A python script loads Zero configurations and updates Varnish ip lookup. The configs are loaded via authenticated MW API, but now my understanding is that we need to use new authentication method.
I'm unclear on this. It sounds like there's some new AuthManager code rolling out. This task is to update the zero fetcher to use this new authentication mechanism, and yet it blocks enabling that authentication mechanism for MW in general? Is the implication that there will be no overlap in the switch from the old auth API to the new one for clients? How do we test and enable it for the zero fetcher before it's enabled for use?
Presumably the existing script uses API action=login to log in to the target wiki using the account's main password. It should be updated to use one of the following:
- OAuth, if that's enabled on the target wiki.
- Bot passwords, which is in MediaWiki core since 1.27.0-wmf.13. But I assume the wiki is private, fishbowl, or nonglobal, so it will need a database table created (see maintenance/archives/patch-bot_passwords.sql) if it doesn't already exist and wmgEnableBotPasswords set true in InitializeSettings.php.
Both of these solutions are (or could be made) available now, before AuthManager gets enabled.
From a perspective of updating the script itself, the latter is the easier solution: log in to the script's account, use Special:BotPasswords to set it up (you can just check all the boxes if you don't want to figure out which specifically are needed), then adjust the script's configured username and password without any code changes needed.
Resulted in massive logspam.
Jun 6 17:27:04 mw1146: #012Notice: Undefined index: revisions in /srv/mediawiki/php-1.28.0-wmf.4/extensions/ZeroPortal/includes/ApiZeroPortal.php on line 321 Jun 6 17:27:04 mw1146: #012Warning: Invalid argument supplied for foreach() in /srv/mediawiki/php-1.28.0-wmf.4/extensions/ZeroPortal/includes/ApiZeroPortal.php on line 338
Logstash claims about 1000 warnings at the start of every minute, which is weird because AIUI the script doesn't make nearly that many calls per minute.
The massive logspam was because the lack of the apihighlimits right available to the account (since it wasn't originally granted "High-volume editing") triggered T137144: ApiZeroPortal spams logs with warnings if there are sufficient Zero configurations.