Page MenuHomePhabricator

Make Wikitech an SUL wiki
Open, MediumPublic

Description

We're moving lots of Labs-specific functions off of Wikitech. Once that's done, it should be possible to merge wikitech with the rest of the wikiverse.

See https://meta.wikimedia.org/wiki/Community_Tech/Tool_Labs_support/Tool_Labs_vision for some of the reasoning leading up to this task.

Related Objects

StatusSubtypeAssignedTask
OpenNone
OpenNone
OpenNone
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedMarcoAurelio
ResolvedAndrew
OpenNone
Resolvedbd808
Resolvedyuvipanda
Resolvedbd808
Resolvedbd808
Resolvedbd808
OpenNone
ResolvedNone
OpenNone
OpenNone
DuplicateNone
OpenNone
OpenMarostegui
ResolvedAndrew
ResolvedMarostegui
ResolvedAndrew
OpenAndrew
ResolvedAndrew
OpenAndrew
ResolvedLadsgroup
OpenNone
OpenNone
OpenNone
ResolvedJdforrester-WMF
DeclinedNone

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Yes, but indirectly I think. Once wikitech is a SUL wiki it should just live in the main wiki cluster rather than on silver. We can actually even do that before full SUL unification. The remaining blocker to moving the wiki to the normal hosting pool is T161553: Remove OpenStackManager from Wikitech.

Would/Is T171570 a blocker for this one?

T171570: Rename database 'labswiki' to 'wikitechwiki' seems like a large potential for breaking things with a very small overall impact on the movement. I personally don't think it is worth the effort and risk.

Wouldn't this also break gerrit?

Wouldn't this also break gerrit?

gerrit uses LDAP account, so as long as LDAP is sane gerrit is okay.

Yep but would new accounts work?

Yep but would new accounts work?

See the outline at the top which clearly includes Replace wikitech as source of LDAP account creation.

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

@Tgr, I don't think we would want to do this. The threat model for horizon/gerrit/etc is quite different from on-wiki account access so I'd prefer that we keep the two separate account types.

That said, a simpler/unified login service for all developer account types might be nice.

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

My intent is for all existing LDAP accounts (that are still in use) to be associated with a SUL account. This is the "Connect active LDAP accounts with SUL accounts" step in the very high level plan. It is possible today to make this association using https://toolsadmin.wikimedia.org/. The "Replace wikitech as source of LDAP account creation" step would be a good time to introduce this idea more broadly and to start a campaign to get active users to make the association.

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

That decision is largely beyond the scope of the Cloud Services team. The projects we own that could do this are Horizon and Striker (toolsadmin). There is a plan for Striker to use SUL via OAuth as the authentication mechanism. I think it would be possible for Horizon as well, but one thing we would probably want to be able to do for Horizon is to require that the SUL account be using 2FA protection.

aborrero triaged this task as Medium priority.May 11 2021, 4:16 PM
aborrero moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.