Page MenuHomePhabricator

Dynamically fiddle with wgLocalDatabases to recognise wikitech separation
Open, NormalPublic

Description

If you try to change userrights via userrights-interwiki at meta with the database labswiki (should be wikitech) you get:

Sorry! This site is experiencing technical difficulties.
Try waiting a few minutes and reloading.
(Cannot access the database: Can't connect to MySQL server on '208.80.154.136' (4) (208.80.154.136))

This is because the firewall doesn't let you connect to that database server

Event Timeline

Restricted Application added a project: Cloud-Services. · View Herald TranscriptMar 31 2016, 5:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

The error message reported above is what I got when I tried changing my userrights at Meta using @labswiki as database.

Krenair closed this task as Declined.Mar 31 2016, 6:03 PM
Krenair added a subscriber: Krenair.

Yes, and this isn't going to be changed.

I guess asking for an explanation other than "because I say so" would be too much asking? We were asked to OS something at wikitech today, and while we knew that wikitech is outside CentralAuth, even if this is not going to be changed, which I don't mean it should be, the error message given should be clearer. So please, reopen the task and at least make that error message more comprehensive for everyone. Thanks.

labswiki is supposed to be isolated like this, the firewall shouldn't be opened up to allow connections from any appserver just so you can change rights on it.
It is controlled by the sysadmins and controls the labs infrastructure, it is not to be administered by ordinary users. Rights grantable at this wiki are extremely sensitive.
I don't think there is a sane way to make the error message specific to the particular case.

@Krenair, I wouls like to respectfully disgree with the declined. Either this is allowed, or it is not, and it is an legitimate bug. I would give it the lowest priority, if you think it is not worth working on it (or decline the "giving rights" part only).

Trying to connect to a random server is a problem that should be fixed at meta, even if with very low priority.

It is not to be allowed, it is not a legitimate bug, this is not a case of "not worth working on", it should not be done, the status reflects this.

I don't know what you're talking about with the 'random server' thing. They're trying change rights on labswiki and that reqiures opening a connection to the database server on silver, which is (correctly) denied.

You could open a task against MediaWiki core to have such DB connection failures during interwiki-userrights changes handled more gracefully, but it's out of scope here

jcrespo added a comment.EditedMar 31 2016, 6:35 PM

Yes, that was my point. Not allowing that, but failing gracefully. The errors shows at https://logstash.wikimedia.org/#dashboard/temp/AVPN8G8sO3D718AOD3-_ [requires NDA] (so it is at aleast a Wikimedia-production-error task).

Explaining that in detail will avoid misunderstandings towards our loved contributors :-).

Note that "mysql error" tends to point to me (be it a real error or not), so it helps avoiding misunderstandings about potential errors! ;-)

Krenair renamed this task from Changing rights via userrights-interwiki with '@labswiki' throws database-error to Implement restriction of userrights-interwiki at a software level beyond wgLocalDatabases.Mar 31 2016, 6:49 PM
Krenair reopened this task as Open.
Krenair updated the task description. (Show Details)

Actually, we may be able to mess with wgLocalDatabases in the wikimedia config to achieve this, but other things look at that variable... It'll be hacky and maybe a bit risky.

Krenair renamed this task from Implement restriction of userrights-interwiki at a software level beyond wgLocalDatabases to Dynamically fiddle with wgLocalDatabases to recognise wikitech separation.Mar 31 2016, 7:04 PM
Krenair edited projects, added Wikimedia-Site-requests; removed MediaWiki-General.
Restricted Application added subscribers: JEumerus, Matanya. · View Herald TranscriptMar 31 2016, 7:04 PM

Change 280704 had a related patch set uploaded (by Alex Monk):
Dynamically fiddle with wgLocalDatabases to recognise wikitech separation

https://gerrit.wikimedia.org/r/280704

hashar triaged this task as Normal priority.Sep 26 2016, 3:24 PM
hashar moved this task from Meta to Found during 1.34-wmf.9 on the Wikimedia-production-error board.

Change 280704 abandoned by Chad:
Dynamically fiddle with wgLocalDatabases to recognise wikitech separation

Reason:
Abandoning all config changes > 1y old

https://gerrit.wikimedia.org/r/280704

Krinkle added subscribers: Reedy, Krinkle, Paladox.

This affects:

  • Viewing urls like https://wikitech.wikimedia.org/wiki/Special:Uploads/Legoktm on Wikitech, both as unregistered user and as logged-in user, it times out with a Database error that claims "This site is having technical difficulties"
  • Viewing Special:Upload on Wikitech has the same issue (only when logged-in as user with the upload permission).
  • Use of Special:UserRights on Meta-Wiki for labswiki.
bd808 added a subscriber: bd808.Oct 2 2018, 9:13 PM

The eventual fix for this would be T161859: Make Wikitech an SUL wiki. When that is completed Wikitech will be a "normal" Wikimedia production cluster wiki rather than a "special" wiki with its database and other support services in strange network locations.

The Special:Uploads issue in particular is probably due to inheriting some config from the main wiki farm that makes Wikitech think that it should be able to query other databases directly rather than calling remote APIs (or not participating in a farm).

The original issue reported here is the wiki farm problem in reverse. Sometimes the main wiki farm thinks that Wikitech is part of it when it actually is not today.

mmodell changed the subtype of this task from "Task" to "Production Error".Wed, Aug 28, 11:11 PM