Hopefully this one is simpler than T178: Implement Wikimedia SUL in this Labs instance
Description
Details
- Reference
- fl180
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Qgil | T553 Engineering Community team goals for October 2014
Resolved | | Qgil | T174 Launch Wikimedia Phabricator Day 1
Resolved | | Qgil | T175 Nominate a team in charge of deploying and maintaining Wikimedia Phabricator code
Resolved | | RobLa-WMF | T17 Allocate resources for the migration and maintenance
Resolved | | None | T16 Support only WMF SUL and LDAP as authentication mechanisms (no purely local logins, no third party authentications)
Resolved | | Qgil | T113 Offer Wikitech (LDAP) authentication in this Labs instance
Event Timeline
demon wrote on 2014-04-21 19:54:08 (UTC)
We could probably turn this on pretty easily. I'm fine with doing it (then we'd at least be on par with Gerrit auth) but we'd want to properly set up SSL for the domain.
qgil wrote on 2014-04-22 00:55:59 (UTC)
Thank you for volunteering, @demon. What needs to be done to set up SSL properly? File a bug? I'm happy to help, if you tell me what to do.
qgil wrote on 2014-04-23 03:31:07 (UTC)
Sorry for asking dummy questions: do you mean set up SSL in Phabricator or in the Labs instance? Or you can tell me directly who I should ping, and I will do it.
demon wrote on 2014-04-23 04:14:19 (UTC)
Well, I was talking to Yuvi earlier today and we need an SSL cert for labs. I was using the star.wmflabs.org cert, but Yuvi pointed out that we need to lock down the instance if we use it. The alternative is a self-signed cert (ick), or buying an explicit cert (feels like putting the cart before the horse if we haven't finished the RfC).
So yeah, I think we'll go with star.wmflabs.org. CCing Yuvi so he can say more.
bd808 wrote on 2014-04-23 17:39:19 (UTC)
Ryan slapped my hand several times for suggesting using LDAP auth for things inside Labs. His reasonable argument is that many people have access to Labs project instances that could trivially be used to capture passwords even with SSL in place for the connection.
demon wrote on 2014-04-23 18:04:58 (UTC)
In that case I suppose we should really get on the OpenID then.
qgil wrote on 2014-04-23 18:25:05 (UTC)
Ok, then no LDAP in *this* instance. It will be an option if/when we have a Phabricator instance in a server out of Labs.
See you at T178: Set up the Phabricator instance?
demon wrote on 2014-04-23 18:42:07 (UTC)
Well maybe, maybe not. Ideal world would be OpenID/OAuth or something, not doing LDAP again. LDAP would be nothing more than a stop-gap between here and the ideal world.
robla wrote on 2014-04-23 19:46:33 (UTC)
Actually, I worry that a stopgap of LDAP is probably a bad idea in Labs. We generally have avoided proxying LDAP credentials through Labs instances; in fact, I think it's specifically against the policy. Has that changed, and if so, are there any other projects doing it?
demon wrote on 2014-04-23 20:01:52 (UTC)
We shouldn't do it in labs as you and Bryan point out. When I said "maybe maybe not" I meant in prod. I'd rather not go down the LDAP route unless we find the other options to be too impossible.