Page MenuHomePhabricator
Create Task
Maniphest T189531

All Wikimedia developer services should use single sign-on
Open, HighPublic
Actions

Description

Wikimedia developer services here refers to things like Phabricator, Gerrit, Kibana, Grafana, Wikitech/Horizon etc.

Most of these currently use LDAP to share credentials, but that's not true single sign-on, authentication still happens locally. That's bad for usability (people have to type in passwords all the time) and bad for security (if any one of these services gets compromised, the attacker can harvest the credentials for all the others). It also prevents the use of shared credentials in less secure environments (such as the beta cluster), resulting in awkward workarounds.

There should be an easy way (probably some kind of Apache config that can be enabled by applying a puppet role) to put a website behind single sign-on and limit it to certain user groups.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 StalledNoneT147864 Support OAuth for login onto gerrit.wikimedia.org
 OpenNoneT363125 sustainability of wikitech.wikimedia.org
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpentaaviT161553 Remove OpenStackManager from Wikitech
 ResolvedAndrewT150091 Support project creation without OpenStackManager
 ResolvedAndrewT159021 Wikitech error when adding users to projects
 ResolvedAndrewT162097 Create a Horizon panel for managing per-project sudo policies
 ResolvedAndrewT194191 Allow projectadmins to change project roles in Horizon
 ResolvedMarcoAurelioT194670 Copy maintenance/attachLdapUser.php to another extension
 ResolvedAndrewT194794 Add new users to Bastion group whenever they join a project
 ResolvedtaaviT196171 Developer account creation without OpenStackManager
 DeclinedNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 DuplicateNoneT189639 Separate LDAP account creation bits from Striker to create a new identity management platform
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT319407 IDM milestone 1 "Initial development work"
 ResolvedNoneT319409 Pick a name for the IDM
 ResolvedSLyngshede-WMFT319410 Initial Django project setup
 ResolvedSLyngshede-WMFT319415 Evaluate Striker codebase
 ResolvedMarosteguiT320426 Figure out where/how to store IDM internal data
 ResolvedSLyngshede-WMFT320427 Design and implement async LDAP operations
 ResolvedSLyngshede-WMFT320428 Initial IDM puppetisation
 ResolvedSLyngshede-WMFT320430 Create an initial IDM/LDAP image for tests and CI
 ResolvedSLyngshede-WMFT320431 IDM: Central logging on all changes
 ResolvedSLyngshede-WMFT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320604 Decide on model for serving idm.wikimedia.org
 ResolvedNoneT320605 Figure out an HA setup for the IDM
 ResolvedSLyngshede-WMFT320794 Extend LDAP to allow storing all necessary attributes
 ResolvedSLyngshede-WMFT320795 Implement a staging setup for the IDM
 ResolvedSLyngshede-WMFT320797 Initial production deployment of the IDM
 ResolvedSLyngshede-WMFT320799 IDM integration into CAS SSO
 ResolvedSLyngshede-WMFT320807 Implement OAuth account validation for linking an account to a wiki account
 ResolvedSLyngshede-WMFT320808 Implement email address validation workflow
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpentaaviT359428 Striker should use ID instead of username to identify SUL accounts
 ResolvedSLyngshede-WMFT335091 Determine which sender address to use for email notification
 ResolvedSLyngshede-WMFT340721 Build Debian packages for Bookworm
 ResolvedSLyngshede-WMFT340722 Update IDM servers to Bookworm
 OpenSLyngshede-WMFT320801 Build-out for self service
 ResolvedSLyngshede-WMFT320802 Create a mockup and involve designers
 ResolvedBUG REPORTSLyngshede-WMFT338824 Bitu is not responsive
 InvalidNoneT320805 Define the core attribute list managed in the IDM with all stakeholders
 ResolvedSLyngshede-WMFT320806 Consider reusing some wiki data sources for signup/restrictions
 ResolvedSLyngshede-WMFT320809 Figure out a captcha option for IDM
 OpenNoneT335478 Automatic detection of inactive LDAP account
 OpenNoneT335485 Automatically deploy documentation to docs.wikimedia.org
 ResolvedSLyngshede-WMFT340636 Implement "Forgot my username" feature
 ResolvedSLyngshede-WMFT340637 Implement "update email" functionality
 OpenSLyngshede-WMFT340717 Implement "source" field on user objects
 OpenSLyngshede-WMFT345168 Live validation of usernames
 ResolvedSLyngshede-WMFT345226 Switch developer account creation to Bitu
 OpenSLyngshede-WMFT347572 SSH Key type expiry
 OpentaaviT338477 `Nova Resource:` namespace should be declared in wmf-config, not in Extension:OpenStackManager
 OpentaaviT359544 Disable SSH key management on Wikitech
 ResolvedFeatureSLyngshede-WMFT359543 Allow enabling a key directly when adding it
 ResolvedBUG REPORTSLyngshede-WMFT360634 Bitu not importing key changes directly in LDAP
 Resolvedbd808T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
 ResolvedyuvipandaT103995 Build a simple tool to query which instances have which roles / puppet variables
 Resolvedbd808T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
 Resolvedbd808T162508 Implement Tool Labs membership application and processing in Striker
 Resolvedbd808T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
 OpenSLyngshede-WMFT163478 Allow viewing/searching LDAP account creations including date
 ResolvedNoneT153821 wikitech.wikimedia.org missing from pageviews API
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 ResolvedMarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
ResolvedMarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 Resolved BstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenjijikiT292707 Migrate Wikitech to Kubernetes
 OpenNoneT359551 Replace wikitech as source of two-factor auth protection for developer accounts
 OpenFeatureNoneT359554 Use IDP for authentication in Striker
 StalledFeatureNoneT359590 Use IDP for authentication in Horizon
 OpenFeatureSLyngshede-WMFT359552 Enable self-service IDP two-factor authentication management
 OpenNoneT359820 Add developer account (un)blocking support to Bitu
 OpenAndrewT360795 Set up a bitu instance for codfw1dev
 OpenSLyngshede-WMFT362128 Site: 1 VM for codfw1dev bitu deployment
 ResolvedABran-WMFT362619 Database request for Bitu Cloud DEV installation
 ResolvedtaaviT360883 Disable email address changes in Wikitech
 OpenNoneT364605 Move Striker to Bitu username validation API
 OpenSLyngshede-WMFT362318 Add Bitu container to Striker development environment

Event Timeline

Tgr created this task.Mar 12 2018, 9:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2018, 9:50 PM
MarcoAurelio subscribed.Mar 12 2018, 10:11 PM
Tgr added a comment.Mar 12 2018, 10:13 PM

One option would be to use Wikimedia SUL via mod_authnz_fcgi and a custom authentication client frontend (probably based on oauthclient-php). That would require T148048: Store Wikimedia unified account name (SUL) in LDAP directory, and the auth frontend doing an LDAP group lookup or providing it some way to fetch those groups via the OAuth identify request.

Tgr mentioned this in T161859: Make Wikitech an SUL wiki.Mar 12 2018, 10:13 PM
Tgr added a subtask: T161859: Make Wikitech an SUL wiki.
Tgr added a subtask: T147864: Support OAuth for login onto gerrit.wikimedia.org.
Tgr added a subtask: T97133: Login integration for Sentry.
Krenair subscribed.Mar 12 2018, 10:16 PM
Paladox subscribed.Mar 12 2018, 10:26 PM
TerraCodes subscribed.Mar 13 2018, 5:32 AM
nshahquinn subscribed.Mar 13 2018, 7:56 AM
Jdforrester-WMF awarded a token.Mar 21 2018, 9:20 PM
Jdforrester-WMF subscribed.
Tgr added a project: Wikimedia-Hackathon-2018.May 10 2018, 3:41 PM
Tgr moved this task from Backlog to Project on the Wikimedia-Hackathon-2018 board.
Tgr added a project: User-Tgr.
Liuxinyu970226 awarded a token.Jun 2 2018, 2:15 PM
Liuxinyu970226 subscribed.
Tgr mentioned this in T170150: Evaluate Grafana's LDAP group options and deprecate grafana-admin if possible.Jun 13 2018, 4:29 PM
1997kB subscribed.Aug 9 2018, 12:47 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
greg subscribed.Oct 10 2018, 3:59 PM
LarsWirzenius subscribed.Oct 12 2018, 12:01 PM
AfroThundr3007730 subscribed.Nov 27 2018, 4:45 AM
Tgr mentioned this in T161473: Stop requiring two-factor authentication for horizon.wikimedia.org.Dec 9 2018, 7:41 PM
Tgr mentioned this in T215046: RfC: Use Github login for mediawiki.org.Feb 17 2019, 3:28 AM
Meno25 subscribed.May 31 2019, 4:31 PM
hashar mentioned this in T198813: Integrate MFA into Gerrit.Jun 3 2019, 9:54 PM
Aklapper removed a project: Security-Other.Nov 27 2019, 1:38 PM
chasemp triaged this task as High priority.Dec 9 2019, 5:06 PM
chasemp added a project: Security-Team.
chasemp added subscribers: MoritzMuehlenhoff, chasemp.

@MoritzMuehlenhoff seems like maybe some merging of this stuff into T233921 and co would make sense?

chasemp moved this task from Incoming to Watching on the Security-Team board.Dec 9 2019, 5:30 PM
greg unsubscribed.Dec 9 2019, 11:27 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
LarsWirzenius unsubscribed.Feb 20 2020, 3:37 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
hashar mentioned this in T207762: Make the new Jenkins login page match the fancy gerrit login page.May 19 2020, 1:28 PM
hashar mentioned this in T198814: Enable MFA on Jenkins.May 19 2020, 1:34 PM
hashar merged a task: T198814: Enable MFA on Jenkins.
hashar added subscribers: Reedy, thcipriani, greg, hashar.
chasemp added a project: CAS-SSO.May 19 2020, 3:47 PM
taavi subscribed.Jun 18 2020, 4:26 PM
zeljkofilipin subscribed.Jun 26 2020, 12:57 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
sbassett removed a project: Security-Team.Feb 16 2022, 8:21 PM
taavi renamed this task from All Wikimedia developer services should use single sign-on to All Wikimedia developer services should use single sign-on.Feb 16 2022, 8:22 PM
hashar unsubscribed.Apr 20 2022, 10:51 AM
joanna_borun removed projects: Infrastructure-Foundations, CAS-SSO.Jul 6 2023, 8:59 AM
joanna_borun subscribed.

After reviewing the task, it appears that no further action is required on our part. Therefore, I am removing the "Infrastructure Foundations" tag.

Aklapper removed a subtask: T97133: Login integration for Sentry.Jul 10 2023, 9:35 AM
SLyngshede-WMF mentioned this in T315867: Identity Management System for Wikimedia developer accounts.Sep 18 2023, 6:42 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL