Support project creation without OpenStackManager
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Andrew
	Nov 5 2016, 4:05 PM

Description

I want to move all of the project-creation things that OSM does into keystone hooks so that proper projects can be created from horizon or the commandline.

Add novaadmin to new project
Add novaobserver to new project
Make projectid == projectname
Add default security group rules
ldap: Create project for sudoers
ldap: Create default initial sudo policies
ldap: Create project group for UIDs
Create wikitech nova_resource page describing new project

While we're at it, here are some other nice things we might do:

create default <project>.wmflabs.org domain

Details

Subject	Repo	Branch	Lines +/-
wmfkeystonehooks: Create project page on wikitech on project creation	operations/puppet	production	+305 -44
Keystonehooks: Create and delete sudoer rules in ldap	operations/puppet	production	+392 -10
Remove code to manage posix project groups.	mediawiki/extensions/OpenStackManager	master	+21 -390
Keystonehooks: Sync ldap project groups with keystone project membership	operations/puppet	production	+220 -8
Keystone hooks: monkeypatch keystone to change project id to project name	operations/puppet	production	+98 -0
Keystone hook: Change project id to == project name	operations/puppet	production	+23 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T189531 All Wikimedia developer services should use single sign-on
Open		None	T363125 sustainability of wikitech.wikimedia.org
Open		None	T161859 Make Wikitech an SUL wiki
Open		SLyngshede-WMF	T163478 Allow viewing/searching LDAP account creations including date
Resolved		None	T153821 wikitech.wikimedia.org missing from pageviews API
Declined		None	T179463 Create a single application to provision and manage developer (LDAP) accounts
Duplicate		None	T189639 Separate LDAP account creation bits from Striker to create a new identity management platform
Open		None	T237773 Move Wikitech onto the production MW cluster
Resolved		Marostegui	T167973 Move database for wikitech (labswiki) to a main cluster section
Resolved		Andrew	T188029 Move labswiki database to m5
Resolved		Marostegui	T282074 Audit labswiki grants
Resolved		Andrew	T282209 Enable connection from labweb1001/labweb1002 to s6
Declined		Andrew	T282573 Move labweb/cloudweb hosts to private IPs
Resolved		Andrew	T284106 Replicate & sanitize wikitech data
Resolved		Andrew	T284108 Bring labswiki database tables up to date
Resolved		Ladsgroup	T269348 wikitech database has almost all of its varbinary fields wrong
Duplicate		None	T284736 Create views on labswiki on clouddb* hosts
Resolved		• Bstorm	T287442 Create views for labswiki (wikitech)
Declined		None	T237889 Install php-ldap on all MW appservers
Resolved		taavi	T237890 Remove and empty useless user groups
Resolved		Jdforrester-WMF	T196466 Remove 'shell user' right on wikitech
Declined		None	T246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
Open		jijiki	T292707 Migrate Wikitech to Kubernetes
Open		None	T359551 Replace wikitech as source of two-factor auth protection for developer accounts
Open	Feature	None	T359554 Use IDP for authentication in Striker
Stalled	Feature	None	T359590 Use IDP for authentication in Horizon
Open	Feature	SLyngshede-WMF	T359552 Enable self-service IDP two-factor authentication management
Open		None	T359820 Add developer account (un)blocking support to Bitu
Open		Andrew	T360795 Set up a bitu instance for codfw1dev
Open		SLyngshede-WMF	T362128 Site: 1 VM for codfw1dev bitu deployment
Resolved		ABran-WMF	T362619 Database request for Bitu Cloud DEV installation
Resolved		taavi	T360883 Disable email address changes in Wikitech
Open		None	T364605 Move Striker to Bitu username validation API
Open		SLyngshede-WMF	T362318 Add Bitu container to Striker development environment
Resolved	PRODUCTION ERROR	Tgr	T195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
Open		None	T106123 Extensions needing to be removed from Wikimedia wikis
Resolved		bd808	T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved		yuvipanda	T103995 Build a simple tool to query which instances have which roles / puppet variables
Resolved		bd808	T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
Resolved		bd808	T162508 Implement Tool Labs membership application and processing in Striker
Resolved		bd808	T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Open		taavi	T161553 Remove OpenStackManager from Wikitech
Resolved		Andrew	T150091 Support project creation without OpenStackManager
Resolved		Andrew	T159021 Wikitech error when adding users to projects
Open		None	T319405 Create an IDM for Wikimedia developer accounts
Resolved		SLyngshede-WMF	T319407 IDM milestone 1 "Initial development work"
Resolved		None	T319409 Pick a name for the IDM
Resolved		SLyngshede-WMF	T319410 Initial Django project setup
Resolved		SLyngshede-WMF	T319415 Evaluate Striker codebase
Resolved		Marostegui	T320426 Figure out where/how to store IDM internal data
Resolved		SLyngshede-WMF	T320427 Design and implement async LDAP operations
Resolved		SLyngshede-WMF	T320428 Initial IDM puppetisation
Resolved		SLyngshede-WMF	T320430 Create an initial IDM/LDAP image for tests and CI
Resolved		SLyngshede-WMF	T320431 IDM: Central logging on all changes
Resolved		SLyngshede-WMF	T320603 IDM milestone 2 "Initial limited deployment"
Resolved		SLyngshede-WMF	T320604 Decide on model for serving idm.wikimedia.org
Resolved		None	T320605 Figure out an HA setup for the IDM
Resolved		SLyngshede-WMF	T320794 Extend LDAP to allow storing all necessary attributes
Resolved		SLyngshede-WMF	T320795 Implement a staging setup for the IDM
Resolved		SLyngshede-WMF	T320797 Initial production deployment of the IDM
Resolved		SLyngshede-WMF	T320799 IDM integration into CAS SSO
Resolved		SLyngshede-WMF	T320807 Implement OAuth account validation for linking an account to a wiki account
Resolved		SLyngshede-WMF	T320808 Implement email address validation workflow
Open		None	T148048 Store Wikimedia unified account name (SUL) in LDAP directory
Open		taavi	T359428 Striker should use ID instead of username to identify SUL accounts
Resolved		SLyngshede-WMF	T335091 Determine which sender address to use for email notification
Resolved		SLyngshede-WMF	T340721 Build Debian packages for Bookworm
Resolved		SLyngshede-WMF	T340722 Update IDM servers to Bookworm
Open		SLyngshede-WMF	T320801 Build-out for self service
Resolved		SLyngshede-WMF	T320802 Create a mockup and involve designers
Resolved	BUG REPORT	SLyngshede-WMF	T338824 Bitu is not responsive
Invalid		None	T320805 Define the core attribute list managed in the IDM with all stakeholders
Resolved		SLyngshede-WMF	T320806 Consider reusing some wiki data sources for signup/restrictions
Resolved		SLyngshede-WMF	T320809 Figure out a captcha option for IDM
Open		None	T335478 Automatic detection of inactive LDAP account
Open		None	T335485 Automatically deploy documentation to docs.wikimedia.org
Resolved		SLyngshede-WMF	T340636 Implement "Forgot my username" feature
Resolved		SLyngshede-WMF	T340637 Implement "update email" functionality
Open		SLyngshede-WMF	T340717 Implement "source" field on user objects
Open		SLyngshede-WMF	T345168 Live validation of usernames
Resolved		SLyngshede-WMF	T345226 Switch developer account creation to Bitu
Open		SLyngshede-WMF	T347572 SSH Key type expiry

Event Timeline

Andrew created this task.Nov 5 2016, 4:05 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2016, 4:05 PM

Paladox subscribed.Nov 5 2016, 4:07 PM

Andrew updated the task description. (Show Details)Nov 10 2016, 7:25 PM

Krenair subscribed.Nov 10 2016, 7:28 PM

Andrew updated the task description. (Show Details)Nov 10 2016, 7:31 PM

Change 323117 had a related patch set uploaded (by Andrew Bogott):
wmfkeystonehooks: Maintain project page on wikitech

https://gerrit.wikimedia.org/r/323117

gerritbot added a project: Patch-For-Review.Nov 23 2016, 3:13 AM

Change 324928 had a related patch set uploaded (by Andrew Bogott):
Keystone hook: Change project id to == project name

https://gerrit.wikimedia.org/r/324928

Change 327664 had a related patch set uploaded (by Andrew Bogott):
Keystone hooks: monkeypatch keystone to change project id to project name

https://gerrit.wikimedia.org/r/327664

Change 324928 abandoned by Andrew Bogott:
Keystone hook: Change project id to == project name

Reason:
Abandoning in favor of https://gerrit.wikimedia.org/r/#/c/327664/

https://gerrit.wikimedia.org/r/324928

Change 327664 merged by Andrew Bogott:
Keystone hooks: monkeypatch keystone to change project id to project name

https://gerrit.wikimedia.org/r/327664

Andrew updated the task description. (Show Details)Dec 16 2016, 4:39 PM

Andrew triaged this task as Medium priority.Dec 20 2016, 3:29 PM

Note that none of the group-management stuff will work properly without the upstream patch https://review.openstack.org/#/c/401332/2

Change 338918 had a related patch set uploaded (by Andrew Bogott):
Keystonehooks: Sync ldap project groups with keystone project membership

https://gerrit.wikimedia.org/r/338918

Change 338918 merged by Andrew Bogott:
Keystonehooks: Sync ldap project groups with keystone project membership

https://gerrit.wikimedia.org/r/338918

Andrew updated the task description. (Show Details)Feb 25 2017, 12:53 AM

Andrew created subtask T159021: Wikitech error when adding users to projects.Feb 25 2017, 12:56 AM

Change 343056 had a related patch set uploaded (by Andrew Bogott):
[mediawiki/extensions/OpenStackManager] Remove code to manage posix project groups.

https://gerrit.wikimedia.org/r/343056

Change 343056 merged by jenkins-bot:
[mediawiki/extensions/OpenStackManager] Remove code to manage posix project groups.

https://gerrit.wikimedia.org/r/343056

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)).Mar 22 2017, 12:00 AM

Andrew added a parent task: T161553: Remove OpenStackManager from Wikitech.Mar 27 2017, 7:09 PM

Change 346489 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] Keystonehooks: Create and delete sudoer rules in ldap

https://gerrit.wikimedia.org/r/346489

Change 346489 merged by Andrew Bogott:
[operations/puppet@production] Keystonehooks: Create and delete sudoer rules in ldap

https://gerrit.wikimedia.org/r/346489

Andrew updated the task description. (Show Details)Apr 5 2017, 5:51 PM

Change 323117 merged by Andrew Bogott:
[operations/puppet@production] wmfkeystonehooks: Create project page on wikitech on project creation

https://gerrit.wikimedia.org/r/323117

Andrew updated the task description. (Show Details)Apr 12 2017, 9:10 PM

Andrew updated the task description. (Show Details)Apr 12 2017, 9:19 PM

Andrew updated the task description. (Show Details)

removed todo about service groups because it turns out to not be needed.

I moved the item about domain creation into T162977; the rest of this is done.

Andrew mentioned this in T159021: Wikitech error when adding users to projects.Apr 19 2017, 6:23 PM