Page MenuHomePhabricator
Create Task
Maniphest T148048

Store Wikimedia unified account name (SUL) in LDAP directory
Open, MediumPublic
Actions

Description

The mapping between an LDAP account and an SUL account is currently stored in Striker's local mysql database as part of the labsauth_labsuser table. This is convenient for Striker, but not convenient for other LDAP consumers who may want to use the same data.

The WMF corp LDAP schema was recently extended to support a wikimediaPerson object class (rOPUP6386a7a, rOPUP2ce2697). Something similar could be done for the labs/prod LDAP servers to give us a class and attribute for storing the SUL account. Striker would then be updated to add the new object class and attribute to an LDAP account when linking accounts.

Details

SubjectRepoBranchLines +/-
[WIP] Store SUL information in LDAPlabs/strikermaster+117 -3
P:openldap Extend wmf-user schema with global account.operations/puppetproduction+11 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 StalledNoneT147864 Support OAuth for login onto gerrit.wikimedia.org
 OpenNoneT363125 sustainability of wikitech.wikimedia.org
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpentaaviT161553 Remove OpenStackManager from Wikitech
 ResolvedAndrewT150091 Support project creation without OpenStackManager
 ResolvedAndrewT159021 Wikitech error when adding users to projects
 ResolvedAndrewT162097 Create a Horizon panel for managing per-project sudo policies
 ResolvedAndrewT194191 Allow projectadmins to change project roles in Horizon
 ResolvedMarcoAurelioT194670 Copy maintenance/attachLdapUser.php to another extension
 ResolvedAndrewT194794 Add new users to Bastion group whenever they join a project
 ResolvedtaaviT196171 Developer account creation without OpenStackManager
 DeclinedNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 DuplicateNoneT189639 Separate LDAP account creation bits from Striker to create a new identity management platform
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT320603 IDM milestone 2 "Initial limited deployment"
 OpentaaviT338477 `Nova Resource:` namespace should be declared in wmf-config, not in Extension:OpenStackManager
 OpentaaviT359544 Disable SSH key management on Wikitech
 ResolvedFeatureSLyngshede-WMFT359543 Allow enabling a key directly when adding it
 ResolvedBUG REPORTSLyngshede-WMFT360634 Bitu not importing key changes directly in LDAP
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 ResolvedMarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
ResolvedMarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 Resolved BstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenjijikiT292707 Migrate Wikitech to Kubernetes
 OpenNoneT359551 Replace wikitech as source of two-factor auth protection for developer accounts
 OpenFeatureNoneT359554 Use IDP for authentication in Striker
 StalledFeatureNoneT359590 Use IDP for authentication in Horizon
 OpenFeatureSLyngshede-WMFT359552 Enable self-service IDP two-factor authentication management
 OpenNoneT142815 Enhance account handling (meta bug)
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpentaaviT359428 Striker should use ID instead of username to identify SUL accounts

Event Timeline

bd808 created this task.Oct 13 2016, 4:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 13 2016, 4:06 PM
MoritzMuehlenhoff added a project: SRE.Oct 13 2016, 4:13 PM
MoritzMuehlenhoff subscribed.
bd808 triaged this task as Medium priority.Oct 14 2016, 10:42 PM
MoritzMuehlenhoff added a comment.Oct 17 2016, 7:14 AM

I think we should use the same wmf-user.schema file across the labs and corp servers, but introduce a separate object class for storing the SUL mapping. This allows us to extend staff-specific attributes independantly and it the corp LDAP needs the SUL mapping at some point we can add the new object class to corp user accounts.

AlexMonk-WMF added a parent task: T142815: Enhance account handling (meta bug).Dec 10 2016, 2:25 PM
MoritzMuehlenhoff mentioned this in T142830: Require/track Phabricator username.Mar 10 2017, 9:59 AM
bd808 mentioned this in T113792: Change LDAP cn to something more useful (was Rename "Dzahn" to "Daniel Zahn" in Gerrit).Apr 14 2017, 9:15 PM
bd808 added subscribers: Volans, faidon.Jun 11 2017, 3:23 AM

@faidon, @Volans, and I talked about this at the Vienna hackathon. Moving this data from Striker's local DB to LDAP would be a useful step in an as yet undocumented project to create an LDAP management portal to replace the current mix of wikitech, Striker, and cli tools used by SRE.

bd808 added a parent task: T161859: Make Wikitech an SUL wiki.Jun 20 2017, 10:21 PM
Tgr mentioned this in T147864: Support OAuth for login onto gerrit.wikimedia.org.Feb 6 2018, 11:46 PM
Tgr mentioned this in T189531: All Wikimedia developer services should use single sign-on.Mar 12 2018, 10:13 PM
bd808 added a subscriber: colewhite.Aug 31 2018, 12:21 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:51 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.Mar 24 2019, 12:10 PM
bd808 removed a project: cloud-services-team (Kanban).Jul 9 2019, 9:32 PM
Aklapper added a parent task: T147864: Support OAuth for login onto gerrit.wikimedia.org.May 22 2020, 4:09 PM
taavi subscribed.Jul 6 2020, 5:29 AM
bd808 mentioned this in T320794: Extend LDAP to allow storing all necessary attributes.Dec 14 2022, 10:15 PM
akosiaris changed the task status from Open to Stalled.Dec 15 2022, 10:13 AM
akosiaris subscribed.

This is open since 2016 with minimal updates, probably inaccurate now (as far as I know the corp LDAP doesn't exist now) and it is unclear, at least to me, what work can be done and by who. Thus, I am setting it as Stalled, feel free to reopen

MoritzMuehlenhoff added a comment.Dec 15 2022, 10:20 AM
In T148048#8470183, @akosiaris wrote:

This is open since 2016 with minimal updates, probably inaccurate now (as far as I know the corp LDAP doesn't exist now) and it is unclear, at least to me, what work can be done and by who. Thus, I am setting it as Stalled, feel free to reopen

We'll actually work on this as part of the Bitu IDM work, either next Q or the subsequent one, depending on progress and forthcoming quarterly planning! I'm adding it as a sub task of the IDM roadmap to keep track.

MoritzMuehlenhoff added a parent task: T320603: IDM milestone 2 "Initial limited deployment".Dec 15 2022, 10:21 AM
akosiaris edited projects, added Infrastructure-Foundations; removed SRE.Dec 15 2022, 10:51 AM

Ah, that's awesome. Thanks!

gerritbot added a comment.Feb 6 2023, 8:13 AM

Change 886799 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:openldap Extend wmf-user schema with SUL account.

https://gerrit.wikimedia.org/r/886799

gerritbot added a project: Patch-For-Review.Feb 6 2023, 8:13 AM
SLyngshede-WMF changed the task status from Stalled to In Progress.Feb 6 2023, 8:24 AM
SLyngshede-WMF claimed this task.
Stashbot added a comment.Apr 24 2023, 9:55 AM

Mentioned in SAL (#wikimedia-operations) [2023-04-24T09:55:51Z] <slyngs> Update LDAP schema wmf-user: T148048

gerritbot added a comment.Apr 24 2023, 9:57 AM

Change 886799 merged by Slyngshede:

[operations/puppet@production] P:openldap Extend wmf-user schema with global account.

https://gerrit.wikimedia.org/r/886799

Maintenance_bot removed a project: Patch-For-Review.Apr 24 2023, 10:12 AM
bd808 added a comment.Apr 24 2023, 4:27 PM

SLyngshede-WMF claimed this task.

@SLyngshede-WMF Are you expecting to update Striker to add objectClass: wikimediaPerson and set the wikimediaGlobalAccountId and wikimediaGlobalAccountName attributes on accounts it creates/updates?

SLyngshede-WMF added a comment.Apr 24 2023, 4:33 PM

@bd808 Wasn't expecting to, but I can do it :-)

bd808 added a comment.Apr 24 2023, 5:05 PM
In T148048#8802325, @SLyngshede-WMF wrote:

@bd808 Wasn't expecting to, but I can do it :-)

I was mostly asking because of your claiming of this task. It will need doing at some point and this task was the tracking task for that need. The task decomposition probably could have been cleaner so that we had a task about the LDAP schema change and then a dependent ("parent" in Phabricator terms) task to track implementing the data storage changes in Striker to use the new schema.

Either way I will try to do a bit of analysis of at least the starting changes that will be needed on the Striker side to take advantage of the LDAP schema you have designed.

bd808 added a comment.Apr 24 2023, 5:26 PM

I think that broadly the changes needed for Striker now that the new LDAP schema has landed will be:

  • Add the wmf-user schema to the LDAP service in Striker's development environment
  • Update striker.labsauth.models.LabsUser to track the user's numeric SUL/Central Auth id as a new sulid field.
  • Update the Wikimedia OAuth connection process to collect the user's numeric SUL/Central Auth id.
  • Figure out a process to backfill the new LabsUser sulid field for existing users with a sulname value set. (This should be possible via the stored Wikimedia OAuth credentials for these users.)
  • Update striker.labsauth.models.LdapUser to include the wikimediaPerson objectClass.
    • NOTE: I can't remember if the declared object_classes are used as part of lookup queries or not. If they are, we will likely have to script a data migration to add the wikimediaPerson objectClass to all existing Developer accounts to keep everything working as expected.
  • Update striker.labsauth.models.LdapUser to include the new wikimediaGlobalAccountId and wikimediaGlobalAccountName attributes.
  • Update striker.labsauth.views.oauth_callback to set the wikimediaGlobalAccountId and wikimediaGlobalAccountName attributes on both the LabsUser and LdapUser models when an authenticated user is found.
  • Update striker.labsauth.utils.add_ldap_user to set the wikimediaGlobalAccountId and wikimediaGlobalAccountName attributes when creating a new LdapUser.
  • Figure out a process to backfill the new LdapUser wikimediaGlobalAccountId and wikimediaGlobalAccountName attributes for existing LabsUser records with sulname and sulid data.
bd808 added a comment.Jan 10 2024, 2:09 PM

I have local draft changes which confirm that a migration is needed to add an objectClass: wikimediaPerson attribute to each existing Developer account under the plan outlined in T148048#8802511.

SLyngshede-WMF closed this task as Resolved.Jan 29 2024, 3:40 PM
bd808 reopened this task as Open.Feb 1 2024, 1:30 AM

Reopened because Striker needs to be made to work with the new schema and storage.

bd808 claimed this task.Feb 1 2024, 9:15 PM
bd808 added a subscriber: SLyngshede-WMF.

Claiming for the needed changes to Striker described in T148048#8802511

Restricted Application added a project: User-bd808. · View Herald TranscriptFeb 1 2024, 9:15 PM
bd808 added a comment.Mar 6 2024, 5:35 PM
[15:58]  <    taavi> bd808: is the striker work for T148048 still something you plan to do soon or can I take over?
[15:58]  < stashbot> T148048: Store Wikimedia unified account name (SUL) in LDAP directory - https://phabricator.wikimedia.org/T148048

[16:43]  <    bd808> taavi: I have a patch, but it is busted. I could get it up in gerrit for you to look at and take over or rewrite from scratch if you've got big Striker energy (which seems to be the cool case right now)
[16:44]  <    bd808> The bustedness is that the way I have coded it the LDAP directory needs a migration to add a new objectClass to all of the Developer accounts. Specifically the objectClass that holds the new attribute.
gerritbot added a comment.Mar 6 2024, 7:38 PM

Change 1009321 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[labs/striker@master] [WIP] Store SUL information in LDAP

https://gerrit.wikimedia.org/r/1009321

gerritbot added a project: Patch-For-Review.Mar 6 2024, 7:38 PM
bd808 removed bd808 as the assignee of this task.Mar 22 2024, 5:32 PM
bd808 mentioned this in T364516: Look for ways to consolidate "we trust this human" access lists.Wed, May 8, 9:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL