Page MenuHomePhabricator
Create Task
Maniphest T161859

Make Wikitech an SUL wiki
Open, MediumPublic
Actions

Description

We're moving lots of Labs-specific functions off of Wikitech. Once that's done, it should be possible to merge wikitech with the rest of the wikiverse.

See https://meta.wikimedia.org/wiki/Community_Tech/Tool_Labs_support/Tool_Labs_vision for some of the reasoning leading up to this task.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpenNoneT161553 Remove OpenStackManager from Wikitech
 ResolvedAndrewT150091 Support project creation without OpenStackManager
 ResolvedAndrewT159021 Wikitech error when adding users to projects
 ResolvedAndrewT162097 Create a Horizon panel for managing per-project sudo policies
 ResolvedAndrewT194191 Allow projectadmins to change project roles in Horizon
 ResolvedMarcoAurelioT194670 Copy maintenance/attachLdapUser.php to another extension
 ResolvedAndrewT194794 Add new users to Bastion group whenever they join a project
 In ProgressNoneT196171 Developer account creation without OpenStackManager
 OpenNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 DuplicateNoneT189639 Separate LDAP account creation bits from Striker to create a new identity management platform
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT319407 IDM milestone 1 "Initial development work"
 ResolvedNoneT319409 Pick a name for the IDM
 ResolvedSLyngshede-WMFT319410 Initial Django project setup
 ResolvedSLyngshede-WMFT319415 Evaluate Striker codebase
 ResolvedMarosteguiT320426 Figure out where/how to store IDM internal data
 ResolvedSLyngshede-WMFT320427 Design and implement async LDAP operations
 ResolvedSLyngshede-WMFT320428 Initial IDM puppetisation
 ResolvedSLyngshede-WMFT320430 Create an initial IDM/LDAP image for tests and CI
 ResolvedSLyngshede-WMFT320431 IDM: Central logging on all changes
 OpenNoneT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320604 Decide on model for serving idm.wikimedia.org
 ResolvedNoneT320605 Figure out an HA setup for the IDM
 ResolvedSLyngshede-WMFT320794 Extend LDAP to allow storing all necessary attributes
 ResolvedSLyngshede-WMFT320795 Implement a staging setup for the IDM
 ResolvedSLyngshede-WMFT320797 Initial production deployment of the IDM
 ResolvedSLyngshede-WMFT320799 IDM integration into CAS SSO
 ResolvedSLyngshede-WMFT320807 Implement OAuth account validation for linking an account to a wiki account
 ResolvedSLyngshede-WMFT320808 Implement email address validation workflow
 In ProgressSLyngshede-WMFT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 ResolvedSLyngshede-WMFT335091 Determine which sender address to use for email notification
 ResolvedSLyngshede-WMFT340721 Build Debian packages for Bookworm
 ResolvedSLyngshede-WMFT340722 Update IDM servers to Bookworm
 OpenSLyngshede-WMFT320801 Build-out for self service
 ResolvedSLyngshede-WMFT320802 Create a mockup and involve designers
 OpenBUG REPORTNoneT338824 Bitu is not responsive
 OpenNoneT320805 Define the core attribute list managed in the IDM with all stakeholders
 ResolvedSLyngshede-WMFT320806 Consider reusing some wiki data sources for signup/restrictions
 ResolvedSLyngshede-WMFT320809 Figure out a captcha option for IDM
 OpenNoneT335478 Automatic detection of inactive LDAP account
 OpenNoneT335485 Automatically deploy documentation to docs.wikimedia.org
 ResolvedSLyngshede-WMFT340636 Implement "Forgot my username" feature
 ResolvedSLyngshede-WMFT340637 Implement "update email" functionality
 OpenSLyngshede-WMFT340717 Implement "source" field on user objects
 OpenSLyngshede-WMFT345168 Live validation of usernames
 ResolvedSLyngshede-WMFT345226 Switch developer account creation to Bitu
 OpenNoneT338477 `Nova Resource:` namespace should be declared in wmf-config, not in Extension:OpenStackManager
 Resolved bd808T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
 ResolvedyuvipandaT103995 Build a simple tool to query which instances have which roles / puppet variables
 Resolved bd808T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
 Resolved bd808T162508 Implement Tool Labs membership application and processing in Striker
 Resolved bd808T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
 OpenNoneT163478 Allow viewing/searching LDAP account creations including date
 ResolvedNoneT153821 wikitech.wikimedia.org missing from pageviews API
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 ResolvedMarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
ResolvedMarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 ResolvedBstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenNoneT292707 Migrate Wikitech to Kubernetes

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Jdforrester-WMF added a comment.May 4 2017, 7:18 PM

Does this encompass T98813: Move wikitech (silver) to HHVM too?

bd808 mentioned this in T153821: wikitech.wikimedia.org missing from pageviews API.May 8 2017, 3:19 PM
Milimetric added a subtask: T153821: wikitech.wikimedia.org missing from pageviews API.May 9 2017, 2:06 PM
bd808 closed subtask T53642: Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org as Resolved.May 9 2017, 11:02 PM
TerraCodes added a subscriber: TerraCodes.May 9 2017, 11:08 PM
bd808 added a subscriber: bd808.May 11 2017, 9:28 PM
In T161859#3236750, @Jdforrester-WMF wrote:

Does this encompass T98813: Move wikitech (silver) to HHVM too?

Yes, but indirectly I think. Once wikitech is a SUL wiki it should just live in the main wiki cluster rather than on silver. We can actually even do that before full SUL unification. The remaining blocker to moving the wiki to the normal hosting pool is T161553: Remove OpenStackManager from Wikitech.

jcrespo mentioned this in T167973: Move database for wikitech (labswiki) to a main cluster section.Jun 15 2017, 2:50 PM
bd808 mentioned this in T168470: Setup wikitech, horizon, and striker on new labweb hardware.Jun 20 2017, 9:01 PM
bd808 updated the task description. (Show Details)Jun 20 2017, 10:19 PM
bd808 added a subtask: T148048: Store Wikimedia unified account name (SUL) in LDAP directory.
demon mentioned this in T168692: Blocking an account on wikitech should disable LDAP logins.Jul 10 2017, 6:01 PM
Mainframe98 added a subscriber: Mainframe98.Jul 17 2017, 9:05 PM
MarcoAurelio mentioned this in T171570: Rename database 'labswiki' to 'wikitechwiki'.Jul 25 2017, 10:08 AM
MarcoAurelio added a subscriber: MarcoAurelio.

Would/Is T171570 a blocker for this one?

bd808 added a comment.Jul 25 2017, 3:12 PM
In T161859#3469379, @MarcoAurelio wrote:

Would/Is T171570 a blocker for this one?

T171570: Rename database 'labswiki' to 'wikitechwiki' seems like a large potential for breaking things with a very small overall impact on the movement. I personally don't think it is worth the effort and risk.

Paladox added a comment.Jul 25 2017, 3:13 PM

Wouldn't this also break gerrit?

zhuyifei1999 added a comment.Jul 25 2017, 3:16 PM
In T161859#3470502, @Paladox wrote:

Wouldn't this also break gerrit?

gerrit uses LDAP account, so as long as LDAP is sane gerrit is okay.

Paladox added a comment.Jul 25 2017, 3:17 PM

Yep but would new accounts work?

bd808 added a comment.Jul 25 2017, 4:20 PM
In T161859#3470511, @Paladox wrote:

Yep but would new accounts work?

See the outline at the top which clearly includes Replace wikitech as source of LDAP account creation.

Paladox added a comment.Jul 25 2017, 4:20 PM

Oh i see. Thanks.

Liuxinyu970226 added a subscriber: Liuxinyu970226.Jul 25 2017, 11:33 PM
BethNaught added a subscriber: BethNaught.Jul 30 2017, 9:25 AM
He7d3r added a subscriber: He7d3r.Aug 30 2017, 7:02 PM
bd808 mentioned this in T110987: Determine whether wikitech should really depend on production search cluster.Sep 7 2017, 12:31 AM
nshahquinn added a subscriber: nshahquinn.Sep 11 2017, 6:14 PM
bd808 mentioned this in T179461: Use the term "developer account" for Wikimedia LDAP accounts.Nov 1 2017, 3:13 AM
bd808 mentioned this in T179463: Create a single application to provision and manage developer (LDAP) accounts.Nov 1 2017, 4:26 AM
bd808 mentioned this in T103874: Update Vagrant role for Extension:OpenStackManager.Feb 1 2018, 4:52 AM
Quiddity added a subscriber: Quiddity.Feb 23 2018, 9:09 PM
Tgr added a subscriber: Tgr.Feb 23 2018, 9:37 PM

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

MarcoAurelio added a comment.Feb 23 2018, 9:49 PM

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

Andrew added a comment.Feb 23 2018, 9:49 PM

@Tgr, I don't think we would want to do this. The threat model for horizon/gerrit/etc is quite different from on-wiki account access so I'd prefer that we keep the two separate account types.

That said, a simpler/unified login service for all developer account types might be nice.

bd808 added a comment.Feb 23 2018, 11:16 PM
In T161859#3997722, @MarcoAurelio wrote:

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

My intent is for all existing LDAP accounts (that are still in use) to be associated with a SUL account. This is the "Connect active LDAP accounts with SUL accounts" step in the very high level plan. It is possible today to make this association using https://toolsadmin.wikimedia.org/. The "Replace wikitech as source of LDAP account creation" step would be a good time to introduce this idea more broadly and to start a campaign to get active users to make the association.

bd808 added a comment.Feb 23 2018, 11:21 PM
In T161859#3997670, @Tgr wrote:

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

That decision is largely beyond the scope of the Cloud Services team. The projects we own that could do this are Horizon and Striker (toolsadmin). There is a plan for Striker to use SUL via OAuth as the authentication mechanism. I think it would be possible for Horizon as well, but one thing we would probably want to be able to do for Horizon is to require that the SUL account be using 2FA protection.

Framawiki added a subscriber: Framawiki.Feb 24 2018, 4:28 PM
Mholloway added a subscriber: Mholloway.Feb 28 2018, 5:30 PM
Tgr added a comment.Mar 12 2018, 10:13 PM
In T161859#3997670, @Tgr wrote:

Is there also a "make everything SUL" plan?

Filed that as T189531: All Wikimedia developer services should use single sign-on.

Tgr added a parent task: T189531: All Wikimedia developer services should use single sign-on.Mar 12 2018, 10:14 PM
bd808 mentioned this in T88092: Update wikitech customised shell account name registration instructions.Mar 22 2018, 8:52 PM
bd808 added a subtask: T179463: Create a single application to provision and manage developer (LDAP) accounts.Mar 22 2018, 8:55 PM
mxn added a subscriber: mxn.May 21 2018, 6:44 AM
1997kB added a subscriber: 1997kB.Aug 18 2018, 6:12 AM
jcrespo added a subtask: T167973: Move database for wikitech (labswiki) to a main cluster section.Sep 6 2018, 7:27 AM
jcrespo removed a project: Cloud-Services.
jcrespo updated the task description. (Show Details)
bd808 mentioned this in T131385: Dynamically fiddle with wgLocalDatabases to recognise wikitech separation.Oct 2 2018, 9:13 PM
AfroThundr3007730 added a subscriber: AfroThundr3007730.Nov 27 2018, 4:44 AM
GTirloni added a subscriber: GTirloni.Nov 28 2018, 4:02 PM
Nuria closed subtask T153821: wikitech.wikimedia.org missing from pageviews API as Resolved.Jan 8 2019, 12:00 PM
jbond added a subscriber: jbond.Mar 5 2019, 3:47 PM
GTirloni removed a subscriber: GTirloni.Mar 21 2019, 9:06 PM
Meno25 added a subscriber: Meno25.May 31 2019, 4:32 PM
bd808 mentioned this in T233236: Move labtestwikitech database to clouddb2001-dev.Oct 16 2019, 4:44 PM
Andrew added a parent task: T237771: Make Wikitech a normal wiki.Nov 8 2019, 9:42 PM
Peachey88 added a subscriber: Peachey88.Nov 8 2019, 11:31 PM
bd808 changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Stalled to Open.Nov 10 2019, 10:56 PM
bd808 updated the task description. (Show Details)
bd808 added a subtask: T237773: Move Wikitech onto the production MW cluster.Nov 10 2019, 11:01 PM
bd808 removed a parent task: T237771: Make Wikitech a normal wiki.
bd808 merged a task: T237771: Make Wikitech a normal wiki.
bd808 updated the task description. (Show Details)Nov 10 2019, 11:08 PM
Reedy moved this task from Backlog to Snowflakes on the wikitech.wikimedia.org board.Nov 11 2019, 12:18 AM
jcrespo changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Open to Stalled.Nov 11 2019, 8:38 AM
jcrespo changed the status of subtask T167973: Move database for wikitech (labswiki) to a main cluster section from Stalled to Open.
Quiddity mentioned this in T241027: wikitech: Update user groups following OpenStackManager rights removal.Dec 19 2019, 8:00 PM
bd808 mentioned this in T237889: Install php-ldap on all MW appservers.Apr 13 2020, 7:56 PM
bd808 mentioned this in T237773: Move Wikitech onto the production MW cluster.Jul 10 2020, 12:16 AM
bd808 updated the task description. (Show Details)Apr 30 2021, 4:02 PM
Restricted Application added a project: cloud-services-team (Kanban). · View Herald TranscriptApr 30 2021, 4:02 PM
Ameisenigel added a subscriber: Ameisenigel.May 10 2021, 6:11 AM
aborrero triaged this task as Medium priority.May 11 2021, 4:16 PM
aborrero moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.
Nintendofan885 added a subscriber: Nintendofan885.Jul 17 2021, 6:58 PM
Frostly added a subscriber: Frostly.Aug 16 2021, 6:21 PM
bd808 mentioned this in T288906: Remove CentralAuth SUL migration code.Aug 18 2021, 4:09 PM
LSobanski added a subscriber: LSobanski.Sep 6 2021, 8:45 PM
Marostegui closed subtask T167973: Move database for wikitech (labswiki) to a main cluster section as Resolved.Sep 27 2021, 8:19 AM
Mholloway removed a subscriber: Mholloway.Sep 27 2021, 11:24 AM
Reedy mentioned this in T296893: Replace Diffusion integration with Gitlab integration in Striker (toolsadmin).Dec 2 2021, 5:52 AM
Zabe added a subscriber: Zabe.Dec 25 2021, 12:24 AM
Stang added a subscriber: Stang.Feb 10 2022, 2:44 PM
bd808 mentioned this in T305786: Fatal exception of type "UnexpectedValueException" when attempting to block.Apr 14 2022, 5:09 PM
TheresNoTime added a subscriber: TheresNoTime.Sep 28 2022, 12:06 PM
BTullis added a subscriber: BTullis.Sep 28 2022, 3:21 PM
Izno added a subscriber: Izno.Oct 14 2022, 10:55 PM
lmata added a subscriber: lmata.Dec 6 2022, 7:39 PM
akosiaris changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Open to Stalled.Dec 15 2022, 10:13 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
lmata removed a subscriber: lmata.Jan 20 2023, 1:46 PM
SLyngshede-WMF changed the status of subtask T148048: Store Wikimedia unified account name (SUL) in LDAP directory from Stalled to In Progress.Feb 6 2023, 8:24 AM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL