Page MenuHomePhabricator

Clean up after ldap->mysql keystone migration
Closed, ResolvedPublic

Description

  • remove obsolete ldap records
    • all projectmanager and admin role records
    • membership entries in project ous
  • remove obsolete OSM code
    • *ldap.php transitional classes
    • migration script
    • purge or repair maintenance scripts that are broken due to move away from ldap

Event Timeline

Andrew created this task.Feb 12 2016, 4:49 PM
Andrew claimed this task.
Andrew raised the priority of this task from to Medium.
Andrew updated the task description. (Show Details)
Andrew added subscribers: chasemp, scfc, Ricordisamoa and 6 others.

Change 280752 had a related patch set uploaded (by Andrew Bogott):
Remove ldap->keystone transitional classes and tools

https://gerrit.wikimedia.org/r/280752

Change 280752 merged by jenkins-bot:
Remove ldap->keystone transitional classes and tools

https://gerrit.wikimedia.org/r/280752

Andrew updated the task description. (Show Details)Apr 1 2016, 10:05 PM
Andrew updated the task description. (Show Details)Apr 1 2016, 10:07 PM

Change 287235 had a related patch set uploaded (by Andrew Bogott):
Remove ldap/dns services from labcontrol1001 and labcontrol1002

https://gerrit.wikimedia.org/r/287235

Change 287236 had a related patch set uploaded (by Andrew Bogott):
Purge labs dns/ldap code

https://gerrit.wikimedia.org/r/287236

Change 287238 had a related patch set uploaded (by Andrew Bogott):
Remove dns entries for the old ldap/dns servers

https://gerrit.wikimedia.org/r/287238

Change 287245 had a related patch set uploaded (by Andrew Bogott):
Removed the transitional labs-ns2 and labs-ns3 definitions.

https://gerrit.wikimedia.org/r/287245

Change 287235 merged by Andrew Bogott:
Remove ldap/dns services from labcontrol1001 and labcontrol1002

https://gerrit.wikimedia.org/r/287235

Change 287236 merged by Andrew Bogott:
Purge labs dns/ldap code

https://gerrit.wikimedia.org/r/287236

Change 287238 merged by Andrew Bogott:
Remove dns entries for the old ldap/dns servers

https://gerrit.wikimedia.org/r/287238

Change 287245 merged by Andrew Bogott:
Removed the transitional labs-ns2 and labs-ns3 definitions.

https://gerrit.wikimedia.org/r/287245

Change 346187 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] toolschecker: Test ldap by checking ou=groups instead of ou=projects

https://gerrit.wikimedia.org/r/346187

Change 346187 merged by Andrew Bogott:
[operations/puppet@production] toolschecker: Test ldap by checking ou=groups instead of ou=projects

https://gerrit.wikimedia.org/r/346187

Change 346189 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] toolschecker: The group is 'project-testlabs,' not 'testlabs'

https://gerrit.wikimedia.org/r/346189

Change 346189 merged by Andrew Bogott:
[operations/puppet@production] toolschecker: The group is 'project-testlabs,' not 'testlabs'

https://gerrit.wikimedia.org/r/346189

Mentioned in SAL (#wikimedia-operations) [2017-04-03T19:16:44Z] <andrewbogott> in testlabs, deleted ou=projects,dc=wikimedia,dc=org and ou=roles,dc=wikimedia,dc=org as per T126758

Andrew added a comment.Apr 3 2017, 7:17 PM

On labtest I ran

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=projects,dc=wikimedia,dc=org'

and

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=roles,dc=wikimedia,dc=org'

If there are no ill effects, the same can be done in production.

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=projects,dc=wikimedia,dc=org'

This is wrong! Sudoers currently live under the 'projects' tree.

Instead, I am running:

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=roles,dc=wikimedia,dc=org'

And then using ldapvi to painstakingly remove all the projectadmin role entries. It's a start...

...and now I'm going through and removing all members from project entries that are not 'novaadmin.' Novaadmin stays just to keep the schema happy. I'm not sure if we could remove the 'groupofnames' type from project entries; I don't want to risk it.

And I removed a bunch of other spare role definitions (e.g. 'observer' and 'admin'.)

Andrew closed this task as Resolved.Apr 18 2017, 5:38 PM
Andrew updated the task description. (Show Details)