Is moving wikitech to SUL a good idea? There's a lot of complications from doing that which aren't blockers for stopping using OpenStackManager, I thought. Should be split this task into the two components?

The goal is to have wikitech be just a normal wiki like any other, the source of Wikimedia technical documentation. Anything that actually does anything (and requires special login creds) will be handled via Horizon or Striker.

It's a dream, but a beautiful one. Are there complications I'm missing, outside of "Move all OSM functionality elsewhere"?

I thought there were some quite horrible issues with the shell/account naming stuff? There's also the problem of merging accounts (which isn't sanely possible) or having most of the existing users of the wiki be forcibly renamed.

The wikitech user name won't match the SUL username. So that would mean all wikitech users start to use their SUL user and now have 2 separate edit histories?

I would also recommend to split this into 2 tasks, one about using OpenStackManager and one about making Wikitech use SUL.

@Andrew How would we import the ssh keys as this is also currently handled by the extension?

As we import ssh keys in Special:Preference - OpenStack

I see no where in horizon for doing that.

In T161553#3182308, @Paladox wrote:

@Andrew How would we import the ssh keys as this is also currently handled by the extension?
As we import ssh keys in Special:Preference - OpenStack
I see no where in horizon for doing that.

Using https://toolsadmin.wikimedia.org/profile/settings/ssh-keys

In T161553#3141039, @Jdforrester-WMF wrote:

I thought there were some quite horrible issues with the shell/account naming stuff? There's also the problem of merging accounts (which isn't sanely possible) or having most of the existing users of the wiki be forcibly renamed.

In T161553#3141052, @Dzahn wrote:

The wikitech user name won't match the SUL username. So that would mean all wikitech users start to use their SUL user and now have 2 separate edit histories?

Shell accounts and wikitech accounts are only related by accident of implementation. The LDAP accounts could have been just as easily associated with SUL accounts from the beginning. The account creation workflow that has been implemented in https://toolsadmin.wikimedia.org/ starts with an OAuth association to an existing SUL account. LDAP accounts that existed prior to the new workflow can be associated with with a SUL account using that tool as well.

The final step of converting wikitech to a SUL wiki will require another SUL unification as was done for the main wiki farm. There is some fiddling to do at the code/configuration level, but I'm confident that we will be able to change things so that we can rename the wikitech users to match the associated SUL users without causing problems with gerrit and other systems that are currently using the LDAP cn and sn attributes which currently correspond to the on-wiki username for wikitech.

When it comes time to do the unification, we can connect many wiktech accounts to the proper SUL account using email addresses and git/svn commit histories if they have not already been linked using toolsadmin. There will be some currently unknown number of accounts where we have no SUL user to connect to and we will have to come up with a plan for how to deal with them. There is time for that. The elimination of OSM and SMW (T53642) are the first steps that we need to focus on.

@bd808 Thank you for the detailed explanation! (PS. Maybe if i can get T113792 solved on the side of this, i'd be happy, hehe :))

In T161553#3182344, @bd808 wrote:

In T161553#3182308, @Paladox wrote:

@Andrew How would we import the ssh keys as this is also currently handled by the extension?
As we import ssh keys in Special:Preference - OpenStack
I see no where in horizon for doing that.

Using https://toolsadmin.wikimedia.org/profile/settings/ssh-keys

But that sounds like tool related and not labs.

In T161553#3182596, @Paladox wrote:

But that sounds like tool related and not labs.

A rose by any other name would smell as sweet. We can rename the apache virtual host trivially. This will probably happen at some point as we add additional functionality to Striker (the application currently hosted at the https://toolsadmin.wikimedia.org/ vhost). Note that the functionality you are worried about is currently hosted on a vhost named wikitech.wikimedia.org which honestly sounds like neither Labs nor Tool Labs to me.

If the name of the vhost is the only thing that bothers you I'm pretty sure that the application and plan are on the right track. Please try to think more in the mode of of "What Would You Do If You Weren't Afraid?" and less "Who Moved My Cheese?" when interacting with the development community who are trying to make things better for everyone. (Honestly a horrible book, but a good sentiment.)

Oh nope the host name doesn't bother me, just was confusing on weather that was for tools only. but thanks for explaining.

Change 355617 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[mediawiki/extensions/OpenStackManager@master] Remove Special:NovaInstance page.

https://gerrit.wikimedia.org/r/355617

Change 355618 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[mediawiki/extensions/OpenStackManager@master] Remove two unused special pages.

https://gerrit.wikimedia.org/r/355618

In T161553#3183886, @bd808 wrote:

a vhost named wikitech.wikimedia.org which honestly sounds like neither Labs nor Tool Labs to me.

Labsconsole sound so much better IMO.

In T161553#3296173, @zhuyifei1999 wrote:

Labsconsole sound so much better IMO.

Until we rename away from using the 'Labs' term across the suite of product offerings. :)

It's early, but there was some discussion at the Vienna hackathon between @faidon, @Volans, and I and then between @Aklapper and I about the idea of a developer.wikimedia.org application that would be the entry point for creating and managing LDAP accounts. It could also serve as the start of the documentation and discovery portal for people interested in contributing to the technical spaces in the Wikimedia movement as well as consuming the various services that the movement provides for distributing knowledge. This application probably would not include the Toolforge management functionality from Striker, but it would logically take over the basic LDAP account creation and management roles. This is all in a very early preliminary discussion state however, so don't freak out if it sounds like the worst idea you have ever heard and don't get your hopes up yet if it sounds like the greatest thing ever.

Adding @MoritzMuehlenhoff too.

Change 355617 merged by jenkins-bot:
[mediawiki/extensions/OpenStackManager@master] Remove Special:NovaInstance page.

https://gerrit.wikimedia.org/r/355617

Change 355618 merged by jenkins-bot:
[mediawiki/extensions/OpenStackManager@master] Remove two unused special pages.

https://gerrit.wikimedia.org/r/355618

Mass-moving all items tagged for MediaWiki 1.30.0-wmf.3, as that was never released; instead, we're using -wmf.4.

Change 432702 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/mediawiki-config@master] wikitech: Don't load OpenStackManager

https://gerrit.wikimedia.org/r/432702

Change 432703 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] wikitech: remove OpenStackManager private settings

https://gerrit.wikimedia.org/r/432703

I've removed all of Wikitech's sidebar links to OSM. If we avoid protest and surprise for a few weeks I'll rip out the code.

In T161553#4249022, @Andrew wrote:

I've removed all of Wikitech's sidebar links to OSM. If we avoid protest and surprise for a few weeks I'll rip out the code.

I'm still a bit concerned about what complete removal does to new account creation. We need to think through how we are going to handle the fact that without OSM the MediaWiki account creation form will make LDAP accounts, but those accounts will not have a shell name and associated LDAP attributes. I think we can setup a hook or similar that will preserve account creation, but I have not looked into exactly what that would entail. It may be that we actually need a PHP calss or two to properly integrate this with the AuthManager layer.

@bd808, does striker not already do all the necessary things to create an account? Or is that accomplished via a wikitech hook? (Not that that solves the problem you're talking about, but it would suggest that we at least have a second example of the needed steps)

In T161553#4249033, @Andrew wrote:

@bd808, does striker not already do all the necessary things to create an account? Or is that accomplished via a wikitech hook? (Not that that solves the problem you're talking about, but it would suggest that we at least have a second example of the needed steps)

Striker does know how to create an LDAP record with the proper data to be used by OpenStack, MediaWiki, Gerrit, and Phabricator. That should make it easier for us to replicate the needed data collection and storage for sure.

The user interface there is currently full of talk about Toolforge which will probably be confusing to some people. It will also probably be confusing to have on-wiki account creation disabled if we decide to go that route instead. I think looking at how to either do it all in config with hooks or thinking about a slim extension that only adds the account creation parts would be easiest. I guess the 3rd option is to rip all the things out of OSM except account management. I can't imagine that OSM is really in use anywhere else since we have not heard from angry folks as we took out other functionality.