Investigate moving labsdb (replicas) user credential management to 'Striker' (codename)
Open, Medium, Public

Description

When a tool is created, we have a service that runs on labstore1001 that creates a mysql user/pass combination and writes it to a file within the tool's home directory.

This has a lot of downsides at the moment:

  • This job is detached from tool creation or any user insight. It runs every 5m trying to figure out what it should do. The lack of visibility leaves tool owners and volunteers without debug options and fixup has to wait for a member of ops who understands the setup.
  • We grant access universally (when it works!) leaving lots of unused / abandoned accounts in the wild.
  • This does not lend itself to credential rotation ever.

Striker (http://striker.wmflabs.org/) is a Tools management interface spearheaded by @bd808 to make targeted aspects of Tools more friendly for users (T136256). I think it may make sense for this interface to include credential management logic for the replicas and any user-accessible DBs for tool consumption.

Thoughts on why:

  • We already expect users of Tools to need to use this application
  • From what I can tell it is meant to be modular in a way that facilitates integration of this nature
  • It would be in every way superior to our current process if it gave users any information at all beyond "it's there or it's not"

Event Timeline

@chasemp I do not want to push for this, but I suspect this may already be done and should be resolved? Can you comment on the state of this? Maybe it is only partially done out of a larger scope?

This is still wishlist status on the Striker implementation side. The idea is to replace the current service which automatically generates mysql/mariadb credentials for each new Toolforge member and Tool with on-demand generation.

Oh, sorry. So it is done, but not by Striker. Sorry for the confusion. I will mark it as blocked on (generic) you.