Enable 2FA for wikidata-staff on wikidatawiki
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	tstarling
	Nov 17 2016, 2:19 AM

Description

A WMDE staff member contacted me to request that OATH be enabled for the wikidata-staff group on wikidatawiki. This is a highly privileged group.

Details

	Project	Branch	Lines +/-	Subject
	operations/mediawiki-config	master	+24 -28	Make and re-use list of all elevated WMF groups

Customize query in gerrit

Related Objects

Mentioned In: T151229: Unable to issue email commands nor reply to Tasks since the last UI update
T150951: Create list of privileged wiki groups

Event Timeline

tstarling created this task.Nov 17 2016, 2:19 AM

Restricted Application added subscribers: JEumerus, Matanya, Aklapper. · View Herald TranscriptNov 17 2016, 2:19 AM

it's one of many dangerous groups I listed in the comments of https://gerrit.wikimedia.org/r/#/c/321797/

Lea_Lacroix_WMDE added a subscriber: Lea_Lacroix_WMDE.Nov 17 2016, 9:04 AM

MarcoAurelio triaged this task as High priority.Nov 17 2016, 10:26 AM

MarcoAurelio added a subscriber: MarcoAurelio.

This comment was removed by MarcoAurelio.

Restricted Application added a subscriber: Dereckson. · View Herald TranscriptNov 17 2016, 10:26 AM

In T150925#2801474, @Krenair wrote:

it's one of many dangerous groups I listed in the comments of https://gerrit.wikimedia.org/r/#/c/321797/

It's just symptomatic of a generally bigger problem. We let communities decide on their own extra groups, with varying rights etc. So they can do what we want. And then we don't remember about the various idiosyncrasies of various communities.

I propose, we add something to InitialiseSettings that we keep track of these groups that are generally considered "privileged", and as such, should be treated the same for OATHAuth, password requirements and alike -- as although we might've been enabling OATHAuth right for these groups. they've not been included in the bumps in PasswordPolicies. Otherwise we're varying on some right that all groups aren't likely to have in common, which is going to be prone to even more errors.

I want to avoid adding more lines like https://gerrit.wikimedia.org/r/#/c/321797/ (and the abusefilter line that was already there). For Wiki Specific groups, we should be adding these to groupOverrides/groupOverrides2, where we're already defining said rights. And similar can be said for sysop etc where it's in CommonSettings

I know I'm guilty of some of the above, but we might aswell fix it up now before it becomes a huge config mess. Granted, eventually these overrides will just be removed, and it'll be enabled for everyone

'wmgPrivelegedGroups' => [
	'default' => [ 'sysop', 'bureaucrat' ],
	'+wikidatawiki' => [ 'wikidata-staff' ],
],

We can then reuse this variable where necessary for setting these things for elevated password for these groups, and even enabling OATHAuth or similar protection in one place, rather than loads of hard coding

Reedy mentioned this in T150951: Create list of privileged wiki groups.Nov 17 2016, 1:37 PM

Change 322094 had a related patch set uploaded (by Reedy):
Make and re-use list of all elevated WMF groups

https://gerrit.wikimedia.org/r/322094

gerritbot added a project: Patch-For-Review.Nov 17 2016, 1:55 PM

Lea_Lacroix_WMDE added a subscriber: Lydia_Pintscher.Nov 18 2016, 10:28 AM

MarcoAurelio mentioned this in T151229: Unable to issue email commands nor reply to Tasks since the last UI update.Nov 21 2016, 6:59 PM

Change 322094 merged by jenkins-bot:
Make and re-use list of all elevated WMF groups

https://gerrit.wikimedia.org/r/322094

MarcoAurelio closed this task as Resolved.Nov 29 2016, 10:26 AM

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:34 PM