Page MenuHomePhabricator
Create Task
Maniphest T142815

Enhance account handling (meta bug)
Open, MediumPublic
Actions

Description

This task tracks various enhancement tasks around account/group membership handling in the WMF systems.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT142815 Enhance account handling (meta bug)
 ResolvedMoritzMuehlenhoffT142816 Optional expiry date for user accounts
 ResolvedMoritzMuehlenhoffT142817 Enhance group membership visibility using the memberof LDAP overlay
 DeclinedNoneT142819 Update/add/remove LDAP entries based on changes to data.yaml
 ResolvedjbondT142821 Synchronise groups defined in data.yaml to LDAP
 ResolvedhasharT142822 Check status of under_NDA group
 ResolvedMoritzMuehlenhoffT142825 Offboarding script for account handling
 ResolvedMoritzMuehlenhoffT142826 Require/track email addresses
 DeclinedNoneT142827 Enforce reference to Phabricator task for all commits to modules/admin/data/data.yaml
 DeclinedNoneT142830 Require/track Phabricator username
 ResolvedMoritzMuehlenhoffT142836 Cross-validation of account data
 DeclinedNoneT129786 Add wmf LDAP group members into nda group, delete wmf group
 ResolvedMoritzMuehlenhoffT129788 Review list of LDAP groups and document exactly what kind of access they can be allowed to provide
 Resolved AlexMonk-WMFT114161 Do not require people to be explicitly added to the bastiononly group
 DeclinedNoneT146657 create notifications about user accounts that have not been used for a long time
 DeclinedNoneT149222 Reconsider/check naming of 'privatedata' shell groups compared to their theoretically non-sensitive counterparts
 DeclinedNoneT149225 Rethink/clarify/document use of 'analytics' vs. 'statistics' in group names
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpenNoneT359428 Striker should use ID instead of username to identify SUL accounts
 ResolvedMoritzMuehlenhoffT157131 Harmonise "Directory Managers" group
 ResolvedDzahnT157591 rename shell user 'volkere' to 'volker-e'
 DeclinedNoneT160158 Make disabled accounts visible in the corp mirror LDAP replica
 DeclinedNoneT161003 Cross-check disabled accounts from corp LDAP against data.yaml
 StalledNoneT161004 Remove disabled users from internal mailing lists
 OpenFeatureNoneT364516 Look for ways to consolidate "we trust this human" access lists

Event Timeline

MoritzMuehlenhoff created this task.Aug 12 2016, 9:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 12 2016, 9:26 AM
MoritzMuehlenhoff added a project: SRE.Aug 12 2016, 9:26 AM
Krenair subscribed.Aug 12 2016, 9:29 AM
MoritzMuehlenhoff added a subtask: T142816: Optional expiry date for user accounts.Aug 12 2016, 9:30 AM
MoritzMuehlenhoff created subtask T142817: Enhance group membership visibility using the memberof LDAP overlay.Aug 12 2016, 9:36 AM
MoritzMuehlenhoff created subtask T142819: Update/add/remove LDAP entries based on changes to data.yaml.Aug 12 2016, 9:53 AM
MoritzMuehlenhoff created subtask T142822: Check status of under_NDA group.Aug 12 2016, 10:36 AM
faidon subscribed.Aug 12 2016, 10:42 AM
Peachey88 subscribed.Aug 12 2016, 10:44 AM
MoritzMuehlenhoff created subtask T142825: Offboarding script for account handling.Aug 12 2016, 10:57 AM
MoritzMuehlenhoff created subtask T142826: Require/track email addresses.Aug 12 2016, 11:07 AM
MoritzMuehlenhoff created subtask T142827: Enforce reference to Phabricator task for all commits to modules/admin/data/data.yaml.Aug 12 2016, 11:10 AM
MoritzMuehlenhoff created subtask T142830: Require/track Phabricator username.Aug 12 2016, 11:55 AM
MoritzMuehlenhoff created subtask T142836: Cross-validation of account data.Aug 12 2016, 12:34 PM
AlexMonk-WMF added subtasks: T129786: Add wmf LDAP group members into nda group, delete wmf group, T129788: Review list of LDAP groups and document exactly what kind of access they can be allowed to provide.Aug 12 2016, 1:23 PM
AlexMonk-WMF added a subtask: T114161: Do not require people to be explicitly added to the bastiononly group.Aug 12 2016, 1:59 PM
AlexMonk-WMF closed subtask T114161: Do not require people to be explicitly added to the bastiononly group as Resolved.Aug 20 2016, 8:02 AM
greg subscribed.Aug 20 2016, 8:05 AM
MoritzMuehlenhoff triaged this task as Medium priority.Sep 6 2016, 12:58 PM
hashar closed subtask T142822: Check status of under_NDA group as Resolved.Sep 26 2016, 10:20 AM
Dzahn created subtask T146657: create notifications about user accounts that have not been used for a long time.Sep 26 2016, 4:03 PM
AlexMonk-WMF created subtask T149222: Reconsider/check naming of 'privatedata' shell groups compared to their theoretically non-sensitive counterparts.Oct 26 2016, 6:01 PM
AlexMonk-WMF created subtask T149225: Rethink/clarify/document use of 'analytics' vs. 'statistics' in group names.Oct 26 2016, 6:07 PM
AlexMonk-WMF mentioned this in T108078: audit labs versus production ssh keys.Dec 10 2016, 2:24 PM
AlexMonk-WMF added a subtask: T148048: Store Wikimedia unified account name (SUL) in LDAP directory.
MoritzMuehlenhoff closed subtask T142826: Require/track email addresses as Resolved.Feb 3 2017, 11:12 AM
MoritzMuehlenhoff created subtask T157131: Harmonise "Directory Managers" group.Feb 3 2017, 3:04 PM
chasemp subscribed.Feb 6 2017, 5:26 PM

Is there a way to disable an account in LDAP that would then fail for authentication for all ancillary services that check LDAP? We have run into wanting this a few times with spammers who hit Phab and then wikitech or gerrit. The common point of authentication is there but we end up playing whackamole in every venue individually. We have also wanted this for a Tool account or service user that is suspected as compromised and the workarounds are very specific and hacky.

Dzahn added a subtask: T157591: rename shell user 'volkere' to 'volker-e'.Feb 8 2017, 6:28 PM
Dzahn closed subtask T157591: rename shell user 'volkere' to 'volker-e' as Resolved.Feb 8 2017, 7:13 PM
MoritzMuehlenhoff closed subtask T129786: Add wmf LDAP group members into nda group, delete wmf group as Declined.Feb 17 2017, 10:12 AM
MoritzMuehlenhoff closed subtask T142816: Optional expiry date for user accounts as Resolved.Feb 17 2017, 12:55 PM
Ottomata closed subtask T149225: Rethink/clarify/document use of 'analytics' vs. 'statistics' in group names as Declined.Mar 9 2017, 3:57 PM
Ottomata closed subtask T149222: Reconsider/check naming of 'privatedata' shell groups compared to their theoretically non-sensitive counterparts as Declined.Mar 9 2017, 4:05 PM
MoritzMuehlenhoff closed subtask T142836: Cross-validation of account data as Resolved.Mar 10 2017, 9:44 AM
MoritzMuehlenhoff closed subtask T142830: Require/track Phabricator username as Declined.Mar 10 2017, 9:59 AM
MoritzMuehlenhoff closed subtask T142819: Update/add/remove LDAP entries based on changes to data.yaml as Declined.Mar 13 2017, 10:16 AM
MoritzMuehlenhoff closed subtask T129788: Review list of LDAP groups and document exactly what kind of access they can be allowed to provide as Resolved.Mar 15 2017, 12:07 PM
MoritzMuehlenhoff closed subtask T142825: Offboarding script for account handling as Resolved.Mar 17 2017, 10:01 AM
MoritzMuehlenhoff closed subtask T157131: Harmonise "Directory Managers" group as Resolved.Mar 21 2017, 3:29 PM
MoritzMuehlenhoff closed subtask T142817: Enhance group membership visibility using the memberof LDAP overlay as Resolved.Mar 22 2017, 7:53 AM
MoritzMuehlenhoff added subtasks: T161004: Remove disabled users from internal mailing lists, T160158: Make disabled accounts visible in the corp mirror LDAP replica.Mar 28 2017, 7:00 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:47 PM
Dzahn changed the status of subtask T161004: Remove disabled users from internal mailing lists from Open to Stalled.Oct 16 2020, 12:58 AM
MoritzMuehlenhoff closed subtask T146657: create notifications about user accounts that have not been used for a long time as Declined.Nov 7 2022, 9:11 AM
LSobanski closed subtask T160158: Make disabled accounts visible in the corp mirror LDAP replica as Declined.Nov 7 2022, 10:13 AM
LSobanski added a project: Infrastructure-Foundations.
MoritzMuehlenhoff closed subtask T142827: Enforce reference to Phabricator task for all commits to modules/admin/data/data.yaml as Declined.Dec 1 2022, 9:29 AM
akosiaris changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Open to Stalled.Dec 15 2022, 10:13 AM
SLyngshede-WMF changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Stalled to In Progress.Feb 6 2023, 8:24 AM
SLyngshede-WMF closed subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory as Resolved.Jan 29 2024, 3:40 PM
bd808 reopened subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory as Open.Feb 1 2024, 1:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits