Page MenuHomePhabricator
Create Task
Maniphest T126758

Clean up after ldap->mysql keystone migration
Closed, ResolvedPublic
Actions

Description

  • remove obsolete ldap records
    • all projectmanager and admin role records
    • membership entries in project ous
  • remove obsolete OSM code
    • *ldap.php transitional classes
    • migration script
    • purge or repair maintenance scripts that are broken due to move away from ldap

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -1toolschecker: The group is 'project-testlabs,' not 'testlabs'
operations/puppetproduction+1 -1toolschecker: Test ldap by checking ou=groups instead of ou=projects
operations/dnsmaster+0 -3Removed the transitional labs-ns2 and labs-ns3 definitions.
operations/dnsmaster+0 -3Remove dns entries for the old ldap/dns servers
operations/puppetproduction+0 -164Purge labs dns/ldap code
operations/puppetproduction+2 -4Remove ldap/dns services from labcontrol1001 and labcontrol1002
mediawiki/extensions/OpenStackManagermaster+0 -1 KRemove ldap->keystone transitional classes and tools
Customize query in gerrit

Related Objects

Event Timeline

Andrew created this task.Feb 12 2016, 4:49 PM
Andrew claimed this task.
Andrew raised the priority of this task from to Medium.
Andrew updated the task description. (Show Details)
Andrew added projects: MW-1.27-release (WMF-deploy-2016-02-09_(1.27.0-wmf.13)), Patch-For-Review, labs-sprint-119, labs-sprint-118, Cloud-VPS, Cloud-Services, labs-sprint-117.
Andrew added subscribers: chasemp, scfc, Ricordisamoa and 6 others.
Krenair removed projects: labs-sprint-117, labs-sprint-118, labs-sprint-119, Patch-For-Review, MW-1.27-release (WMF-deploy-2016-02-09_(1.27.0-wmf.13)).Feb 12 2016, 4:50 PM
Krenair set Security to None.
Krenair added a project: MediaWiki-extensions-OpenStackManager.
gerritbot added a subscriber: gerritbot.Mar 31 2016, 8:54 PM

Change 280752 had a related patch set uploaded (by Andrew Bogott):
Remove ldap->keystone transitional classes and tools

https://gerrit.wikimedia.org/r/280752

gerritbot added a project: Patch-For-Review.Mar 31 2016, 8:54 PM
Andrew removed a parent task: T115029: Move project membership/assignment from ldap to keystone mysql.Mar 31 2016, 8:55 PM
gerritbot added a comment.Mar 31 2016, 10:21 PM

Change 280752 merged by jenkins-bot:
Remove ldap->keystone transitional classes and tools

https://gerrit.wikimedia.org/r/280752

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)).Mar 31 2016, 11:00 PM
Andrew updated the task description. (Show Details)Apr 1 2016, 10:05 PM
Andrew updated the task description. (Show Details)Apr 1 2016, 10:07 PM
gerritbot added a comment.May 6 2016, 4:19 PM

Change 287235 had a related patch set uploaded (by Andrew Bogott):
Remove ldap/dns services from labcontrol1001 and labcontrol1002

https://gerrit.wikimedia.org/r/287235

gerritbot added a comment.May 6 2016, 4:19 PM

Change 287236 had a related patch set uploaded (by Andrew Bogott):
Purge labs dns/ldap code

https://gerrit.wikimedia.org/r/287236

gerritbot added a comment.May 6 2016, 4:25 PM

Change 287238 had a related patch set uploaded (by Andrew Bogott):
Remove dns entries for the old ldap/dns servers

https://gerrit.wikimedia.org/r/287238

gerritbot added a comment.May 6 2016, 4:42 PM

Change 287245 had a related patch set uploaded (by Andrew Bogott):
Removed the transitional labs-ns2 and labs-ns3 definitions.

https://gerrit.wikimedia.org/r/287245

gerritbot added a comment.May 9 2016, 6:35 PM

Change 287235 merged by Andrew Bogott:
Remove ldap/dns services from labcontrol1001 and labcontrol1002

https://gerrit.wikimedia.org/r/287235

gerritbot added a comment.May 9 2016, 8:35 PM

Change 287236 merged by Andrew Bogott:
Purge labs dns/ldap code

https://gerrit.wikimedia.org/r/287236

gerritbot added a comment.May 10 2016, 4:09 PM

Change 287238 merged by Andrew Bogott:
Remove dns entries for the old ldap/dns servers

https://gerrit.wikimedia.org/r/287238

gerritbot added a comment.May 10 2016, 6:46 PM

Change 287245 merged by Andrew Bogott:
Removed the transitional labs-ns2 and labs-ns3 definitions.

https://gerrit.wikimedia.org/r/287245

Andrew mentioned this in rOPUP80ecc34e7fd6: Purge labs dns/ldap code.Jun 17 2016, 6:10 PM
Andrew mentioned this in rOPUP4ee22be7617d: Remove ldap/dns services from labcontrol1001 and labcontrol1002.
Andrew mentioned this in rOPUPc9b128abea15: Purge labs dns/ldap code.
gerritbot added a comment.Apr 3 2017, 6:59 PM

Change 346187 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] toolschecker: Test ldap by checking ou=groups instead of ou=projects

https://gerrit.wikimedia.org/r/346187

gerritbot added a comment.Apr 3 2017, 7:01 PM

Change 346187 merged by Andrew Bogott:
[operations/puppet@production] toolschecker: Test ldap by checking ou=groups instead of ou=projects

https://gerrit.wikimedia.org/r/346187

gerritbot added a comment.Apr 3 2017, 7:10 PM

Change 346189 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] toolschecker: The group is 'project-testlabs,' not 'testlabs'

https://gerrit.wikimedia.org/r/346189

gerritbot added a comment.Apr 3 2017, 7:12 PM

Change 346189 merged by Andrew Bogott:
[operations/puppet@production] toolschecker: The group is 'project-testlabs,' not 'testlabs'

https://gerrit.wikimedia.org/r/346189

Stashbot added a subscriber: Stashbot.Apr 3 2017, 7:16 PM

Mentioned in SAL (#wikimedia-operations) [2017-04-03T19:16:44Z] <andrewbogott> in testlabs, deleted ou=projects,dc=wikimedia,dc=org and ou=roles,dc=wikimedia,dc=org as per T126758

Andrew added a comment.Apr 3 2017, 7:17 PM

On labtest I ran

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=projects,dc=wikimedia,dc=org'

and

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=roles,dc=wikimedia,dc=org'

If there are no ill effects, the same can be done in production.

Andrew added a comment.Apr 3 2017, 10:00 PM
In T126758#3151944, @Andrew wrote:
ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=projects,dc=wikimedia,dc=org'

This is wrong! Sudoers currently live under the 'projects' tree.

Andrew added a comment.Apr 18 2017, 5:17 PM

Instead, I am running:

ldapdelete -x -r -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W 'ou=roles,dc=wikimedia,dc=org'

And then using ldapvi to painstakingly remove all the projectadmin role entries. It's a start...

Andrew added a comment.Apr 18 2017, 5:28 PM

...and now I'm going through and removing all members from project entries that are not 'novaadmin.' Novaadmin stays just to keep the schema happy. I'm not sure if we could remove the 'groupofnames' type from project entries; I don't want to risk it.

Andrew added a comment.Apr 18 2017, 5:38 PM

And I removed a bunch of other spare role definitions (e.g. 'observer' and 'admin'.)

Andrew closed this task as Resolved.Apr 18 2017, 5:38 PM
Andrew updated the task description. (Show Details)
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:44 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL