Page MenuHomePhabricator
Create Task
Maniphest T153815

Allow global groups to be assigned temporarily (expire)
Closed, ResolvedPublic
Actions

Assigned To
taavi
Authored By
TTO
Dec 21 2016, 5:01 AM
Tags
Referenced Files
None
Subscribers
Aklapper
alaa
CCicalese_WMF
CptViraj
DerHexer
gerritbot
HakanIST
View All 25 Subscribers
Tokens
"Barnstar" token, awarded by CptViraj."Like" token, awarded by Stryn."Like" token, awarded by TheresNoTime."Like" token, awarded by Reception123."Like" token, awarded by MarcoAurelio.

Description

T12493: Setting a temporary usergroup (allow expiry of user rights via Special:UserRights form) is about allowing local user groups to be assigned temporarily. This was a top-10 wish in the 2016 Community Wishlist Survey.

A logical extension of that wish would be to allow global groups to expire as well. From a quick glance, it looks like the CentralAuth code and tables would need similar modifications to core code and tables.

It's worth noting that the community discussion at the Survey didn't mention global groups. However, it seems that this could be useful for global IP block exemptions among other things.

There are only 8 temporary group memberships in force at the moment (6 GIPBE, 1 global delete, 1 global editinterface), so this doesn't look like a high-priority task.

Details

SubjectRepoBranchLines +/-
P:mw::maintenance: add centralauth group purge joboperations/puppetproduction+7 -0
Enable temporary global user groups on productionoperations/mediawiki-configmaster+3 -3
Update SpecialGlobalGroupMembership for global groupsmediawiki/extensions/CentralAuthmaster+92 -27
beta: Enable temporary global user groupsoperations/mediawiki-configmaster+3 -0
Allow global groups to be assigned temporarilymediawiki/extensions/CentralAuthmaster+593 -109
Add a script to clean expired global_user_groups rowsmediawiki/extensions/CentralAuthmaster+85 -0
SpecialCentralAuth: Display global group expirymediawiki/extensions/CentralAuthmaster+30 -5
Enforce gug_expirymediawiki/extensions/CentralAuthmaster+151 -26
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 21 2016, 5:01 AM
TTO added a project: Stewards-and-global-tools.Dec 21 2016, 5:10 AM
MZMcBride subscribed.Dec 21 2016, 5:24 AM
MarcoAurelio edited projects, added Stewards-and-global-tools (Temporary-UserRights); removed Stewards-and-global-tools.Dec 21 2016, 2:46 PM
DannyH moved this task from New & TBD Tickets to Older: Team Work on the Community-Tech board.Dec 22 2016, 5:41 PM
TTO triaged this task as Low priority.Jan 31 2017, 3:48 AM
TTO updated the task description. (Show Details)
MarcoAurelio subscribed.Jan 31 2017, 9:45 AM

Expiring global groups would be tremendously useful as well. For example, all IPBE's we grant, or nearly all of them, are temporary but don't list them afterwards at SRAT but in our internal wiki for privacy reasons. Other global groups such as editinterface are temporary by default. It'd really help us to have this function avalaible for global rights as well. Thanks!

TTO added a comment.Feb 1 2017, 8:41 AM

Just to get an idea, are all of the 252 current global IP-block exemptions temporary? If not, how many are temporary?

MarcoAurelio added a comment.Feb 1 2017, 11:11 AM

Excluding a handful of them, we usually grant that until the global block that caused their issues expires, or for one year and so on. Some users are given GIPBE permanently, but there ain't that much of them. Thanks.

Teles subscribed.Apr 20 2017, 2:20 AM
RuyP subscribed.Apr 25 2017, 3:51 AM
HakanIST subscribed.Apr 25 2017, 10:02 AM
Rschen7754 subscribed.Apr 26 2017, 6:27 PM
Vituzzu subscribed.Apr 29 2017, 8:11 PM
Trijnstel subscribed.Apr 29 2017, 8:23 PM
MF-Warburg subscribed.Apr 29 2017, 11:06 PM
DerHexer subscribed.Apr 30 2017, 6:25 PM
MarcoAurelio added a comment.Jul 26 2017, 2:40 PM

Now that local user group expiration is a reality and seems to be working just fine, can we get an estimate on how much effort or complication this would be? Maybe also adding subtasks of pending things to do would be a good idea? Regards.

MarcoAurelio awarded a token.Jul 26 2017, 2:40 PM
TTO added a comment.Jul 27 2017, 1:14 AM

I was hoping to work on it this month, but various IRL things happened so that I wasn't able to. I do plan to get to it eventually, but note that this task is not assigned to me, so anyone else may of course claim it if they wish.

I think it is best worked on as a single unit of work; the main meat of it will be a patch to CentralAuth, and I don't think there will be too much beyond that (fingers crossed).

Reception123 merged a task: T173292: CentralAuth temporary global groups (expiry).Aug 14 2017, 6:04 AM
Reception123 awarded a token.
Reception123 subscribed.
MarcoAurelio added a comment.Aug 14 2017, 8:42 AM

@TTO I think we'll wait for you since you have done most of the temporary userrights feature and know what exactly needs to be done.

TBolliger removed a project: Community-Tech.Feb 23 2018, 11:49 PM
MarcoAurelio added a comment.Mar 15 2018, 3:07 PM

Due to recent issues with governments blocking accesses to Wikimedia sites, the number of temporary IP block exemptions have been growing, and so keeping track of all of them is getting harder. We also grant other kind of temporary global rights which would benefit from this, as explained above. Can I suggest, if possible, to have a look at this request again please? Thank you!

TheresNoTime awarded a token.Mar 15 2018, 3:38 PM
TheresNoTime subscribed.
Stryn awarded a token.Mar 15 2018, 4:07 PM
alaa subscribed.Mar 23 2018, 8:34 PM
MarcoAurelio added a comment.Jul 31 2018, 4:50 PM

Hi there. Any updates? Feature still required for most global ipblock exemptions and (soon) all global interface administrator permissions. Thanks!

Melos subscribed.Nov 21 2018, 9:23 PM
gerritbot subscribed.Nov 27 2018, 1:04 AM

Change 475930 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/CentralAuth@master] Allow global groups to be assigned temporarily

https://gerrit.wikimedia.org/r/475930

gerritbot added a project: Patch-For-Review.Nov 27 2018, 1:04 AM
MarcoAurelio added a project: Schema-change.Nov 27 2018, 7:40 PM

Thanks @Melos !!!

AFAICS your change does some DB changes so I'm adding the Schema-change so our DBA can take a look as well.

Notes to consider that just came to my mind: when we implemented expiring local rights there was a problem with said permissions when expiring not being moved to user_former_groups and being in the database indefinitely until someone did "touched" the wiki. This was: T177404: Expired user groups not added to user_former_groups table, T176754: Regularly purge expired temporary userrights from DB tables and T163691: Expired user groups are still shown in Special:Preferences/Special:UserRights after expiring, due to User cache among others. Taking a look at https://phabricator.wikimedia.org/project/board/2414/query/all/ can also be helpful.

Regards.

jrbs subscribed.Dec 4 2018, 7:20 PM
MarcoAurelio added a project: DBA.Jul 31 2019, 11:40 AM

Tag DBA for patch review.

Marostegui removed a project: DBA.Jul 31 2019, 12:29 PM
Marostegui subscribed.

The schema change looks good to me. The table is pretty small (around 1500 rows) and 8M in disk, so it can probably be altered on the master once the schema change is ready.
Please, remember to submit a schema change when the change is merged, using the schema change template: https://wikitech.wikimedia.org/wiki/Schema_changes#Workflow_of_a_schema_change

Removing the DBA tag but I will remain subscribed here in case I am needed :)

Jony subscribed.Jul 31 2019, 12:39 PM
MarcoAurelio added a comment.Oct 16 2019, 3:04 PM

@Marostegui So, do we get 475930 merged first and then file a new task? I'd love to get this new feature live but I'm a bit lost on how to proceed. Thanks.

Marostegui added a comment.Oct 16 2019, 3:11 PM

Yes, once that patchset is reviewd and merged, you can follow: https://wikitech.wikimedia.org/wiki/Schema_changes#Workflow_of_a_schema_change

MarcoAurelio added a project: Platform Engineering.Jan 23 2020, 12:31 PM

+CPT for codereview.

daniel raised the priority of this task from Low to Medium.Feb 5 2020, 7:20 PM
daniel moved this task from Inbox to Feature Requests to Review on the Platform Engineering board.Feb 5 2020, 7:24 PM
CCicalese_WMF removed a project: Platform Engineering.Feb 13 2020, 8:07 PM
CCicalese_WMF subscribed.

Is this task ready for code review by the Core Platform Team? The only patch I see is 475930, and it is marked as WIP. I'm untagging us for now, but please retag when there is a patch ready for code review.

MarcoAurelio added a comment.Feb 13 2020, 9:32 PM

@CCicalese_WMF I have asked @Melos to confirm whether the patch is still WIP or can proceed to code review. I'll let you know once I have a reply.

gerritbot added a comment.Feb 18 2020, 11:37 AM

Change 475930 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/CentralAuth@master] Allow global groups to be assigned temporarily

https://gerrit.wikimedia.org/r/475930

Reedy moved this task from Unsorted to Add / Create on the Schema-change board.Feb 24 2020, 6:13 AM
Reedy closed subtask T245413: Prepare CentralAuth db for global groups expiration as Resolved.Feb 24 2020, 6:59 AM
Melos added a project: Platform Engineering.Feb 27 2020, 3:14 PM
CCicalese_WMF edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.Feb 27 2020, 3:19 PM
CCicalese_WMF moved this task from Inbox to External Code Review Needed on the Platform Team Workboards (Clinic Duty Team) board.
Tks4Fish subscribed.Apr 13 2020, 8:26 PM
Reedy mentioned this in T245946: Create a hook for purgeExpiredUserrights.May 7 2020, 10:39 PM
CCicalese_WMF edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Team Workboards (Clinic Duty Team).Jul 31 2020, 4:16 PM
CptViraj subscribed.Nov 17 2020, 4:28 AM
taavi subscribed.Dec 24 2020, 3:49 PM
Zabe subscribed.Feb 27 2021, 10:09 PM
gerritbot added a comment.Dec 4 2021, 10:27 AM

Change 743561 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/CentralAuth@master] Enforce gug_expiry

https://gerrit.wikimedia.org/r/743561

gerritbot added a comment.Jan 8 2022, 7:02 PM

Change 743561 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Enforce gug_expiry

https://gerrit.wikimedia.org/r/743561

gerritbot added a comment.Jan 8 2022, 7:03 PM

Change 752300 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/CentralAuth@master] Add a script to clean expired global_user_groups rows

https://gerrit.wikimedia.org/r/752300

gerritbot added a comment.Jan 8 2022, 7:03 PM

Change 752301 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/CentralAuth@master] Update SpecialGlobalGroupMembership for global groups

https://gerrit.wikimedia.org/r/752301

gerritbot added a comment.Jan 8 2022, 7:23 PM

Change 752302 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/CentralAuth@master] SpecialCentralAuth: Display global group expiry

https://gerrit.wikimedia.org/r/752302

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.17; 2022-01-10).Jan 8 2022, 8:00 PM
taavi claimed this task.Jan 8 2022, 8:26 PM
gerritbot added a comment.Jan 8 2022, 8:59 PM

Change 752302 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SpecialCentralAuth: Display global group expiry

https://gerrit.wikimedia.org/r/752302

gerritbot added a comment.Jan 9 2022, 3:25 PM

Change 752300 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add a script to clean expired global_user_groups rows

https://gerrit.wikimedia.org/r/752300

gerritbot added a comment.Jan 9 2022, 4:07 PM

Change 752341 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:mw::maintenance: add centralauth group purge job

https://gerrit.wikimedia.org/r/752341

gerritbot added a comment.Jan 9 2022, 4:15 PM

Change 752301 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Update SpecialGlobalGroupMembership for global groups

https://gerrit.wikimedia.org/r/752301

gerritbot added a comment.Jan 9 2022, 4:16 PM

Change 475930 abandoned by Zabe:

[mediawiki/extensions/CentralAuth@master] Allow global groups to be assigned temporarily

Reason:

Sadly this never went in, temporary global groups were now implemented in different patches, so this one is no longer necessary. Still thanks for your work. :)

https://gerrit.wikimedia.org/r/475930

gerritbot added a comment.Jan 9 2022, 4:22 PM

Change 752343 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/mediawiki-config@master] beta: Enable temporary global user groups

https://gerrit.wikimedia.org/r/752343

gerritbot added a comment.Jan 9 2022, 4:22 PM

Change 752344 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/mediawiki-config@master] Enable temporary global user groups on production

https://gerrit.wikimedia.org/r/752344

taavi added a comment.Jan 9 2022, 6:53 PM

CentralAuth code changes are shipping next week with the train but disabled with a config value. I'll enable it on production once the train is 100% stable and deployed on all wikis, so most likely the week starting January 17th.

gerritbot added a comment.Jan 10 2022, 12:25 PM

Change 752343 merged by jenkins-bot:

[operations/mediawiki-config@master] beta: Enable temporary global user groups

https://gerrit.wikimedia.org/r/752343

gerritbot added a comment.Jan 18 2022, 9:35 AM

Change 752344 merged by jenkins-bot:

[operations/mediawiki-config@master] Enable temporary global user groups on production

https://gerrit.wikimedia.org/r/752344

Stashbot added a comment.Jan 18 2022, 9:41 AM

Mentioned in SAL (#wikimedia-operations) [2022-01-18T09:41:03Z] <taavi@deploy1002> Synchronized wmf-config/CommonSettings.php: Config: [[gerrit:752344|Enable temporary global user groups on production (T153815)]] (duration: 00m 51s)

taavi closed this task as Resolved.Jan 18 2022, 9:41 AM
CptViraj awarded a token.Jan 18 2022, 3:46 PM
MusikAnimal mentioned this in T299411: xtools does not display global group expiry on rights changes list.Jan 18 2022, 8:57 PM
gerritbot added a comment.Jan 20 2022, 8:49 AM

Change 752341 merged by Legoktm:

[operations/puppet@production] P:mw::maintenance: add centralauth group purge job

https://gerrit.wikimedia.org/r/752341

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL