Maniphest T320795

Implement a staging setup for the IDM
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	MoritzMuehlenhoff
	Oct 14 2022, 12:08 PM

Description

An IDM is the kind of setup we cannot easily test in Cloud VPS since some of the workflows are tied to other production setups. We can however mimic setups which face the same issues, namely the IDPs and Netbox, which both have staging host(s) within production.

We could have an additional DNS name idm-next.w.o which points to an additional VM running the same Puppet setup (and the same deb), e.g. running on idm-test1001.wikimedia.org. This would allow us to:

Deploy a more recent version of the deb first on the idm-next instance
Apply idm-test-specific Hiera settings first to the test instance (which would e.g. enable a new module/feature which isn’t live for the main test instance)

To prevent users from accidentally using the -next version we could implement a filter which e.g. validates that the user logging in is part of the cn=ops or cn=idm-testers LDAP groups.

Details

	Subject	Repo	Branch	Lines +/-
	C:idm::deployment Add missing package	operations/puppet	production	+2 -2
	role:IDM assign IDM role to test VM.	operations/puppet	production	+24 -14

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T189531 All Wikimedia developer services should use single sign-on
Open		None	T363125 sustainability of wikitech.wikimedia.org
Open		None	T161859 Make Wikitech an SUL wiki
Open		SLyngshede-WMF	T163478 Allow viewing/searching LDAP account creations including date
Resolved		None	T153821 wikitech.wikimedia.org missing from pageviews API
Open		None	T237773 Move Wikitech onto the production MW cluster
Resolved		Marostegui	T167973 Move database for wikitech (labswiki) to a main cluster section
Resolved		Andrew	T188029 Move labswiki database to m5
Resolved		Marostegui	T282074 Audit labswiki grants
Resolved		Andrew	T282209 Enable connection from labweb1001/labweb1002 to s6
Declined		Andrew	T282573 Move labweb/cloudweb hosts to private IPs
Resolved		Andrew	T284106 Replicate & sanitize wikitech data
Resolved		Andrew	T284108 Bring labswiki database tables up to date
Resolved		Ladsgroup	T269348 wikitech database has almost all of its varbinary fields wrong
Duplicate		None	T284736 Create views on labswiki on clouddb* hosts
Resolved		• Bstorm	T287442 Create views for labswiki (wikitech)
Declined		None	T237889 Install php-ldap on all MW appservers
Resolved		• taavi	T237890 Remove and empty useless user groups
Resolved		Jdforrester-WMF	T196466 Remove 'shell user' right on wikitech
Declined		None	T246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
Open		jijiki	T292707 Migrate Wikitech to Kubernetes
Open		None	T359551 Replace wikitech as source of two-factor auth protection for developer accounts
Open	Feature	None	T359554 Use IDP for authentication in Striker
Stalled	Feature	None	T359590 Use IDP for authentication in Horizon
Open	Feature	SLyngshede-WMF	T359552 Enable self-service IDP two-factor authentication management
Open		None	T359820 Add developer account (un)blocking support to Bitu
Open		Andrew	T360795 Set up a bitu instance for codfw1dev
Open		SLyngshede-WMF	T362128 Site: 1 VM for codfw1dev bitu deployment
Resolved		ABran-WMF	T362619 Database request for Bitu Cloud DEV installation
Resolved		• taavi	T360883 Disable email address changes in Wikitech
Open		None	T364605 Move Striker to Bitu username validation API
In Progress		SLyngshede-WMF	T362318 Add Bitu container to Striker development environment
Resolved	PRODUCTION ERROR	Tgr	T195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
Open		None	T106123 Extensions needing to be removed from Wikimedia wikis
Resolved		bd808	T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved		yuvipanda	T103995 Build a simple tool to query which instances have which roles / puppet variables
Resolved		bd808	T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
Resolved		bd808	T162508 Implement Tool Labs membership application and processing in Striker
Resolved		bd808	T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Open		• taavi	T161553 Remove OpenStackManager from Wikitech
Resolved		• taavi	T196171 Developer account creation without OpenStackManager
Declined		None	T179463 Create a single application to provision and manage developer (LDAP) accounts
Open		None	T319405 Create an IDM for Wikimedia developer accounts
Resolved		SLyngshede-WMF	T320603 IDM milestone 2 "Initial limited deployment"
Resolved		SLyngshede-WMF	T320795 Implement a staging setup for the IDM
Open		None	T148048 Store Wikimedia unified account name (SUL) in LDAP directory
Open		• taavi	T359428 Striker should use ID instead of username to identify SUL accounts