Page MenuHomePhabricator

Investigate moving labsdb (replicas) user credential management to 'Striker' (codename)
Open, MediumPublic

Description

When a tool is created we have a service that runs on labstore1001 that creates a mysql user/pass combination and writes it to a file within the tools home directory.

This has a lot of downsides at the moment:

  • This job is detached from tool creation or any user insight. It runs every 5m trying to figure out what it should do. The lack of visibility leaves tool owners and volunteers without debug options and fixup has to wait for a member of ops who understands the setup.
  • We grant access universally (when it works!) leaving lots of unused / abandoned accounts in the wild.
  • This does not lend itself to credential rotation ever.

Striker (http://striker.wmflabs.org/) is a Tools management interface spearheaded by @bd808 to make targeted aspects of Tools more friendly for users (T136256). I think it may make sense for this interface to include credential management logic for the replicas and any user accessible DB's for tool consumption.

Thoughts on why:

  • We already expect users of Tools to need to use this application
  • From what I can tell it is meant to be modular in a way that facilitates integration of this nature
  • It would be in every way superior to our current process if it gave users any information at all beyond "it's there or it's not"

Event Timeline

chasemp created this task.Jul 19 2016, 9:29 PM

@chasemp I do not want to push for this, but I suspect this may already be done and should be resolved? Can you comment the state of this? Maybe it is only partially done out of a larger scope?

bd808 added a comment.Aug 22 2017, 3:20 PM

This is still wishlist status on the Striker implementation side. The idea is to replace the current service which automatically generates mysql/mariadb credentials for each new Toolforge member and Tool with on-demand generation.

jcrespo added a comment.EditedAug 22 2017, 3:21 PM

Oh, sorry. So it is done, but not by striker. Sorry for the confusion. I will mark it as blocked on (generic) you.