Make Wikitech an SUL wiki
Open, Needs Triage · Public

Description

We're moving lots of Labs-specific functions off of Wikitech. Once that's done, it should be possible to merge wikitech with the rest of the wikiverse.

See https://meta.wikimedia.org/wiki/Community_Tech/Tool_Labs_support/Tool_Labs_vision for some of the reasoning leading up to this task.

  • Remove dependency on Semantic MediaWiki
  • Remove dependency on OpenStackManager OpenStack APIs (Keystone, Nova, etc)
  • T237773: Move Wikitech onto the production MW cluster (including database)
  • Replace wikitech as source of two-factor auth protection for LDAP accounts
  • Replace wikitech as source of LDAP account creation
  • Connect active LDAP accounts with SUL accounts
  • Create SUL accounts for inactive LDAP accounts
  • Unify wikitech local accounts with SUL accounts [the final(?) SUL unification]

Event Timeline

Andrew created this task. Mar 30 2017, 9:04 PM
Restricted Application added a project: Cloud-Services. Mar 30 2017, 9:04 PM
Restricted Application added a subscriber: Aklapper.
bd808 updated the task description. Apr 14 2017, 4:18 AM
bd808 added a subscriber: bd808. May 11 2017, 9:28 PM

Yes, but indirectly I think. Once wikitech is a SUL wiki it should just live in the main wiki cluster rather than on silver. We can actually even do that before full SUL unification. The remaining blocker to moving the wiki to the normal hosting pool is T161553: Remove OpenStackManager from Wikitech.

bd808 added a comment. Jul 25 2017, 3:12 PM

Would/Is T171570 a blocker for this one?

T171570: Rename database 'labswiki' to 'wikitechwiki' seems like a large potential for breaking things with a very small overall impact on the movement. I personally don't think it is worth the effort and risk.

Wouldn't this also break gerrit?

Wouldn't this also break gerrit?

gerrit uses LDAP accounts, so as long as LDAP is sane gerrit is okay.

Yep but would new accounts work?

bd808 added a comment. Jul 25 2017, 4:20 PM

Yep but would new accounts work?

See the outline at the top which clearly includes Replace wikitech as source of LDAP account creation.

Oh I see. Thanks.

He7d3r added a subscriber: He7d3r. Aug 30 2017, 7:02 PM
Tgr added a subscriber: Tgr. Feb 23 2018, 9:37 PM

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

@Tgr, I don't think we would want to do this. The threat model for horizon/gerrit/etc is quite different from on-wiki account access so I'd prefer that we keep the two separate account types.

That said, a simpler/unified login service for all developer account types might be nice.

What will happen to accounts already created and SUL accounts? Would we be able to get them merged/migrated/etc?

My intent is for all existing LDAP accounts (that are still in use) to be associated with a SUL account. This is the "Connect active LDAP accounts with SUL accounts" step in the very high level plan. It is possible today to make this association using https://toolsadmin.wikimedia.org/. The "Replace wikitech as source of LDAP account creation" step would be a good time to introduce this idea more broadly and to start a campaign to get active users to make the association.

Is there also a "make everything SUL" plan? More specifically, a plan to replace passwords with some kind of SUL-based remote login on gerrit, horizon, logstash etc?

That decision is largely beyond the scope of the Cloud Services team. The projects we own that could do this are Horizon and Striker (toolsadmin). There is a plan for Striker to use SUL via OAuth as the authentication mechanism. I think it would be possible for Horizon as well, but one thing we would probably want to be able to do for Horizon is to require that the SUL account be using 2FA protection.

Tgr added a comment. Mar 12 2018, 10:13 PM

Is there also a "make everything SUL" plan?

Filed that as T189531: All Wikimedia developer services should use single sign-on.

mxn added a subscriber: mxn. May 21 2018, 6:44 AM
1997kB added a subscriber: 1997kB. Aug 18 2018, 6:12 AM
jbond added a subscriber: jbond. Mar 5 2019, 3:47 PM
GTirloni removed a subscriber: GTirloni. Mar 21 2019, 9:06 PM
Meno25 added a subscriber: Meno25. May 31 2019, 4:32 PM
bd808 updated the task description. Nov 10 2019, 11:08 PM