⚓ T161859 Make Wikitech an SUL wiki

Status	Subtype	Assigned	Task
Open		None	T189531 All Wikimedia developer services should use single sign-on
Open		None	T363125 sustainability of wikitech.wikimedia.org
Open		None	T161859 Make Wikitech an SUL wiki
Open		• taavi	T161553 Remove OpenStackManager from Wikitech
Resolved		Andrew	T150091 Support project creation without OpenStackManager
Resolved		Andrew	T159021 Wikitech error when adding users to projects
Resolved		Andrew	T162097 Create a Horizon panel for managing per-project sudo policies
Resolved		Andrew	T194191 Allow projectadmins to change project roles in Horizon
Resolved		MarcoAurelio	T194670 Copy maintenance/attachLdapUser.php to another extension
Resolved		Andrew	T194794 Add new users to Bastion group whenever they join a project
Resolved		• taavi	T196171 Developer account creation without OpenStackManager
Declined		None	T179463 Create a single application to provision and manage developer (LDAP) accounts
Duplicate		None	T189639 Separate LDAP account creation bits from Striker to create a new identity management platform
Open		None	T319405 Create an IDM for Wikimedia developer accounts
Resolved		SLyngshede-WMF	T319407 IDM milestone 1 "Initial development work"
Resolved		None	T319409 Pick a name for the IDM
Resolved		SLyngshede-WMF	T319410 Initial Django project setup
Resolved		SLyngshede-WMF	T319415 Evaluate Striker codebase
Resolved		Marostegui	T320426 Figure out where/how to store IDM internal data
Resolved		SLyngshede-WMF	T320427 Design and implement async LDAP operations
Resolved		SLyngshede-WMF	T320428 Initial IDM puppetisation
Resolved		SLyngshede-WMF	T320430 Create an initial IDM/LDAP image for tests and CI
Resolved		SLyngshede-WMF	T320431 IDM: Central logging on all changes
Resolved		SLyngshede-WMF	T320603 IDM milestone 2 "Initial limited deployment"
Resolved		SLyngshede-WMF	T320604 Decide on model for serving idm.wikimedia.org
Resolved		None	T320605 Figure out an HA setup for the IDM
Resolved		SLyngshede-WMF	T320794 Extend LDAP to allow storing all necessary attributes
Resolved		SLyngshede-WMF	T320795 Implement a staging setup for the IDM
Resolved		SLyngshede-WMF	T320797 Initial production deployment of the IDM
Resolved		SLyngshede-WMF	T320799 IDM integration into CAS SSO
Resolved		SLyngshede-WMF	T320807 Implement OAuth account validation for linking an account to a wiki account
Resolved		SLyngshede-WMF	T320808 Implement email address validation workflow
Open		None	T148048 Store Wikimedia unified account name (SUL) in LDAP directory
Open		• taavi	T359428 Striker should use ID instead of username to identify SUL accounts
Resolved		SLyngshede-WMF	T335091 Determine which sender address to use for email notification
Resolved		SLyngshede-WMF	T340721 Build Debian packages for Bookworm
Resolved		SLyngshede-WMF	T340722 Update IDM servers to Bookworm
Open		SLyngshede-WMF	T320801 Build-out for self service
Resolved		SLyngshede-WMF	T320802 Create a mockup and involve designers
Resolved	BUG REPORT	SLyngshede-WMF	T338824 Bitu is not responsive
Invalid		None	T320805 Define the core attribute list managed in the IDM with all stakeholders
Resolved		SLyngshede-WMF	T320806 Consider reusing some wiki data sources for signup/restrictions
Resolved		SLyngshede-WMF	T320809 Figure out a captcha option for IDM
Open		None	T335478 Automatic detection of inactive LDAP account
Open		None	T335485 Automatically deploy documentation to docs.wikimedia.org
Resolved		SLyngshede-WMF	T340636 Implement "Forgot my username" feature
Resolved		SLyngshede-WMF	T340637 Implement "update email" functionality
Open		SLyngshede-WMF	T340717 Implement "source" field on user objects
Open		SLyngshede-WMF	T345168 Live validation of usernames
Resolved		SLyngshede-WMF	T345226 Switch developer account creation to Bitu
Open		SLyngshede-WMF	T347572 SSH Key type expiry
Open		• taavi	T338477 `Nova Resource:` namespace should be declared in wmf-config, not in Extension:OpenStackManager
Open		• taavi	T359544 Disable SSH key management on Wikitech
Resolved	Feature	SLyngshede-WMF	T359543 Allow enabling a key directly when adding it
Resolved	BUG REPORT	SLyngshede-WMF	T360634 Bitu not importing key changes directly in LDAP
Resolved		bd808	T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved		yuvipanda	T103995 Build a simple tool to query which instances have which roles / puppet variables
Resolved		bd808	T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
Resolved		bd808	T162508 Implement Tool Labs membership application and processing in Striker
Resolved		bd808	T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Open		SLyngshede-WMF	T163478 Allow viewing/searching LDAP account creations including date
Resolved		None	T153821 wikitech.wikimedia.org missing from pageviews API
Open		None	T237773 Move Wikitech onto the production MW cluster
Resolved		Marostegui	T167973 Move database for wikitech (labswiki) to a main cluster section
Resolved		Andrew	T188029 Move labswiki database to m5
Resolved		Marostegui	T282074 Audit labswiki grants
Resolved		Andrew	T282209 Enable connection from labweb1001/labweb1002 to s6
Declined		Andrew	T282573 Move labweb/cloudweb hosts to private IPs
Resolved		Andrew	T284106 Replicate & sanitize wikitech data
Resolved		Andrew	T284108 Bring labswiki database tables up to date
Resolved		Ladsgroup	T269348 wikitech database has almost all of its varbinary fields wrong
Duplicate		None	T284736 Create views on labswiki on clouddb* hosts
Resolved		• Bstorm	T287442 Create views for labswiki (wikitech)
Declined		None	T237889 Install php-ldap on all MW appservers
Resolved		• taavi	T237890 Remove and empty useless user groups
Resolved		Jdforrester-WMF	T196466 Remove 'shell user' right on wikitech
Declined		None	T246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
Open		jijiki	T292707 Migrate Wikitech to Kubernetes
Open		None	T359551 Replace wikitech as source of two-factor auth protection for developer accounts
Open	Feature	None	T359554 Use IDP for authentication in Striker
Stalled	Feature	None	T359590 Use IDP for authentication in Horizon
Open	Feature	SLyngshede-WMF	T359552 Enable self-service IDP two-factor authentication management
Open		None	T359820 Add developer account (un)blocking support to Bitu
Open		SLyngshede-WMF	T360795 Set up a bitu instance for codfw1dev
Open		SLyngshede-WMF	T362128 Site: 1 VM for codfw1dev bitu deployment
Resolved		ABran-WMF	T362619 Database request for Bitu Cloud DEV installation
Resolved		• taavi	T360883 Disable email address changes in Wikitech
Open		None	T364605 Move Striker to Bitu username validation API
In Progress		SLyngshede-WMF	T362318 Add Bitu container to Striker development environment

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

@Tgr, I don't think we would want to do this. The threat model for horizon/gerrit/etc is quite different from on-wiki account access so I'd prefer that we keep the two separate account types.

That said, a simpler/unified login service for all developer account types might be nice.

In T161859#3997722, @MarcoAurelio wrote:

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

My intent is for all existing LDAP accounts (that are still in use) to be associated with a SUL account. This is the "Connect active LDAP accounts with SUL accounts" step in the very high level plan. It is possible today to make this association using https://toolsadmin.wikimedia.org/. The "Replace wikitech as source of LDAP account creation" step would be a good time to introduce this idea more broadly and to start a campaign to get active users to make the association.

In T161859#3997670, @Tgr wrote:

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

That decision is largely beyond the scope of the Cloud Services team. The projects we own that could do this are Horizon and Striker (toolsadmin). There is a plan for Striker to use SUL via OAuth as the authentication mechanism. I think it would be possible for Horizon as well, but one thing we would probably want to be able to do for Horizon is to require that the SUL account be using 2FA protection.

Framawiki subscribed.Feb 24 2018, 4:28 PM

• Mholloway subscribed.Feb 28 2018, 5:30 PM

In T161859#3997670, @Tgr wrote:

Is there also a "make everything SUL" plan?

Filed that as T189531: All Wikimedia developer services should use single sign-on.

Tgr added a parent task: T189531: All Wikimedia developer services should use single sign-on.Mar 12 2018, 10:14 PM

bd808 mentioned this in T88092: Update wikitech customised shell account name registration instructions.Mar 22 2018, 8:52 PM

bd808 added a subtask: T179463: Create a single application to provision and manage developer (LDAP) accounts.Mar 22 2018, 8:55 PM

mxn subscribed.May 21 2018, 6:44 AM

1997kB subscribed.Aug 18 2018, 6:12 AM

jcrespo added a subtask: T167973: Move database for wikitech (labswiki) to a main cluster section.Sep 6 2018, 7:27 AM

jcrespo removed a project: Cloud-Services.

jcrespo updated the task description. (Show Details)

bd808 mentioned this in T131385: Dynamically fiddle with wgLocalDatabases to recognise wikitech separation.Oct 2 2018, 9:13 PM

AfroThundr3007730 subscribed.Nov 27 2018, 4:44 AM

• GTirloni subscribed.Nov 28 2018, 4:02 PM

• Nuria closed subtask T153821: wikitech.wikimedia.org missing from pageviews API as Resolved.Jan 8 2019, 12:00 PM

jbond subscribed.Mar 5 2019, 3:47 PM

• GTirloni unsubscribed.Mar 21 2019, 9:06 PM

Meno25 subscribed.May 31 2019, 4:32 PM

bd808 mentioned this in T233236: Move labtestwikitech database to clouddb2001-dev.Oct 16 2019, 4:44 PM

Andrew added a parent task: T237771: Make Wikitech a normal wiki.Nov 8 2019, 9:42 PM

Peachey88 subscribed.Nov 8 2019, 11:31 PM

bd808 changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Stalled to Open.Nov 10 2019, 10:56 PM

bd808 updated the task description. (Show Details)

bd808 added a subtask: T237773: Move Wikitech onto the production MW cluster.Nov 10 2019, 11:01 PM

bd808 removed a parent task: T237771: Make Wikitech a normal wiki.

bd808 merged a task: T237771: Make Wikitech a normal wiki.

bd808 updated the task description. (Show Details)Nov 10 2019, 11:08 PM

Reedy moved this task from Backlog to Snowflakes on the wikitech.wikimedia.org board.Nov 11 2019, 12:18 AM

jcrespo changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Open to Stalled.Nov 11 2019, 8:38 AM

jcrespo changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Stalled to Open.

Quiddity mentioned this in T241027: wikitech: Update user groups following OpenStackManager rights removal.Dec 19 2019, 8:00 PM

bd808 mentioned this in T237889: Install php-ldap on all MW appservers.Apr 13 2020, 7:56 PM

bd808 mentioned this in T237773: Move Wikitech onto the production MW cluster.Jul 10 2020, 12:16 AM

bd808 updated the task description. (Show Details)Apr 30 2021, 4:02 PM

Restricted Application added a project: cloud-services-team (Kanban). · View Herald TranscriptApr 30 2021, 4:02 PM

Ameisenigel subscribed.May 10 2021, 6:11 AM

aborrero triaged this task as Medium priority.May 11 2021, 4:16 PM

aborrero moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.

Nintendofan885 subscribed.Jul 17 2021, 6:58 PM

Frostly subscribed.Aug 16 2021, 6:21 PM

bd808 mentioned this in T288906: Remove CentralAuth SUL migration code.Aug 18 2021, 4:09 PM

LSobanski subscribed.Sep 6 2021, 8:45 PM

Marostegui closed subtask T167973: Move database for wikitech (labswiki) to a main cluster section as Resolved.Sep 27 2021, 8:19 AM

• Mholloway unsubscribed.Sep 27 2021, 11:24 AM

Reedy mentioned this in T296893: Replace Diffusion integration with Gitlab integration in Striker (toolsadmin).Dec 2 2021, 5:52 AM

Zabe subscribed.Dec 25 2021, 12:24 AM

Stang subscribed.Feb 10 2022, 2:44 PM

bd808 mentioned this in T305786: Fatal exception of type "UnexpectedValueException" when attempting to block.Apr 14 2022, 5:09 PM

TheresNoTime subscribed.Sep 28 2022, 12:06 PM

BTullis subscribed.Sep 28 2022, 3:21 PM

Izno subscribed.Oct 14 2022, 10:55 PM

lmata subscribed.Dec 6 2022, 7:39 PM

akosiaris changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Open to Stalled.Dec 15 2022, 10:13 AM

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM

fnegri moved this task from Kanban to Watching on the cloud-services-team board.

lmata unsubscribed.Jan 20 2023, 1:46 PM

SLyngshede-WMF changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Stalled to In Progress.Feb 6 2023, 8:24 AM

I'm skeptical about the cost/benefit ratio of making Wikitech a CentralAuth SUL wiki. It had multiple unfortunate naming policies over the years which resulted in a lot of people using a different username than their SUL account (or, in the case of WMF staff with a volunteer background, two SUL accounts and one Wikitech account); it would require either an extensive amount of renaming and content cleanup, or some kind of name mapping capability in CentralAuth that would violate a lot of assumptions in the code.

Making Wikitech outsource login to a CentralAuth SUL wiki using WSOAuth or something similar is easy. Extending the global blocking and permission system to Wikitech might not be worth the effort (or if it is, might be easier via custom hacks than by using CentralAuth).

TBurmeister subscribed.Jan 26 2024, 6:26 PM

SLyngshede-WMF closed subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory as Resolved.Jan 29 2024, 3:40 PM

SLyngshede-WMF closed subtask T179463: Create a single application to provision and manage developer (LDAP) accounts as Declined.Jan 29 2024, 4:02 PM

bd808 reopened subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory as Open.Feb 1 2024, 1:30 AM

bd808 mentioned this in T316418: Add account locking for GitLab accounts to wikitech account blocking.Mar 4 2024, 9:03 PM

• taavi updated the task description. (Show Details)Mar 11 2024, 11:02 AM

• taavi updated the task description. (Show Details)Mar 11 2024, 1:34 PM

In T161859#9233732, @Tgr wrote:

I'm skeptical about the cost/benefit ratio of making Wikitech a CentralAuth SUL wiki. It had multiple unfortunate naming policies over the years which resulted in a lot of people using a different username than their SUL account (or, in the case of WMF staff with a volunteer background, two SUL accounts and one Wikitech account); it would require either an extensive amount of renaming and content cleanup, or some kind of name mapping capability in CentralAuth that would violate a lot of assumptions in the code.

In my mind it just needs an account migration pretty much exactly like SUL unification did back in the day. The ~labswiki suffix for un-migrated local only accounts should go a long way towards keeping CentralAuth happy I think? Has the stack changed such that that solution is no longer possible?

I have always assumed that I would do that work once it was possible mostly because nobody else is likely to. "Cost/benefit ratio" sounds like an assumption that this would actually be resourced work and not anything like the active reality about everything wikitech--we do it because we need tools, not because management thinks tools are worth resourcing.

Making Wikitech outsource login to a CentralAuth SUL wiki using WSOAuth or something similar is easy.

How is that functionally different than making it a SUL wiki? Is is just the local legacy account cleanup that you would hope to avoid?

In T161859#9621255, @bd808 wrote:

In my mind it just needs an account migration pretty much exactly like SUL unification did back in the day. The ~labswiki suffix for un-migrated local only accounts should go a long way towards keeping CentralAuth happy I think? Has the stack changed such that that solution is no longer possible?

It hasn't been used or tested in a decade, I would be surprised if it wouldn't be at least somewhat broken.
But also, how would the migration work? You can't rename LDAP accounts, right? So you'd have to add some functionality to keep track of how Foo~labswiki needs to use cn=Foo for the LDAP password lookup. Or do you just rename everyone in one go, based on an authoritative and full SUL-LDAP username mapping that somehow exists, and generate random passwords for the unSULed (who hopefully have an email address)?

How is that functionally different than making it a SUL wiki? Is is just the local legacy account cleanup that you would hope to avoid?

Yes. You'd be able to log in with your Wikimedia account, we'd end up with an (incomplete) SUL-LDAP map based on those logins, you wouldn't get any of the CentralAuth functionality (although in the longer term we might be able to change that via T359116: Split up CentralAuth into smaller extensions) which might or might not be a problem wrt anti-abuse, not sure how that's imagined to work in the future.

In T161859#9621853, @Tgr wrote:

In T161859#9621255, @bd808 wrote:

In my mind it just needs an account migration pretty much exactly like SUL unification did back in the day. The ~labswiki suffix for un-migrated local only accounts should go a long way towards keeping CentralAuth happy I think? Has the stack changed such that that solution is no longer possible?

It hasn't been used or tested in a decade, I would be surprised if it wouldn't be at least somewhat broken.
But also, how would the migration work? You can't rename LDAP accounts, right? So you'd have to add some functionality to keep track of how Foo~labswiki needs to use cn=Foo for the LDAP password lookup. Or do you just rename everyone in one go, based on an authoritative and full SUL-LDAP username mapping that somehow exists, and generate random passwords for the unSULed (who hopefully have an email address)?

The MediaWiki accounts are MediaWiki accounts, not LDAP accounts. SUL migration here is very much about removing LDAP and Developer accounts from having anything at all to do with Wikitech as the canonical location for WMF operational documentation.

I honestly haven't gamed out the whole process in depth because there are still way too many blockers to make this an urgent need. At a high level the first thing needed would be converting to local authn within Wikitech. Because the passwords are currently external we probably have to get creative about how this is done. It may be possible to figure out how to harvest and reuse the password hashes from LDAP records, but it might just be easier to have everyone reclaim their account via password recovery. Once that's done Wikitech is just another fishbowl MediaWiki deployment. From there we can start integration with SUL which I think could look like everything did from the dawn of CentralAuth until the SUL finalization where there are a mix of local and global accounts in the local MediaWiki tables.

We could even decide that all of this is just too fancy and just do a ~labswiki rename for all old local accounts and start fresh with folks SUL accounts. If we did that, we could also think about possibilities to bring MediaWiki-extensions-UserMerge back temporarily (T216089: Undeploy UserMerge Extension from WMF production) just for Wikitech. I don't know if that would be a bigger lift than the alternate suggestion to bring WSOAuth into the Wikimedia prod cluster or not.

foundationwiki has been SUL-ified in T205347 and that was not such a long time ago. But Wikitech might be a bit more difficult.

• taavi updated the task description. (Show Details)Mar 18 2024, 3:28 PM

bd808 updated the task description. (Show Details)Mar 22 2024, 5:30 PM

Johannnes89 subscribed.Mar 25 2024, 10:50 AM

• taavi updated the task description. (Show Details)Apr 5 2024, 1:25 PM

Connect active LDAP accounts with SUL accounts -- this can use Bitu/Striker account linking?

Yes, the associations collected by Striker and Bitu would be part of this work. That data is at least partially in the LDAP directory itself now. What will certainly be needed is a campaign to make as many users who have not yet linked their Developer account identity with a SUL account identity to do so. I have not ran any reports to know the percentage or absolute numbers, but Developer accounts existed for many years before either Striker or Bitu allowed linking and to date there have not been major promotional campaigns outside of Striker's goal prompts that would have driven folks with older accounts to connect them together.

• taavi closed subtask T360883: Disable email address changes in Wikitech as Resolved.Apr 16 2024, 2:31 PM

Andrew added a parent task: T363125: sustainability of wikitech.wikimedia.org.Apr 23 2024, 3:56 AM

Nemoralis subscribed.Wed, May 22, 12:55 PM

Make Wikitech an SUL wiki
Open, MediumPublic
Actions

Description

Related Objects
Search...

Event Timeline

	Andrew
	Mar 30 2017, 9:04 PM

Make Wikitech an SUL wikiOpen, MediumPublicActions

Description

Related ObjectsSearch...

Event Timeline

Make Wikitech an SUL wiki
Open, MediumPublic
Actions

Related Objects
Search...