Page MenuHomePhabricator

Update Varnish Zero config downloading script to be ready for AuthManager
Closed, ResolvedPublic


A python script loads Zero configurations and updates Varnish ip lookup. The configs are loaded via authenticated MW API, but now my understanding is that we need to use new authentication method.

Event Timeline

I'm unclear on this. It sounds like there's some new AuthManager code rolling out. This task is to update the zero fetcher to use this new authentication mechanism, and yet it blocks enabling that authentication mechanism for MW in general? Is the implication that there will be no overlap in the switch from the old auth API to the new one for clients? How do we test and enable it for the zero fetcher before it's enabled for use?

Presumably the existing script uses API action=login to log in to the target wiki using the account's main password. It should be updated to use one of the following:

  • OAuth, if that's enabled on the target wiki.
  • Bot passwords, which is in MediaWiki core since 1.27.0-wmf.13. But I assume the wiki is private, fishbowl, or nonglobal, so it will need a database table created (see maintenance/archives/patch-bot_passwords.sql) if it doesn't already exist and wmgEnableBotPasswords set true in InitializeSettings.php.

Both of these solutions are (or could be made) available now, before AuthManager gets enabled.

From a perspective of updating the script itself, the latter is the easier solution: log in to the script's account, use Special:BotPasswords to set it up (you can just check all the boxes if you don't want to figure out which specifically are needed), then adjust the script's configured username and password without any code changes needed.

See also this announcement from January, or this one.

Anomie renamed this task from Update Varnish Zero config downloading script to use AuthManager to Update Varnish Zero config downloading script to be ready for AuthManager.May 19 2016, 1:36 PM

Change 292053 had a related patch set uploaded (by Gergő Tisza):
Enable bot passwords on zerowiki

Change 292053 merged by jenkins-bot:
Enable bot passwords on zerowiki

Change 292951 had a related patch set uploaded (by Gergő Tisza):
Create zeroscript grant group for zerowiki

Change 292951 merged by jenkins-bot:
Create zeroscript grant group for zerowiki

Resulted in massive logspam.

Jun  6 17:27:04 mw1146:  #012Notice: Undefined index: revisions in /srv/mediawiki/php-1.28.0-wmf.4/extensions/ZeroPortal/includes/ApiZeroPortal.php on line 321
Jun  6 17:27:04 mw1146:  #012Warning: Invalid argument supplied for foreach() in /srv/mediawiki/php-1.28.0-wmf.4/extensions/ZeroPortal/includes/ApiZeroPortal.php on line 338

ie. the revisions field of the API result is empty. Per @Yurik that should never happen; per @BBlack the script did fetch the data correctly when hand-tested.

Logstash claims about 1000 warnings at the start of every minute, which is weird because AIUI the script doesn't make nearly that many calls per minute.

The massive logspam was because the lack of the apihighlimits right available to the account (since it wasn't originally granted "High-volume editing") triggered T137144: ApiZeroPortal spams logs with warnings if there are sufficient Zero configurations.

Tgr claimed this task.

@BBlack set the password and there weren't any warnings this time so I think we can call this fixed.