifter>	 these are only the processed mimetypes
[22:49:49] <average_drifter>	 so the ones that passed all our filters
[22:50:28] <drdee>	 so there is massive increase in requests with mime type '-'
[22:50:39] <drdee>	 can you make a sample of a couple 1000 of such requests?
[22:50:41] <dschoon>	 drdee, ohello
[22:50:46] <drdee>	 in hotel
[22:50:50] <dschoon>	 coolio.
[22:50:51] <drdee>	 leaving now
[22:50:52] <dschoon>	 in office.
[22:51:04] <average_drifter>	 drdee: yes
[23:04:27] <ottomata>	 i'm out for the eve
[23:04:30] <ottomata>	 laters all!
[23:05:45] <dschoon>	 dieds and i are gonna get food. he hasn't had lunch
[23:05:55] <dschoon>	 (i had a smoothie)
[23:05:57] <dschoon>	 so brb!
[23:11:24] <erosen>	 milimetric: limn q
[23:11:45] <erosen>	 do you know if limn will assign colors if they are left as default
[23:11:46] <milimetric>	 hey erosen - I'm here
[23:12:11] <milimetric>	 limn currently should assign default colors if nothing is specified
[23:12:17] <erosen>	 great
[23:12:38] <milimetric>	 but there are more "if else" type statements than you'd imagine, so if you have any trouble let me know
[23:12:39] <erosen>	 i'm rewriting the graph generation (python) code and I am going to have the default not assign colors
[23:12:42] <erosen>	 and hope limn can handle that
[23:12:58] <erosen>	 sounds good
[23:17:02] <milimetric>	 k, gonna go cook dinner now.  Shoot me an email if you need me.
[23:18:36] <erosen>	 word thanks