You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Analytics/Data access: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Milimetric
imported>Milimetric
(56 intermediate revisions by 18 users not shown)
Line 1: Line 1:
In addition to a variety of [[meta:Research:Data|publicly-available data sources]], Wikimedia has a parallel set of private data sources and infrastructure. The main reason for this is to store and provide restricted access to sensitive user data (such as the IP addresses and user agents of readers and editors, stored up to 90 days as permitted by the privacy policy), although these sources also duplicate access to non-sensitive data for ease of use.
In addition to a variety of [[meta:Research:Data|publicly-available data sources]], Wikimedia has a parallel set of private data sources. The main reason is to allows a carefully vetted set of users to perform research and analysis on confidential user data (such as the IP addresses of readers and editors) which is stored according to our [[foundation:Privacy_policy|privacy policy]] and [[metawiki:Data_retention_guidelines|data retention guidelines]]. This private infrastructure also provides duplicate copies of publicly-available data for ease of use.


To get access to this private data, you first need to have signed a non-disclosure agreement with the Wikimedia Foundation. If you're a Foundation employee, this was included as part of your employment agreement; if you're a volunteer, you'll need to demonstrate a need for these resources and find an employee who will sponsor you. This process in explained in [[Volunteer NDA|volunteer NDA article]]. If you're a researcher, you'll have to set up [[mw:Wikimedia_Research/Formal_collaborations|a formal collaboration with the Wikimedia Foundation's Research team]].
== Do you need it? ==
Private data lives in same server cluster that runs Wikimedia's production websites. Often, this means you will need [[production shell access]] to get it.


==Data sources==
However, since this access gets you closer to both those production websites and this confidential data, it is not freely given out. First, you have to demonstrate a need for these resources. Second, you need to have a non-disclosure agreement with the Wikimedia Foundation. If you're a Foundation employee, this was included as part of your employment agreement. If you're a researcher, it's possible to be sponsored through [[mw:Wikimedia_Research/Formal_collaborations|a formal collaboration with the Wikimedia Foundation's Research team]].
 
Data sets and data streams can be found in [https://wikitech.wikimedia.org/wiki/Category:Data_stream Category:Data_stream]
 
=== Data Dashboards. Superset and Turnilo (previously called Pivot) ===
Superset: http://superset.wikimedia.org
Pivot: http://pivot.wikimedia.org
 
You need a wikitech login that is in the "wmf" or "nda" LDAP groups. If you don't have it, please create a task like https://phabricator.wikimedia.org/T160662
 
Before requesting access, please make sure you:
* have a functioning Wikitech login. Get one: https://toolsadmin.wikimedia.org/register/
* are an employee or contractor with wmf OR have signed an NDA
Depending on the above, you can request to be added to the wmf group or the nda group. Please indicate the motivation on the task about why you need access and ping the analytics team if you don't hear any feedback soon from the Opsen on duty.
 
===MediaWiki application data===
You can do a lot of work with the data stored by MediaWiki in the normal course of running itself. This includes data about:
 
*Users' edit counts (consult the <code>user</code> table)
*Edits to a particular page (consult the <code>revision</code> table, joined with the <code>page</code> table if necessary)
*Account creations (consult the <code>logging</code> table)
 
==== Databases ====
You can access this data using the replica MariaDB databases.  These are accessible from the stat100* machines, as [[Analytics/Data_access#Stats_machines|detailed below]].
 
For an overview of how the data is laid out in those databases, consult the [[mediawikiwiki:Manual:Database_layout|database layout manual]].
 
There are a few things that aren't available from the databases replicas. The main example of this is the actual content of pages and revisions. Instead, you can access them [[#API|through the API]] or in the XML dumps, which are both described below.


==== API ====
=== {{Anchor|Responsibilities}}User responsibilities ===
A subset of this application data, which doesn't present privacy concerns, is also publicly accessible through the API (except for ''private'' wikis, which you shouldn't really need to perform research on anyway!). A good way to understand it, and to test queries, is [[Special:ApiSandbox]], which provides a way of easily constructing API calls and testing them. The output includes "Request URL" - a direct URL for making that query in the future, that should work on any and all Wikimedia production wikis.
You '''must''' remember this access is extremely sensitive. '''You have a duty to protect the privacy of our users'''. As Uncle Ben says, "with great power comes great responsibility." Always follow the rules outlined in the [[phab:L3|Acknowledgement of Server Access Responsibilities]], even if you don't have requested ssh access to stat100x clients since it contains good guidelines about how to handle sensitive data.


If you're interested in common API tasks, and don't feel like reinventing the wheel, there are a number of Python-based API wrappers and MediaWiki utilities. Our very own Aaron Halfaker maintains [https://pypi.python.org/pypi/mediawiki-utilities#downloads MediaWiki Utilities], which includes a module dedicated to API interactions. There's no equivalent for R yet.
In addition, keep in mind the following important principles:
* Read data [https://wikitech.wikimedia.org/wiki/Analytics/Data_Access_Guidelines access guidelines], this is important.


====Database dumps====
*'''Be paranoid about personally identifiable information''' (PII). Familiarize yourself with the data you are working on, and determine if it contains any PII. It's better to double and triple check than to assume anything, but if you have any doubt ask the Analytics team (via IRC or email or Phabricator). Please see the [[metawiki:Data_retention_guidelines|data retention guidelines]].
Every month, [http://dumps.wikimedia.org/ XML snapshots] of the databases are generated. Since they're generated monthly, they're always slightly outdated, but make up for it by being incredibly cohesive (and [http://dumps.wikimedia.org/enwiki/20161001/ incredibly large]). They contain both the text of each revision of each page, and snapshots of the database tables. As such, they're a really good way of getting large amounts of diffs or information on revisions without running into the query limits on the API.
*'''Don't copy sensitive data''' (for example, data accessible only by the users in the analytics-privatedata-users) from its origin location to elsewhere (in HDFS or on any other host/support) unless strictly necessary. And most importantly, do it only if you know what you are doing. If you are in doubt, please reach out to the Analytics team first.
*'''Restrict access'''.  If you do need to copy sensitive data somewhere, please make sure that you are the only one able to access the data. For example, if you copy Webrequest data from its location on HDFS to your /user/$your-username directory, make sure that the permissions are set to avoid everybody with access to HDFS to read the data. This is essential to avoid accidental leaks of PII/sensitive data or retention over our guidelines (https://meta.wikimedia.org/wiki/Data_retention_guidelines).
*'''Clean up copies of data'''. Please make sure that any data that you copied is deleted as soon as your work has been done.


Aaron's [https://pypi.python.org/pypi/mediawiki-utilities#downloads MediaWiki-utilities] package contains a set of functions for handling and parsing through the XML dumps, which should drastically simplify dealing with them. They're also stored internally, as well as through dumps.wikimedia.org, and can be found in <code>/mnt/data/xmldatadumps/public</code> on stat1007.
If you ever have any questions or doubts, err on the side of caution and [[Analytics#Contact|contact the Analytics team]]. We are very friendly and happy to help!


===EventLogging data===
== Requesting access ==
One analytics-specific source of data is [[Analytics/EventLogging|EventLogging]]. This allows us to track things we're interested in as researchers that MediaWiki doesn't normally log. Examples include:


#A log of changes to user preferences;
If after reading the above you do need access to WMF analytics data and/or tools, you'll need to submit a request on Phabricator and add the project tag <code>SRE-Access-Requests</code>: Follow the steps at [[Production access#Access Request Process]].
#A/B testing data;
#Clicktracking data.


These datasets are stored in the <code>log</code> database on '''analytics-slave.eqiad.wmnet''' (a CNAME for db1108). The schemas that set out each table, and what they contain, can be found on Meta in the [https://meta.wikimedia.org/w/index.php?title=Special%3AAllPages&from=&to=&namespace=470 Schema namespace].
If you already have access and you only need to get kerberos credentials, it is sufficient to create a task with the project tag <code>Analytics</code>: [https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?title=Requesting%20Kerberos%20access%20for%20%3CYOUR%20USERNAME%3E&description=*%20My%20username%20on%20wikitech.wikimedia.org%20is%3A%20%0D%0A*See%20https%3A%2F%2Fwikitech.wikimedia.org%2Fwiki%2FAnalytics%2FData_access&projects=analytics Create a ticket requesting kerberos credentials].


===Pageviews data===
Read the following sections to figure out what you'll access levels you should request in your ticket.
An important piece of community-facing data is information on our pageviews; what articles are being read, and how much? This is currently stored in [[Analytics/Cluster/Hive#Access|our Hadoop cluster]], which contains [[Analytics/Data/Pageview hourly|aggregated pageview data]] as well as the mostly-raw [[Analytics/Data/Webrequest|database of web requests]]. See the detailed documentation [[Analytics/Data/Pageview_hourly|here]].


==== Turnilo ====
Please follow the instructions [[Production_access#Filing_the_request|Production access request instructions]] for any of the access types.  We need a paper trail and a standard form in order to keep track of requests and understand why they are happening.  When submitting the Phabricator ticket, you may edit the description accordingly to match the request you are asking for. E.g. if you don't need SSH access, you don't need to provide an SSH key.
[[Analytics/Systems/Turnilo-Pivot#Access]]


===Geolocation data===
== Access Levels ==
When you have IP addresses - be they from the RequestLogs, EventLogging or MediaWiki itself - you can do geolocation. This can be a very useful way of understanding user behaviour and evaluating how our ecosystem works. We currently use the MaxMind geolocation services, which are accessible on both stat1006 and stat1007: a full guide to geolocation and some examples of how to do it can be found [[Analytics/Geolocation|on the 'geolocation' page]].
There are a few varying levels and combinations of access that we support.


==Infrastructure==
'analytics-*' groups have access to the [[Analytics/Cluster|Analytics Cluster]] (which mostly means Hadoop) and to stat* servers for local (non distributed) compute resources.  These groups overlap in what servers they grant ssh access to, but further posix permissions restrict access to things like MySQL, Hadoop, and files.


=== Stats machines ===
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group allow you to log in and authenticate via web tools like Superset and Turnilo.
The production Wikimedia cluster contains several dedicated statistics servers used to do general statistical computation and to access various internal datasources like the MariaDB replicas and the webrequest data in Hadoop.
* Shell (posix) membership in the `analytics-privatedata-users` group allows you to read private data stored in tools like Hadoop, Hive, Presto.
* An ssh key for your shell user allows you to ssh into the analytics client servers (AKA stat boxes) (and access tools like [[Analytics/Systems/Jupyter|Jupyter]] which also needs LDAP membership).
* A Kerberos principal allows you to access data in Hadoop directly.
* Team specific shell (posix) group membership for management of team specific jobs and data.


You may need to access the internet from the stats machines (for example, to download a Python script using <code>pip</code>). By default, this will fail because the machines are tightly firewalled. You'll have to use the [[Http proxy|HTTP proxy]].
This might all be confusing if you are just trying to figure out what to put in your Phabricator SRE-Access-Requests ticket. Here are a few common use cases of what you might be trying to request.


Since these machines are in the production cluster, you'll need production shell access to use them. 
== What access should I request? ==
{| class="wikitable"
!Name
!Hostname
!Access available
|-
|[[stat1007]]
|stat1007.eqiad.wmnet
|Hadoop, MariaDB
|-
|[[stat1006]]
|stat1006.eqiad.wmnet
|MariaDB
|-
|[[stat1004]]
|stat1004.eqiad.wmnet
|Hadoop
|}
Please note: stat1005 has been replaced with stat1007 in [[phab:T205846|T205846]].


===MariaDB replicas===
If you need access to...
The Operations team maintains several dedicated MariaDB replicas. These contain copies of the production [[Mw:Manual:Database layout|MediaWiki databases]] (both actively-used mainstream projects and small internal-facing wikis, like various projects' Arbitration Committees) as well as the [[Analytics/EventLogging|EventLogging]] databases.  


The main one is <code>analytics-store.eqiad.wmnet</code>, known for short as <code>analytics-store</code> (this hostname is actually an alias for <code>dbstore1002.eqiad.wmnet</code>, but it's easier to remember). It contains a <code>flowdb</code> database with a copy of the data stored by the [[mediawikiwiki:Extension:Flow|Flow discussion system]], a <code>staging</code> database in which researchers can create their own tables, [[Analytics/Datasets|a <code>datasets</code> table]] containing useful reference tables. Almost all production wikis are replicated to <code>analytics-store.eqiad.wmnet</code> and you can get a complete list via [Https://meta.wikimedia.org/w/api.php?action=sitematrix the SiteMatrix API]. The Eventlogging log database used to be replicated via custom script, but not anymore (more info [[phab:T156844|T156844]]).  
=== Dashboards in web tools like Turnilo and/or Superset that do not access private data ===
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group.  


<code>x1-analytics-slave.eqiad.wmnet</code>, known as <code>x1-analytics-slave</code>, used to be an alias for <code>db1031.eqiad.wmnet</code> , containing replicas of the data stored by [[mw:Extension:Echo|Echo]], the notifications system, as well as the Flow data. The domain now points to dbstore1002.eqiad.wmnet.
=== Dashboards in Superset / Hive interfaces (like Hue) that do access private data ===
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group.
* Shell (posix) membership in the `analytics-privatedata-users` group


You can access these analytics replicas from either stat1007 or stat1006. To use the <code>mysql</code> client interactively, type: <code>mysql -h analytics-store.eqiad.wmnet -A</code>. The <code>-A</code> disables tab autocompletion, which can be bothersome when pasting multi-line queries into the prompt. You'll then be dropped into the MySQL command line.<ref>The stat machines automatically authenticate to the MariaDB replicas using passwords stored in preloaded config (<code>.cnf</code>) files. On stat1006, the file is <code>/etc/mysql/conf.d/research-client.cnf</code>, while on stat1007 it's <code>/etc/mysql/conf.d/analytics-research-client.cnf</code>. These files are automatically referenced from <code>/etc/mysql/my.cnf</code>, which the command line <code>mysql</code> program reads by default. Other programs may not do this automatically, and require an explicit pointer to the underlying <code>.cnf</code> file.</ref>
''Note to SREs granting this access: This can be done by declaring the user in Puppet as usual, but with an empty array of <tt>ssh_keys</tt>.
''


If you'd rather generate a TSV file<ref>The <code>mysql</code> utility doesn't have the ability to generate files in other formats like CSV.</ref> and then retrieve it later, you can also do so from the command line. You can type type:
=== ssh login to analytics client servers (AKA stat boxes) without Hadoop, Hive, Presto access ===
This is a rare need, but you might want it if you just want to use a GPU on a stat box, or access to MediaWiki analytics MariaDB instances.
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group.
* Shell (posix) membership in the `analytics-privatedata-users` group
* An ssh key for your shell user


<code>mysql -h analytics-store.eqiad.wmnet <nowiki>{{database name}}</nowiki> -e "<nowiki>{{your query;}}</nowiki>" > <nowiki>{{filename}}</nowiki>.tsv</code>
=== ssh login to analytics client servers (AKA stat boxes) with Hadoop, Hive, Presto access ===
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group.  
* Shell (posix) membership in the `analytics-privatedata-users` group
* An ssh key for your shell user
* A Kerberos principal


It'll go off to generate the file on its own.<ref>The file extension you choose doesn't actually affect the command, but since <code>-e</code> generates a TSV file, you should use the corresponding file extension so other programs load the resulting file correctly.</ref>
=== All of the above ===
If you are a WMF engineer wanting to work with analytics data, most likely you'll want all of these access levels together:


As well as connecting directly, it's also possible to connect automatically from your programming language of choice, be it R or Python. For Python, we have the [http://mysql-python.sourceforge.net/MySQLdb.html MySQLdb] module installed on stat1006 and stat1007. For R, we have [http://cran.r-project.org/web/packages/RMySQL/RMySQL.pdf RMySQL].
* LDAP membership in the <tt>wmf</tt> or </tt>nda</tt> LDAP group.
* Shell (posix) membership in the `analytics-privatedata-users` group
* An ssh key for your shell user
* A Kerberos principal


</noinclude>The page [[MariaDB]] contains detailed internal information about the setup of the slaves.
If needed for work on your team, you may also want Team specific shell (posix) group membership (see below).


===Hadoop===
== Analytics shell (posix) groups explained ==
Finally, we have Hadoop - our storage system for large amounts of data. The easiest way to query the Hadoop data is through [[Analytics/Cluster/Hive|Hive]], which can be accessed from [[stat1005|stat1007]] and stat1004 -  simply type <code>beeline</code> in the terminal, switch to the <code>wmf</code> database, and input your query.


At the moment there are no recommended Hive access packages for R or Python. In the meantime, the best way to get data out of the system is to treat it as you would the Analytics slaves; through the terminal, type:
=== Generic data access (can go together with the Team specific ones) ===
<code>'''analytics-privatedata-users (no kerberos, no ssh)'''</code>


<code>beeline -f my_query.hql > file_name.tsv</code>
The Analytics team offers various UIs to fetch data from Hadoop, like Turnilo and Superset. They are both guarded by CAS authentication (requiring the user to be in either the wmf or the nda LDAP groups), fetching data from Druid (currently not authenticated). Superset is also able to fetch data from Hadoop/Hive on behalf of the logged in user via a (read-only) tool called Presto. There are two use cases:


For information about writing HQL to query this data, see the [https://cwiki.apache.org/confluence/display/Hive/LanguageManual Hive language manual].
* Sql-lab panel: the user is able to make sql-like queries on Hadoop datasets (pageviews/event/etc..) without the need to log in on a stat100x host.
* Dashboards: data visualized in dashboards fetched from Hadoop.


=== SWAP ===
In both cases, Superset works on behalf of the user, so eventually the username will need to hold read permissions for Hadoop data to correctly visualize what requested. This is guaranteed by being into <code>analytics-privatedata-users</code>, that gets deployed on the Hadoop master nodes (without ssh access) to outline user permissions on HDFS. This is why some users might want to be in the group without either kerberos or ssh.
We also have [[SWAP]], an internal [http://jupyter.org/ Jupyter] server that provides a nice notebook interface for crunching data.


== Production access ==
Additionally the user needs to be added to the "wmf" LDAP group. Make sure to add them (if you are an SRE) or mention it on the ticket (if you are the requestor).
To be able to access a number of internal data sources (such as logs, replicas of the production databases, EventLogging data) as well as machines used for data crunching (e.g. <code>stat1006</code>), you will need [[production shell access|shell access to the production Wikimedia cluster]] (see also [https://docs.google.com/document/d/1BwB92e-wNc-y6c5DYfBj7ZxdRFmYlKa-ijzp4t-2f0c/edit these notes] on configuring SSH specifically for the purpose of working with the stats servers). You can read more about that access and how to request it at the link, but keep one thing in mind: '''production shell access is extremely sensitive'''. You ''must'' follow the rules outlined in [[phab:L3|Acknowledgement of Server Access Responsibilities]]. If you have questions or doubt, ask Tech Ops.


=== User responsibilities ===
<code>'''analytics-privatedata-users (no kerberos)'''</code>
Before starting, please read carefully what the Analytics team expects from you. As uncle Ben says, "''with great power comes great responsibility''". When you are given access to Analytics production data, you also take on the duty of protecting the integrity of users' privacy. The following actions should be always taken into consideration while working with sensitive data:


* '''Learn about Personally Identifiable Information (PII)'''.  Familiarize yourself with the data you are working on, and determine if it contains any PII. It's better to double and triple check than to assume anything, but if you have any doubt ask the Analytics team (via IRC or email or Phabricator). Please see https://meta.wikimedia.org/wiki/Data_retention_guidelines for more information, it will help you in thinking about PII and tell you how to handle it if your datasets contain it.
Grants access to the [[Analytics/Systems/Clients|analytics clients]], GPUs and to [[Analytics/Systems/MariaDB|MariaDB replicas]] (using the credentials at <code>/etc/mysql/conf.d/analytics-research-client.cnf</code>).
* '''Don't copy sensitive data''' (for example, data accessible only by the users in the analytics-privatedata-users) from its origin location to elsewhere (in HDFS or on any other host/support) unless strictly necessary.  And most importantly, do it only if you know what you are doing. If you are in doubt, please reach out to the Analytics team first.
;<code>analytics-privatedata-users (with kerberos)</code>
* '''Restrict access'''.  If you do need to copy sensitive data somewhere, please make sure that you are the only one able to access the data. For example, if you copy Webrequest data from its location on HDFS to your /user/$your-username directory, make sure that the permissions are set to avoid everybody with access to HDFS to read the data. This is essential to avoid accidental leaks of PII/sensitive data or retention over our guidelines (https://meta.wikimedia.org/wiki/Data_retention_guidelines).
:Grants access to all the [[Analytics/Systems/Clients|analytics clients]], the [[Analytics/Cluster|analytics cluster]] (Hadoop/Hive) and the '''private''' data hosted there, and to [[Analytics/Systems/MariaDB|MariaDB replicas]], using the credentials at <code>/etc/mysql/conf.d/analytics-research-client.cnf</code>.
* '''Clean up copies of data'''.  Please make sure that any data that you copied is deleted as soon as your work has been done.
:Users in this group also need a [[Analytics/Systems/Kerberos|Kerberos]] authentication principal. If you're already a group member and don't have one, follow the [[Analytics/Systems/Kerberos/UserGuide#Get_a_password_for_Kerberos|instructions in the Kerberos user guide]]. If you're requesting membership in this group, the [[SRE|SRE team]] will [[Analytics/Systems/Kerberos#Create_a_principal_for_a_real_user|create this for you]] when they add you to the group.


Thank you for your patience and willingness to help, this is an essential part of guaranteeing the safety of our users' data.
<code>'''analytics-admins'''</code>


=== Access Groups ===
This and similar groups (like <code>statistics-admins</code>, <code>eventlogging-admins</code>, and <code>statistics-web-users</code>) are for people doing system maintenance and administration, generally as part of a WMF engineering team.  The <code>analytics-admins</code> group, for example, is for people working on the Data Engineering team or collaborating with Data Engineering through a value stream.  The list of users currently in each group is available in this [https://github.com/wikimedia/operations-puppet/blob/production/modules/admin/data/data.yaml configuration file].
When submitting your access request, you will need to specify what access group you need.


'analytics-*' groups have access to the [[Analytics/Cluster|Analytics Cluster]] (which mostly means Hadoop). 'statistics-*' groups get access to stat* servers for local (non distributed) compute resources. These groups overlap in what servers they grant ssh access to, but further posix permissions restrict access to things like MySQL, Hadoop, and files.
=== Team specific (they do not grant access to PII data on Hadoop, for that see analytics-privatedata-users) ===
;<code>analytics-wmde-users</code>
:For [[meta:Wikimedia Deutschland|Wikimedia Deutschland]] employees, mostly used for crons running automation jobs as  the <code>analytics-wmde</code> system user. Grants access to all stat100x hosts, to the [[Analytics/Systems/MariaDB|MariaDB replicas]] via <code>/etc/mysql/conf.d/research-wmde-client.cnf</code> and to the <code>analytics-wmde</code> system user. It is not required that every WMDE user is placed into this group, only those who needs to take care of the aforementioned automation will require access (so they'll ask it explicitly).
;<code>analytics-search-users</code>
: For members of the [[mw:Wikimedia Search Platform|Wikimedia Foundation Search Platform team]] , used for various Analytics-Search jobs). Grants access to all stat100x hosts, an-airflow1001 and to the <code>analytics-search</code> system user.
;<code>analytics-product-users</code>
:For members of the Product Analytics team, used for various analytics jobs. Grants access to all stat100x hosts, and to the <code>analytics-product</code> system user.
;<code>analytics-research-users</code>
:For members of the Research team, used for various jobs. Grants access to all stat100x hosts, an Airflow instance, and to the <code>analytics-research</code> system user.
;<code>analytics-platform-eng-users</code>
:For members of the Research team, used for various jobs. Grants access to all stat100x hosts, an Airflow instance, and to the <code>analytics-platform-eng</code> system user.


Here's a summary of groups you might need (as of 2016-10-18):
=== Groups to avoid (deprecated) ===


;<code>researchers</code>
;<code>researchers</code>
: Access to stat1006 and the credentials for the MariaDB slaves in<code>/etc/mysql/conf.d/research-client.cnf</code>.
;<code>statistics-users</code>
: Access to stat1006 for number crunching and accessing non private log files hosted there.
;<code>statistics-privatedata-users</code>
: Access to stat100[56], public data like sampled Webrequest logs (stored under <code>/a/log/webrequest/archive</code>) and for the MariaDB slaves in <code>/etc/mysql/conf.d/statistics-private-client.cnf</code>
;<code>analytics-wmde</code>
: WMDE specific group (mostly used for crons). Access to stat1007 and to MariaDB slaves in <code>/etc/mysql/conf.d/research-wmde-client.cnf</code>
;<code>analytics-users</code>
;<code>analytics-users</code>
: Access to stat1004 to connect to the [[Analytics/Cluster]] (Hadoop/Hive) (NO HADOOP PRIVATE DATA).
;<code>analytics-privatedata-users</code>
: Access to stat1007 and stat1004 to connect to the [[Analytics/Cluster]] (Hadoop/Hive) and to query '''private''' data hosted there, including webrequest logs. Access to MariaDB slaves in <code>/etc/mysql/conf.d/analytics-research-client.cnf</code>
: If you want Hadoop access you probably want this.
:
The list of users currently in each group is available in this [https://github.com/wikimedia/operations-puppet/blob/production/modules/admin/data/data.yaml configuration file].<ref>Other groups including <code>statistics-admins</code>, <code>analytics-admins</code>, <code>eventlogging-admins</code>, and <code>statistics-web-users</code> are for people doing system maintenance and administration, so you don't need them just to access data.</ref>


=== Host access granted ===
===Host access granted===
{| class="wikitable"
There used to be a lot of differences in what hosts an Analytics POSIX group could have had access to, but now there is none anymore.
!Access Groups
!Access to stat1007
!Access to stat1006
!Access to stat1004
!Access to notebook100[34]
|-
|<code>researchers</code>
|
|X
|
|X
|-
|<code>statistics-users</code>
|
|X
|
|
|-
|<code>statistics-privatedata-users</code>
|X
|X
|
|X
|-
|<code>analytics-users</code>
|X
|
|X
|X
|-
|<code>analytics-privatedata-users</code>
|X
|
|X
|X
|-
|<code>analytics-wmde</code>
|X
|
|
|
|}


=== Data access granted ===
===Data access granted===
{| class="wikitable"
{| class="wikitable"
!Access Groups
!Access Groups
Line 206: Line 130:
!Hadoop access
!Hadoop access
(Private data)
(Private data)
!research-client.cnf
!Mariadb credentials
!statistics-private-client.cnf
!System user
!research-wmde-client.cnf
!Other
!analytics-research-client.cnf
|-
|-
|<code>researchers</code>
|<code>analytics-privatedata-users</code>
|
|<code>yes</code>
|
|<code>yes</code>
|X
|<code>analytics-research-client.cnf</code>
|
|<code>analytics-privatedata</code>
|
|
|
|-
|-
|<code>statistics-users</code>
|<code>analytics-wmde-users</code>
|
|
|
|
|
|
|
|<code>research-wmde-client.cnf (only on stat1007)</code>
|<code>analytics-wmde</code>
|
|
|-
|-
|<code>statistics-privatedata-users</code>
|<code>analytics-search-users</code>
|
|
|
|
|
|X
|
|
|
|
|<code>Airflow admin</code>
|-
|-
|<code>analytics-users</code>
|<code>analytics-product-users</code>
|X
|
|
|
|
|
|
|
|
|-
|<code>analytics-product</code>
|<code>analytics-privatedata-users</code>
|X
|X
|
|
|
|X
|-
|<code>analytics-wmde</code>
|
|
|
|
|X
|
|
|}
|}


== Of special interest for external researchers ==
=== Shell access expiration ===
If you are an external researcher trying to get access to our data you must have signed an NDA.
Data access is given to collaborators and contractors with a time limit. Normally the end date is set to be the contract or collaboration end date. For staff data access terminates upon employment termination unless there is a collaboration in place.
 
Once a user is terminated their home directory is deleted, if the team wishes to preserve some of the user work (work, not data as data as strict guidelines for deletion) it can be done via archiving that work to hadoop. Please file a phab ticket to have this done. Archival to hadoop would happen in the following directory:
/wmf/data/archive/user/<username>
 
== LDAP access ==
Some Analytics systems, including [[Analytics/Systems/Superset|Superset]], [[Analytics/Systems/Turnilo|Turnilo]], and [[Analytics/Systems/Jupyter|Jupyter]], require a [[mw:developer account|developer account]] in the <code>wmf</code> or <code>nda</code> [[LDAP/Groups|LDAP groups]] for access.
 
If you need this access, first make sure you have a working developer account (if you can [[Special:Login|log into this wiki]], you have one). If you need one, you can create one at [[mw:Developer_account]].
 
Note that a developer account comes with ''two'' different usernames; some services need one and some services need the other. You can find both by [[Special:Login|logging into this wiki]] and visiting [[Special:Preferences#mw-prefsection-personal|the "user profile" section of Special:Preferences]]. Your ''Wikitech username'' is listed under "Username", while your ''developer shell username'' is listed under "Instance shell account name". Thankfully, there's only one password!
 
Then, create a Phabricator task: Read and follow [[phab:project/profile/1564/|the instructions for LDAP-access-requests]] to request getting added to the appropriate group. Make sure you include both your usernames.
 
Note that this access has similar requirements to shell access: you will need to either be a Wikimedia Foundation employee or have a signed volunteer NDA.
 
== Accounts and passwords explained: LDAP/Wikitech/MW Developer vs shell/ssh/posix vs Kerberos ==
There are too many different accounts and passwords one has to deal with in order to access analytics systems.  For now it's what we've got.  Let's try to explain them all explicitly.
 
 
 
=== tl;dr ===
* LDAP AKA Wikitech AKA Mediawiki Developer accounts are the same.  There are 2 usernames for this account, but only one password.
* POSIX AKA shell AKA ssh accounts are the same.  The username is the same as your 'shell username' for your LDAP account.  There is no password, only an ssh key pair.
* Kerberos uses your shell username and a separate Kerberos account password, and grants you access to distributed systems like Hadoop.
 
=== LDAP ===
LDAP is used mostly for web logins.  An LDAP account has 2 usernames, the 'Wikitech' username and the shell username, as described above.  The password for these is the same.
Since LDAP account creation is handled by Mediawiki and also allows you to log into Wikitech (this wiki), LDAP accounts are sometimes referred to as your 'Wikitech' account or your 'Mediawiki developer account'.  These terms all mean the same thing.
 
Analytics web UIs (like Jupyter, Turnilo, Superset, etc.) require that you have an LDAP account in specific groups.  Membership in these groups authorize access.
 
=== POSIX ===
To log into a production server, you need an explicit POSIX shell account created for you.  This is handled by SRE.  POSIX user accounts are often also referred to as your shell or ssh account, as ssh allows you to remote login and get a shell (terminal) on a production server.  At WMF, POSIX user accounts do not use passwords.  Instead, you login via ssh using an ssh key pair.
 
Access to specific production servers is managed by membership of your POSIX account in specific groups, e.g. analytics-privatedata-users.
 
=== Kerberos ===
[[Analytics/Systems/Kerberos|Kerberos]] is only needed when using a distributed system like Hadoop.  You can ssh into a single production server with your POSIX account, but other production servers that you are not directly logged into have no way of knowing you are authorized to access them.  Kerberos solves this problem.  After logging into a server with ssh, you authenticate to Kerberos with <tt>kinit</tt> and your Kerberos password (this is a totally different password than your LDAP one).  Then, when using a distributed system, other servers can interact with Kerberos to determine if your access should be authorized.
 
==Infrastructure==
===Analytics clients===
The [[Analytics/Systems/Clients|analytics clients]] are servers in the production cluster where you can run your code and queries. In fact, you ''should'' use them to run all your analysis, so that sensitive data never leaves the production cluster. 
 
They have a number of useful capabilities, from large amounts of memory to [[Analytics/Systems/Jupyter|Jupyter notebooks]].
 
===MariaDB===
The [[Analytics/Systems/MariaDB|Analytics MariaDB cluster]] contains copies of the production [[Mw:Manual:Database layout|MediaWiki databases]] (both actively-used mainstream projects and small internal-facing wikis, like various projects' Arbitration Committees).
 
=== Data Lake===
We store large amounts of data in analysis-friendly formats in the [[Analytics/Data Lake|Data Lake]].
 
==Scripting access==
If you're writing some analysis code, you will probably need to access data first. There are a couple of software packages that have been developed to make this easy. Note that both of them are designed to work on the analytics clients only.
 
For Python, there is [https://github.com/wikimedia/wmfdata-python wmfdata]. It can access data through MariaDB, Hive, Presto, and Spark and has a number of other useful functions, like creating custom Spark sessions.
 
For R, there is [https://github.com/wikimedia/wikimedia-discovery-wmf wmf]. It can access data from MariaDB and Hive and has many other useful functions, particularly for graphing and statistics.
 
==Data sources==
Data sets and data streams can be found in [[wikitech:Category:Data_stream|Category:Data_stream]]
 
===Data Dashboards. Superset and Turnilo===
Superset: http://superset.wikimedia.org
Turnilo: http://turnilo.wikimedia.org
 
You need a wikitech login that is in the "wmf" or "nda" LDAP groups. If you don't have it, please create a Phabricator task by following instructions on [[phab:tag/ldap-access-requests/]].
 
Before requesting access, please make sure you:
*have a functioning Wikitech login. Get one: https://toolsadmin.wikimedia.org/register/
*are an employee or contractor with wmf OR have signed an NDA
Depending on the above, you can request to be added to the wmf group or the nda group. Please indicate the motivation on the task about why you need access and ping the analytics team if you don't hear any feedback soon from the Opsen on duty.
 
===MediaWiki application data===
You can do a lot of work with the data stored by MediaWiki in the normal course of running itself. This includes data about:
 
* Users' edit counts (consult the <code>user</code> table)
*Edits to a particular page (consult the <code>revision</code> table, joined with the <code>page</code> table if necessary)
*Account creations (consult the <code>logging</code> table)
 
====Databases====
You can access this data using the replica MariaDB databases.  These are accessible from the stat100* machines via <code>analytics-mysql <wiki-id></code>. For more details [[Analytics/Systems/MariaDB|see here]].
 
For an overview of how the data is laid out in those databases, consult the [[mediawikiwiki:Manual:Database_layout|database layout manual]].
 
There are a few things that aren't available from the databases replicas. The main example of this is the actual content of pages and revisions. Instead, you can access them [[#API|through the API]] or in the XML dumps, which are both described below.
 
==== API====
A subset of this application data, which doesn't present privacy concerns, is also publicly accessible through the API (except for ''private'' wikis, which you shouldn't really need to perform research on anyway!). A good way to understand it, and to test queries, is [[Special:ApiSandbox]], which provides a way of easily constructing API calls and testing them. The output includes "Request URL" - a direct URL for making that query in the future, that should work on any and all Wikimedia production wikis.
 
If you're interested in common API tasks, and don't feel like reinventing the wheel, there are a number of Python-based API wrappers and MediaWiki utilities. Our very own Aaron Halfaker maintains [https://pypi.python.org/pypi/mediawiki-utilities#downloads MediaWiki Utilities], which includes a module dedicated to API interactions. There's no equivalent for R yet.
 
====Database dumps ====
Every month, [http://dumps.wikimedia.org/ XML snapshots] of the databases are generated. Since they're generated monthly, they're always slightly outdated, but make up for it by being incredibly cohesive (and [http://dumps.wikimedia.org/enwiki/20161001/ incredibly large]). They contain both the text of each revision of each page, and snapshots of the database tables. As such, they're a really good way of getting large amounts of diffs or information on revisions without running into the query limits on the API.
 
Aaron's [https://pypi.python.org/pypi/mediawiki-utilities#downloads MediaWiki-utilities] package contains a set of functions for handling and parsing through the XML dumps, which should drastically simplify dealing with them. They're also stored internally, as well as through dumps.wikimedia.org, and can be found in <code>/mnt/data/xmldatadumps/public</code> on stat1004, stat1005, stat1006, stat1007, and stat1008.
 
===EventLogging data===
One analytics-specific source of data is [[Analytics/EventLogging|EventLogging]]. This allows us to track things we're interested in as researchers that MediaWiki doesn't normally log. Examples include:
 
#A log of changes to user preferences;
# A/B testing data;
#Clicktracking data.
 
These datasets are stored in the <code>event</code> and <code>event_sanitized</code> Hive databases, subject to HDFS access control.
 
===Pageviews data===
An important piece of community-facing data is information on our pageviews; what articles are being read, and how much? This is currently stored in [[Analytics/Cluster/Hive#Access|our Hadoop cluster]], which contains [[Analytics/Data/Pageview hourly|aggregated pageview data]] as well as the mostly-raw [[Analytics/Data/Webrequest|database of web requests]]. See the detailed documentation [[Analytics/Data/Pageview_hourly|here]].
 
====Turnilo====
[[Analytics/Systems/Turnilo-Pivot#Access]]


As any developer at the foundation you will need an account Please follow  the Sign Up link in https://www.mediawiki.org/wiki/Developer_access as per https://wikitech.wikimedia.org/wiki/Production_shell_access.
=== Geolocation data===
When you have IP addresses - be they from the RequestLogs, EventLogging or MediaWiki itself - you can do geolocation. This can be a very useful way of understanding user behaviour and evaluating how our ecosystem works. We currently use the MaxMind geolocation services, which are accessible on stat boxes: a full guide to geolocation and some examples of how to do it can be found [[Analytics/Geolocation|on the 'geolocation' page]].


== Notes ==
==Notes==
<references />
<references />

Revision as of 18:25, 13 September 2022

In addition to a variety of publicly-available data sources, Wikimedia has a parallel set of private data sources. The main reason is to allows a carefully vetted set of users to perform research and analysis on confidential user data (such as the IP addresses of readers and editors) which is stored according to our privacy policy and data retention guidelines. This private infrastructure also provides duplicate copies of publicly-available data for ease of use.

Do you need it?

Private data lives in same server cluster that runs Wikimedia's production websites. Often, this means you will need production shell access to get it.

However, since this access gets you closer to both those production websites and this confidential data, it is not freely given out. First, you have to demonstrate a need for these resources. Second, you need to have a non-disclosure agreement with the Wikimedia Foundation. If you're a Foundation employee, this was included as part of your employment agreement. If you're a researcher, it's possible to be sponsored through a formal collaboration with the Wikimedia Foundation's Research team.

User responsibilities

You must remember this access is extremely sensitive. You have a duty to protect the privacy of our users. As Uncle Ben says, "with great power comes great responsibility." Always follow the rules outlined in the Acknowledgement of Server Access Responsibilities, even if you don't have requested ssh access to stat100x clients since it contains good guidelines about how to handle sensitive data.

In addition, keep in mind the following important principles:

  • Be paranoid about personally identifiable information (PII). Familiarize yourself with the data you are working on, and determine if it contains any PII. It's better to double and triple check than to assume anything, but if you have any doubt ask the Analytics team (via IRC or email or Phabricator). Please see the data retention guidelines.
  • Don't copy sensitive data (for example, data accessible only by the users in the analytics-privatedata-users) from its origin location to elsewhere (in HDFS or on any other host/support) unless strictly necessary. And most importantly, do it only if you know what you are doing. If you are in doubt, please reach out to the Analytics team first.
  • Restrict access. If you do need to copy sensitive data somewhere, please make sure that you are the only one able to access the data. For example, if you copy Webrequest data from its location on HDFS to your /user/$your-username directory, make sure that the permissions are set to avoid everybody with access to HDFS to read the data. This is essential to avoid accidental leaks of PII/sensitive data or retention over our guidelines (https://meta.wikimedia.org/wiki/Data_retention_guidelines).
  • Clean up copies of data. Please make sure that any data that you copied is deleted as soon as your work has been done.

If you ever have any questions or doubts, err on the side of caution and contact the Analytics team. We are very friendly and happy to help!

Requesting access

If after reading the above you do need access to WMF analytics data and/or tools, you'll need to submit a request on Phabricator and add the project tag SRE-Access-Requests: Follow the steps at Production access#Access Request Process.

If you already have access and you only need to get kerberos credentials, it is sufficient to create a task with the project tag Analytics: Create a ticket requesting kerberos credentials.

Read the following sections to figure out what you'll access levels you should request in your ticket.

Please follow the instructions Production access request instructions for any of the access types. We need a paper trail and a standard form in order to keep track of requests and understand why they are happening. When submitting the Phabricator ticket, you may edit the description accordingly to match the request you are asking for. E.g. if you don't need SSH access, you don't need to provide an SSH key.

Access Levels

There are a few varying levels and combinations of access that we support.

'analytics-*' groups have access to the Analytics Cluster (which mostly means Hadoop) and to stat* servers for local (non distributed) compute resources. These groups overlap in what servers they grant ssh access to, but further posix permissions restrict access to things like MySQL, Hadoop, and files.

  • LDAP membership in the wmf or nda LDAP group allow you to log in and authenticate via web tools like Superset and Turnilo.
  • Shell (posix) membership in the `analytics-privatedata-users` group allows you to read private data stored in tools like Hadoop, Hive, Presto.
  • An ssh key for your shell user allows you to ssh into the analytics client servers (AKA stat boxes) (and access tools like Jupyter which also needs LDAP membership).
  • A Kerberos principal allows you to access data in Hadoop directly.
  • Team specific shell (posix) group membership for management of team specific jobs and data.

This might all be confusing if you are just trying to figure out what to put in your Phabricator SRE-Access-Requests ticket. Here are a few common use cases of what you might be trying to request.

What access should I request?

If you need access to...

Dashboards in web tools like Turnilo and/or Superset that do not access private data

  • LDAP membership in the wmf or nda LDAP group.

Dashboards in Superset / Hive interfaces (like Hue) that do access private data

  • LDAP membership in the wmf or nda LDAP group.
  • Shell (posix) membership in the `analytics-privatedata-users` group

Note to SREs granting this access: This can be done by declaring the user in Puppet as usual, but with an empty array of ssh_keys.

ssh login to analytics client servers (AKA stat boxes) without Hadoop, Hive, Presto access

This is a rare need, but you might want it if you just want to use a GPU on a stat box, or access to MediaWiki analytics MariaDB instances.

  • LDAP membership in the wmf or nda LDAP group.
  • Shell (posix) membership in the `analytics-privatedata-users` group
  • An ssh key for your shell user

ssh login to analytics client servers (AKA stat boxes) with Hadoop, Hive, Presto access

  • LDAP membership in the wmf or nda LDAP group.
  • Shell (posix) membership in the `analytics-privatedata-users` group
  • An ssh key for your shell user
  • A Kerberos principal

All of the above

If you are a WMF engineer wanting to work with analytics data, most likely you'll want all of these access levels together:

  • LDAP membership in the wmf or nda LDAP group.
  • Shell (posix) membership in the `analytics-privatedata-users` group
  • An ssh key for your shell user
  • A Kerberos principal

If needed for work on your team, you may also want Team specific shell (posix) group membership (see below).

Analytics shell (posix) groups explained

Generic data access (can go together with the Team specific ones)

analytics-privatedata-users (no kerberos, no ssh)

The Analytics team offers various UIs to fetch data from Hadoop, like Turnilo and Superset. They are both guarded by CAS authentication (requiring the user to be in either the wmf or the nda LDAP groups), fetching data from Druid (currently not authenticated). Superset is also able to fetch data from Hadoop/Hive on behalf of the logged in user via a (read-only) tool called Presto. There are two use cases:

  • Sql-lab panel: the user is able to make sql-like queries on Hadoop datasets (pageviews/event/etc..) without the need to log in on a stat100x host.
  • Dashboards: data visualized in dashboards fetched from Hadoop.

In both cases, Superset works on behalf of the user, so eventually the username will need to hold read permissions for Hadoop data to correctly visualize what requested. This is guaranteed by being into analytics-privatedata-users, that gets deployed on the Hadoop master nodes (without ssh access) to outline user permissions on HDFS. This is why some users might want to be in the group without either kerberos or ssh.

Additionally the user needs to be added to the "wmf" LDAP group. Make sure to add them (if you are an SRE) or mention it on the ticket (if you are the requestor).

analytics-privatedata-users (no kerberos)

Grants access to the analytics clients, GPUs and to MariaDB replicas (using the credentials at /etc/mysql/conf.d/analytics-research-client.cnf).

analytics-privatedata-users (with kerberos)
Grants access to all the analytics clients, the analytics cluster (Hadoop/Hive) and the private data hosted there, and to MariaDB replicas, using the credentials at /etc/mysql/conf.d/analytics-research-client.cnf.
Users in this group also need a Kerberos authentication principal. If you're already a group member and don't have one, follow the instructions in the Kerberos user guide. If you're requesting membership in this group, the SRE team will create this for you when they add you to the group.

analytics-admins

This and similar groups (like statistics-admins, eventlogging-admins, and statistics-web-users) are for people doing system maintenance and administration, generally as part of a WMF engineering team. The analytics-admins group, for example, is for people working on the Data Engineering team or collaborating with Data Engineering through a value stream. The list of users currently in each group is available in this configuration file.

Team specific (they do not grant access to PII data on Hadoop, for that see analytics-privatedata-users)

analytics-wmde-users
For Wikimedia Deutschland employees, mostly used for crons running automation jobs as the analytics-wmde system user. Grants access to all stat100x hosts, to the MariaDB replicas via /etc/mysql/conf.d/research-wmde-client.cnf and to the analytics-wmde system user. It is not required that every WMDE user is placed into this group, only those who needs to take care of the aforementioned automation will require access (so they'll ask it explicitly).
analytics-search-users
For members of the Wikimedia Foundation Search Platform team , used for various Analytics-Search jobs). Grants access to all stat100x hosts, an-airflow1001 and to the analytics-search system user.
analytics-product-users
For members of the Product Analytics team, used for various analytics jobs. Grants access to all stat100x hosts, and to the analytics-product system user.
analytics-research-users
For members of the Research team, used for various jobs. Grants access to all stat100x hosts, an Airflow instance, and to the analytics-research system user.
analytics-platform-eng-users
For members of the Research team, used for various jobs. Grants access to all stat100x hosts, an Airflow instance, and to the analytics-platform-eng system user.

Groups to avoid (deprecated)

researchers
analytics-users

Host access granted

There used to be a lot of differences in what hosts an Analytics POSIX group could have had access to, but now there is none anymore.

Data access granted

Access Groups Hadoop access

(No private data)

Hadoop access

(Private data)

Mariadb credentials System user Other
analytics-privatedata-users yes yes analytics-research-client.cnf analytics-privatedata
analytics-wmde-users research-wmde-client.cnf (only on stat1007) analytics-wmde
analytics-search-users Airflow admin
analytics-product-users analytics-product

Shell access expiration

Data access is given to collaborators and contractors with a time limit. Normally the end date is set to be the contract or collaboration end date. For staff data access terminates upon employment termination unless there is a collaboration in place.

Once a user is terminated their home directory is deleted, if the team wishes to preserve some of the user work (work, not data as data as strict guidelines for deletion) it can be done via archiving that work to hadoop. Please file a phab ticket to have this done. Archival to hadoop would happen in the following directory:

/wmf/data/archive/user/<username>

LDAP access

Some Analytics systems, including Superset, Turnilo, and Jupyter, require a developer account in the wmf or nda LDAP groups for access.

If you need this access, first make sure you have a working developer account (if you can log into this wiki, you have one). If you need one, you can create one at mw:Developer_account.

Note that a developer account comes with two different usernames; some services need one and some services need the other. You can find both by logging into this wiki and visiting the "user profile" section of Special:Preferences. Your Wikitech username is listed under "Username", while your developer shell username is listed under "Instance shell account name". Thankfully, there's only one password!

Then, create a Phabricator task: Read and follow the instructions for LDAP-access-requests to request getting added to the appropriate group. Make sure you include both your usernames.

Note that this access has similar requirements to shell access: you will need to either be a Wikimedia Foundation employee or have a signed volunteer NDA.

Accounts and passwords explained: LDAP/Wikitech/MW Developer vs shell/ssh/posix vs Kerberos

There are too many different accounts and passwords one has to deal with in order to access analytics systems. For now it's what we've got. Let's try to explain them all explicitly.


tl;dr

  • LDAP AKA Wikitech AKA Mediawiki Developer accounts are the same. There are 2 usernames for this account, but only one password.
  • POSIX AKA shell AKA ssh accounts are the same. The username is the same as your 'shell username' for your LDAP account. There is no password, only an ssh key pair.
  • Kerberos uses your shell username and a separate Kerberos account password, and grants you access to distributed systems like Hadoop.

LDAP

LDAP is used mostly for web logins. An LDAP account has 2 usernames, the 'Wikitech' username and the shell username, as described above. The password for these is the same. Since LDAP account creation is handled by Mediawiki and also allows you to log into Wikitech (this wiki), LDAP accounts are sometimes referred to as your 'Wikitech' account or your 'Mediawiki developer account'. These terms all mean the same thing.

Analytics web UIs (like Jupyter, Turnilo, Superset, etc.) require that you have an LDAP account in specific groups. Membership in these groups authorize access.

POSIX

To log into a production server, you need an explicit POSIX shell account created for you. This is handled by SRE. POSIX user accounts are often also referred to as your shell or ssh account, as ssh allows you to remote login and get a shell (terminal) on a production server. At WMF, POSIX user accounts do not use passwords. Instead, you login via ssh using an ssh key pair.

Access to specific production servers is managed by membership of your POSIX account in specific groups, e.g. analytics-privatedata-users.

Kerberos

Kerberos is only needed when using a distributed system like Hadoop. You can ssh into a single production server with your POSIX account, but other production servers that you are not directly logged into have no way of knowing you are authorized to access them. Kerberos solves this problem. After logging into a server with ssh, you authenticate to Kerberos with kinit and your Kerberos password (this is a totally different password than your LDAP one). Then, when using a distributed system, other servers can interact with Kerberos to determine if your access should be authorized.

Infrastructure

Analytics clients

The analytics clients are servers in the production cluster where you can run your code and queries. In fact, you should use them to run all your analysis, so that sensitive data never leaves the production cluster.

They have a number of useful capabilities, from large amounts of memory to Jupyter notebooks.

MariaDB

The Analytics MariaDB cluster contains copies of the production MediaWiki databases (both actively-used mainstream projects and small internal-facing wikis, like various projects' Arbitration Committees).

Data Lake

We store large amounts of data in analysis-friendly formats in the Data Lake.

Scripting access

If you're writing some analysis code, you will probably need to access data first. There are a couple of software packages that have been developed to make this easy. Note that both of them are designed to work on the analytics clients only.

For Python, there is wmfdata. It can access data through MariaDB, Hive, Presto, and Spark and has a number of other useful functions, like creating custom Spark sessions.

For R, there is wmf. It can access data from MariaDB and Hive and has many other useful functions, particularly for graphing and statistics.

Data sources

Data sets and data streams can be found in Category:Data_stream

Data Dashboards. Superset and Turnilo

Superset: http://superset.wikimedia.org Turnilo: http://turnilo.wikimedia.org

You need a wikitech login that is in the "wmf" or "nda" LDAP groups. If you don't have it, please create a Phabricator task by following instructions on phab:tag/ldap-access-requests/.

Before requesting access, please make sure you:

Depending on the above, you can request to be added to the wmf group or the nda group. Please indicate the motivation on the task about why you need access and ping the analytics team if you don't hear any feedback soon from the Opsen on duty.

MediaWiki application data

You can do a lot of work with the data stored by MediaWiki in the normal course of running itself. This includes data about:

  • Users' edit counts (consult the user table)
  • Edits to a particular page (consult the revision table, joined with the page table if necessary)
  • Account creations (consult the logging table)

Databases

You can access this data using the replica MariaDB databases. These are accessible from the stat100* machines via analytics-mysql <wiki-id>. For more details see here.

For an overview of how the data is laid out in those databases, consult the database layout manual.

There are a few things that aren't available from the databases replicas. The main example of this is the actual content of pages and revisions. Instead, you can access them through the API or in the XML dumps, which are both described below.

API

A subset of this application data, which doesn't present privacy concerns, is also publicly accessible through the API (except for private wikis, which you shouldn't really need to perform research on anyway!). A good way to understand it, and to test queries, is Special:ApiSandbox, which provides a way of easily constructing API calls and testing them. The output includes "Request URL" - a direct URL for making that query in the future, that should work on any and all Wikimedia production wikis.

If you're interested in common API tasks, and don't feel like reinventing the wheel, there are a number of Python-based API wrappers and MediaWiki utilities. Our very own Aaron Halfaker maintains MediaWiki Utilities, which includes a module dedicated to API interactions. There's no equivalent for R yet.

Database dumps

Every month, XML snapshots of the databases are generated. Since they're generated monthly, they're always slightly outdated, but make up for it by being incredibly cohesive (and incredibly large). They contain both the text of each revision of each page, and snapshots of the database tables. As such, they're a really good way of getting large amounts of diffs or information on revisions without running into the query limits on the API.

Aaron's MediaWiki-utilities package contains a set of functions for handling and parsing through the XML dumps, which should drastically simplify dealing with them. They're also stored internally, as well as through dumps.wikimedia.org, and can be found in /mnt/data/xmldatadumps/public on stat1004, stat1005, stat1006, stat1007, and stat1008.

EventLogging data

One analytics-specific source of data is EventLogging. This allows us to track things we're interested in as researchers that MediaWiki doesn't normally log. Examples include:

  1. A log of changes to user preferences;
  2. A/B testing data;
  3. Clicktracking data.

These datasets are stored in the event and event_sanitized Hive databases, subject to HDFS access control.

Pageviews data

An important piece of community-facing data is information on our pageviews; what articles are being read, and how much? This is currently stored in our Hadoop cluster, which contains aggregated pageview data as well as the mostly-raw database of web requests. See the detailed documentation here.

Turnilo

Analytics/Systems/Turnilo-Pivot#Access

Geolocation data

When you have IP addresses - be they from the RequestLogs, EventLogging or MediaWiki itself - you can do geolocation. This can be a very useful way of understanding user behaviour and evaluating how our ecosystem works. We currently use the MaxMind geolocation services, which are accessible on stat boxes: a full guide to geolocation and some examples of how to do it can be found on the 'geolocation' page.

Notes