
Proposal: Centralize OTRS login methodology
Open, Medium, Public

Description

Creating a new OTRS account is a very time-consuming process, taking between 20 and 30 minutes for each account. Between OTRS itself, otrs wiki, permissions, and logging, there are about 15 steps that must be completed to give one agent access to one queue.

I am proposing a change in our workflow to mitigate this problem. Both OTRS and Mediawiki allow for authentication via LDAP:

To that end, I am proposing the following. We set up an external LDAP server to manage agent accounts in both OTRS and otrs-wiki. Or, we choose either the wiki or OTRS as the master server for accounts.

This depends on the following things:

  1. This will give all agents access to the wiki, unless it's configured by roles. From my understanding, we are working to give all agents access to the wiki anyway (OTRS Administrators - am I correct about this?)
  2. This would necessitate a new server to configure or changing of our existing agent management workflows.
  3. Probably require some downtime in OTRS.

Event Timeline

Restricted Application added subscribers: Steinsplitter, Aklapper. Apr 24 2016, 1:35 AM

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

> While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

> I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

> I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

That was not my understanding, as the documentation and new agent training are stored on the wiki.

>> While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

> Erm... which part? The wiki account creation? I use your admin log script frequently.

Oh, so it's just not solved the problem entirely? okay :)

>> I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

> Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

Okay. If you did go with the existing LDAP route, the current account creation system for LDAP is wikitech. This might change in the future, however.
https://otrs.github.io/doc/manual/admin/5.0/en/html/external-backends.html#agent-auth-backend-ldap

  • Login to both OTRS and OTRS wiki would be via the same credentials.
  • But they would require the user to be in a particular group.
  • We'd have to find some way to let admins control who is in the group.
  • I was going to say "OTRS' internal permissions would still have to be controlled inside OTRS", but if you scroll down it does say "you can use LDAP groups to determine group memberships or roles in OTRS" - if we got that working it'd ideally be administered in the same manner as the OTRS generic access group.

>> I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

> That was not my understanding, as the documentation and new agent training are stored on the wiki.

Indeed.

So I guess the tricky part would be finding a sane way for OTRS admins to control the LDAP groups. We'd presumably want it integrated with either OTRS (sounds from "This module has only read access to the LDAP tree, which means that you cannot edit your user data via the agent management interface." like that's not possible with the existing code, and few around here know enough perl to make it happen) or OTRS wiki (would have to build a custom extension and put it through deployment review...).

And I suppose an argument in favour of a new separate LDAP system would be the existing OTRS/OTRS wiki users conflicting with the existing LDAP users - although maybe we could put OTRS accounts elsewhere in the existing LDAP tree (in which case OTRS account creation would be somewhere separate from wikitech/its successor and it wouldn't be integrated with the labs/technical systems, which most agents probably don't care much about) instead of having to perform some SUL-migration-like-thing.
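For reference, this is what the two points raised in the comment above (gating login on one LDAP group, and letting LDAP groups determine OTRS roles) look like as an OTRS 5 `Kernel/Config.pm` fragment. It is an added illustration, not configuration from this task or from Wikimedia's deployment; the config keys follow the OTRS 5 LDAP backend manual linked above, while the host, DNs, bind account and role names are placeholders, and passing `scheme => 'ldaps'` through `Params` to Net::LDAP is an assumption.

```perl
# Added illustration (not from this task): OTRS 5 Kernel/Config.pm fragment.
# Agents authenticate against LDAP, login is gated on membership of one LDAP
# group, and OTRS role membership is derived from LDAP groups at each login.
# Host, DNs, bind account and role names are placeholders.

# --- Authentication: agents log in with their LDAP credentials -------------
$Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'ldap.example.org';              # placeholder
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=people,dc=example,dc=org';   # placeholder
$Self->{'AuthModule::LDAP::UID'}    = 'uid';

# Only members of this group may log in at all ("they would require the user
# to be in a particular group"). memberUid carries bare uids, hence UserAttr=UID.
$Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=otrs-agents,ou=groups,dc=example,dc=org'; # placeholder
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'}   = 'UID';

# Read-only service account for the group lookup; OTRS never writes to the tree,
# which is the "only read access" limitation quoted in the comment above.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-reader,ou=services,dc=example,dc=org'; # placeholder
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'CHANGE-ME';                               # placeholder

# Encrypt the bind: a plaintext LDAP bind would carry agent passwords in clear.
# (scheme => 'ldaps' is a Net::LDAP option; passing it via Params is assumed.)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 636,
    scheme  => 'ldaps',
    timeout => 120,
    version => 3,
};

# --- Sync: derive OTRS roles from LDAP groups on every login ----------------
$Self->{'AuthSyncModule'}                   = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}       = 'ldap.example.org';
$Self->{'AuthSyncModule::LDAP::BaseDN'}     = 'ou=people,dc=example,dc=org';
$Self->{'AuthSyncModule::LDAP::UID'}        = 'uid';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'UID';

# LDAP group => OTRS role. Because membership is re-read at login, removing a
# user from the LDAP group revokes the role without editing anything in OTRS.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'cn=otrs-queue-a,ou=groups,dc=example,dc=org' => { 'queue-a-agents' => 1 }, # placeholders
    'cn=otrs-admins,ou=groups,dc=example,dc=org'  => { 'otrs-admins'    => 1 }, # placeholders
};
```

With this layout the admin task the thread is worried about reduces to editing LDAP group membership, which is exactly the part the comment notes OTRS itself cannot do.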

>>> While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

>> Erm... which part? The wiki account creation? I use your admin log script frequently.

> Oh, so it's just not solved the problem entirely? okay :)

Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log?

>>> I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

>> Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

> Okay. If you did go with the existing LDAP route, the current account creation system for LDAP is wikitech. This might change in the future, however.
> https://otrs.github.io/doc/manual/admin/5.0/en/html/external-backends.html#agent-auth-backend-ldap
>
>   • Login to both OTRS and OTRS wiki would be via the same credentials.
>   • But they would require the user to be in a particular group.
>   • We'd have to find some way to let admins control who is in the group.
>   • I was going to say "OTRS' internal permissions would still have to be controlled inside OTRS", but if you scroll down it does say "you can use LDAP groups to determine group memberships or roles in OTRS" - if we got that working it'd ideally be administered in the same manner as the OTRS generic access group.

I agree; I'm going to let operations make the call though. I'm not sure how they would want to centralize the account information, if at all.

> And I suppose an argument in favour of a new separate LDAP system would be the existing OTRS/OTRS wiki users conflicting with the existing LDAP users - although maybe we could put OTRS accounts elsewhere in the existing LDAP tree (in which case OTRS account creation would be somewhere separate from wikitech/its successor and it wouldn't be integrated with the labs/technical systems, which most agents probably don't care much about) instead of having to perform some SUL-migration-like-thing.

Agreed.

Krenair added a comment. Edited Apr 24 2016, 3:07 AM

>>>> While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

>>> Erm... which part? The wiki account creation? I use your admin log script frequently.

>> Oh, so it's just not solved the problem entirely? okay :)

> Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log?

It's a private wiki and I believe that my wiki account was closed again a few months ago after I refused to sign an extra NDA (I already have one in my own name for volunteer activities with the foundation and this had different terms, etc.). What I wrote was not just the logging thing but a couple of forms - one for opening accounts (e.g. create wiki account, add to LOA, admin log, and I think there was something in there about welcoming the user on their talk page?) and one for closing accounts (block wiki account, move to LOA/C, admin log, etc.)

>>>>> While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

>>>> Erm... which part? The wiki account creation? I use your admin log script frequently.

>>> Oh, so it's just not solved the problem entirely? okay :)

>> Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log?

> It's a private wiki and I believe that my wiki account was closed again a few months ago after I refused to sign an extra NDA (I already have one in my own name for volunteer activities with the foundation and this had different terms, etc.). What I wrote was not just the logging thing but a couple of forms - one for opening accounts (e.g. create wiki account, add to LOA, admin log, and I think there was something in there about welcoming the user on their talk page?) and one for closing accounts (block wiki account, move to LOA/C, admin log, etc.)

[[ACC]] looks like the one, I should include that in the training. Thanks for the information.

Krd added a comment. Apr 24 2016, 5:15 AM

Strong oppose. No need, more problems created than resolved, if any resolved at all.
Additionally, no prior discussion has taken place at the appropriate venue, which would have been the OTRS admin mailing list.

> No need, more problems created than resolved, if any resolved at all.

I don't think you could say no problems resolved until details were confirmed. Also @Matthewrbowker is not the first OTRS admin to complain about the length of the process for opening/closing OTRS accounts, so I think you need to back up the "No need".

> Additionally, no prior discussion has taken place at the appropriate venue, which would have been the OTRS admin mailing list.

These sorts of things often come to Phabricator before being discussed locally.

TerraCodes added a subscriber: TerraCodes.
fgiunchedi triaged this task as Medium priority. Apr 27 2016, 3:40 PM
Steinsplitter moved this task from Incoming to Backlog on the OTRS board. May 21 2016, 2:03 PM
Scoopfinder added a subscriber: Scoopfinder.
Az1568 added a subscriber: Az1568. Aug 15 2017, 11:29 PM
Restricted Application added a project: User-Matthewrbowker. Aug 15 2017, 11:29 PM