Whitelist TSG for account creation
Closed, Declined (Public)

Description

The Specialists Guild does acceptance tests for the mobile apps, which sometimes involves creating lots of accounts in a short span of time.

Event Timeline

Change 325740 had a related patch set uploaded (by Gergő Tisza):
Whitelist TSG for account creation

https://gerrit.wikimedia.org/r/325740

Added to configuration. T27000: Deploy ThrottleOverride extension to Wikimedia wikis would provide a saner approach but has been stalled for a long time.

What do their account names look like? Why are they creating accounts on production instead of beta?

Which beta? They verify workflows across the beta cluster, beta mobile web, production mobile web, Beta Features, and - granted, the extent of its distinctness is hard to gauge sometimes - production desktop web. Would you please clarify about the account names question?

IIRC iOS does not yet support using the beta cluster. Also, it's pretty common to try reproducing beta behavior on production to see if some bug is caused by a recent change. Also also, authentication is one of the things where beta is not quite on par with production. The domain structure is different, the load is different (we have a convoluted central authentication process involving dozens of redirects which can be sensitive to race conditions). And then there is the whole "beta as staging" vs "beta as pre-deployment sandbox" thing.

Which beta? They verify workflows across the beta cluster, beta mobile web, production mobile web, Beta Features, and - granted, the extent of its distinctness is hard to gauge sometimes - production desktop web.

beta cluster, beta.wmflabs.org, deployment-prep labs project

Would you please clarify about the account names question?

The commit says that this group are WMF contractors, so you'd expect that any accounts they create in production are easily identifiable based on name.

IIRC iOS does not yet support using the beta cluster.

That's probably something that should be fixed in the iOS app then.

Also, it's pretty common to try reproducing beta behavior on production to see if some bug is caused by a recent change.

Okay.

Also also, authentication is one of the things where beta is not quite on par with production. The domain structure is different, the load is different (we have a convoluted central authentication process involving dozens of redirects which can be sensitive to race conditions).

I thought beta has CentralAuth set almost the same way as production?

I thought beta has CentralAuth set almost the same way as production?

Almost, but non-beta-reproducible login bugs still crop up every once in a while. Many of them are related to second-level domain cookies, and the apps have manual cookie handling so I imagine that would be something beta is not super reliable to test for.
(I am not familiar with app testing practices so maybe they have completely different reasons to use production; I just know that I had to use it all the time when testing login/signup issues.)

I thought beta has CentralAuth set almost the same way as production?

Almost, but non-beta-reproducible login bugs still crop up every once in a while. Many of them are related to second-level domain cookies, and the apps have manual cookie handling so I imagine that would be something beta is not super reliable to test for.
(I am not familiar with app testing practices so maybe they have completely different reasons to use production; I just know that I had to use it all the time when testing login/signup issues.)

Ouch, okay. This or your previous comment about reproducing on different versions both sound good enough to me, just need to clear up the username thing.

I've asked TSG for the username prefix they'll plan to use for their account creation type regression testing routines.

Jalexander subscribed.

The prefix will be "tsgqa."

Since they're contractors they would fall under the User Account Policy (officeWiki, apologies to those without access) and so would generally be required to do any paid work under a WMF account. This is one of the reasons we generally try to avoid a lot of test accounts on the main cluster but obviously if there is a good reason then we can work to try and build in a fair exception for them and make sure the community has something public on Meta to explain it (mass creation of test accounts can quickly set off alarm bells for example, as can test edits).

Perhaps it would be good to set up a chat (in the office or by hangout) so we can get on the same page and make sure you have what you need and limit/eliminate any blowback?

Special Handling to Trust-and-Safety for the username issue

It's not reasonable IMO to apply that policy to test accounts which do not edit. About ten thousand new accounts are created every day, and most of them never make a single edit. No one will care if there are a few more. Just make sure the account is named something like Test-TSG-1 so the purpose is clear. We are not talking about hundreds of bot-created accounts here, just a manual tester going through the account creation process.

(Test edits are a different matter, but those can be done from a permanent account.)

Just an update that I'm trying to get a meeting set up with TSG and James to cover naming conventions.

Change 325740 abandoned by Gergő Tisza:
Whitelist TSG for account creation

Reason:
There doesn't seem to be an interest in this anymore.

https://gerrit.wikimedia.org/r/325740

Just an update that I'm trying to get a meeting set up with TSG and James to cover naming conventions.

Did this happen? :) Is there an update on this task?

It stalled out. @Tgr can this be closed?

Sure. Feel free to reopen if it is decided to be necessary after all.