Page MenuHomePhabricator
Create Task
Maniphest T189531

All Wikimedia developer services should use single sign-on
Open, HighPublic
Actions

Description

Wikimedia developer services here refers to things like Phabricator, Gerrit, Kibana, Grafana, Wikitech/Horizon etc.

Most of these currently use LDAP to share credentials, but that's not true single sign-on, authentication still happens locally. That's bad for usability (people have to type in passwords all the time) and bad for security (if any one of these services gets compromised, the attacker can harvest the credentials for all the others). It also prevents the use of shared credentials in less secure environments (such as the beta cluster), resulting in awkward workarounds.

Instead, these services should use our CAS-SSO developer single sign-on.

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
OpenNoneT189531 All Wikimedia developer services should use single sign-on
ResolvedNoneT161859 Make Wikitech an SUL wiki
OpenNoneT147864 Use IDP for authentication in Gerrit
DuplicateNoneT367287 Update Wikitech's LDAP credentials to be read-only
OpenFeatureNoneT359554 Use IDP for authentication in Striker
ResolvedFeatureAndrewT359590 Use IDP for authentication in Horizon
OpenFeatureNoneT377061 Phabricator should use IDP for developer account logins
· · ·

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2018, 9:50 PM
MarcoAurelio subscribed.Mar 12 2018, 10:11 PM
Tgr added a comment.Mar 12 2018, 10:13 PM

One option would be to use Wikimedia SUL via mod_authnz_fcgi and a custom authentication client frontend (probably based on oauthclient-php). That would require T148048: Store Wikimedia unified account name (SUL) in LDAP directory, and the auth frontend doing an LDAP group lookup or providing it some way to fetch those groups via the OAuth identify request.

Tgr mentioned this in T161859: Make Wikitech an SUL wiki.Mar 12 2018, 10:13 PM
Tgr added a subtask: T161859: Make Wikitech an SUL wiki.
Tgr added a subtask: T147864: Use IDP for authentication in Gerrit.
Tgr added a subtask: T97133: Login integration for Sentry.
Krenair subscribed.Mar 12 2018, 10:16 PM
Paladox subscribed.Mar 12 2018, 10:26 PM
TerraCodes subscribed.Mar 13 2018, 5:32 AM
nshahquinn subscribed.Mar 13 2018, 7:56 AM
Jdforrester-WMF awarded a token.Mar 21 2018, 9:20 PM
Jdforrester-WMF subscribed.
Tgr added a project: Wikimedia-Hackathon-2018.May 10 2018, 3:41 PM
Tgr moved this task from Backlog to Project on the Wikimedia-Hackathon-2018 board.
Tgr added a project: User-Tgr.
Liuxinyu970226 awarded a token.Jun 2 2018, 2:15 PM
Liuxinyu970226 subscribed.
Tgr mentioned this in T170150: Evaluate Grafana's LDAP group options and deprecate grafana-admin if possible.Jun 13 2018, 4:29 PM
1997kB subscribed.Aug 9 2018, 12:47 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
greg subscribed.Oct 10 2018, 3:59 PM
LarsWirzenius subscribed.Oct 12 2018, 12:01 PM
AfroThundr3007730 subscribed.Nov 27 2018, 4:45 AM
Tgr mentioned this in T161473: Stop requiring two-factor authentication for horizon.wikimedia.org.Dec 9 2018, 7:41 PM
Tgr mentioned this in T215046: RfC: Use Github login for mediawiki.org.Feb 17 2019, 3:28 AM
Meno25 subscribed.May 31 2019, 4:31 PM
hashar mentioned this in T198813: Integrate MFA into Gerrit.Jun 3 2019, 9:54 PM
Aklapper removed a project: Security-Other.Nov 27 2019, 1:38 PM
chasemp triaged this task as High priority.Dec 9 2019, 5:06 PM
chasemp added a project: Security-Team.
chasemp added subscribers: MoritzMuehlenhoff, chasemp.

@MoritzMuehlenhoff seems like maybe some merging of this stuff into T233921 and co would make sense?

chasemp moved this task from Incoming to Watching on the Security-Team board.Dec 9 2019, 5:30 PM
greg unsubscribed.Dec 9 2019, 11:27 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
LarsWirzenius unsubscribed.Feb 20 2020, 3:37 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
hashar mentioned this in T207762: Make the new Jenkins login page match the fancy gerrit login page.May 19 2020, 1:28 PM
hashar mentioned this in T198814: Enable MFA on Jenkins.May 19 2020, 1:34 PM
hashar merged a task: T198814: Enable MFA on Jenkins.
hashar added subscribers: Reedy, thcipriani, greg, hashar.
chasemp added a project: CAS-SSO.May 19 2020, 3:47 PM
taavi subscribed.Jun 18 2020, 4:26 PM
zeljkofilipin subscribed.Jun 26 2020, 12:57 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
sbassett removed a project: Security-Team.Feb 16 2022, 8:21 PM
taavi renamed this task from All Wikimedia developer services should use single sign-on to All Wikimedia developer services should use single sign-on.Feb 16 2022, 8:22 PM
hashar unsubscribed.Apr 20 2022, 10:51 AM
joanna_borun removed projects: Infrastructure-Foundations, CAS-SSO.Jul 6 2023, 8:59 AM
joanna_borun subscribed.

After reviewing the task, it appears that no further action is required on our part. Therefore, I am removing the "Infrastructure Foundations" tag.

Aklapper removed a subtask: T97133: Login integration for Sentry.Jul 10 2023, 9:35 AM
SLyngshede-WMF mentioned this in T315867: Identity Management System for Wikimedia developer accounts.Sep 18 2023, 6:42 AM
jijiki changed the status of subtask T161859: Make Wikitech an SUL wiki from Open to In Progress.Jul 29 2024, 4:13 PM
zeljkofilipin unsubscribed.Jul 29 2024, 4:57 PM
jijiki added a subtask: T367287: Update Wikitech's LDAP credentials to be read-only.Jul 29 2024, 10:16 PM
jijiki closed subtask T363125: sustainability of wikitech.wikimedia.org as Resolved.Jul 30 2024, 10:03 AM
jijiki removed a subtask: T363125: sustainability of wikitech.wikimedia.org.
Andrew added a subtask: T359554: Use IDP for authentication in Striker.Aug 27 2024, 4:33 PM
Andrew added a subtask: T359590: Use IDP for authentication in Horizon.
Andrew closed subtask T359590: Use IDP for authentication in Horizon as Resolved.Sep 5 2024, 2:37 PM
Bugreporter changed the status of subtask T367287: Update Wikitech's LDAP credentials to be read-only from Stalled to Open.Oct 1 2024, 3:13 PM
A_smart_kitten subscribed.Jan 4 2025, 7:00 PM
nshahquinn-wmf updated the task description. (Show Details)Jan 21 2025, 8:28 PM
Aklapper added a subtask: T377061: Phabricator should use IDP for developer account logins.Jan 24 2025, 10:48 AM
Gigako1981 awarded a token.Feb 4 2025, 10:16 PM
Oranoc.220 set Due Date to Feb 16 2025, 12:00 AM.Feb 16 2025, 6:30 AM
Oranoc.220 claimed this task.Feb 16 2025, 6:36 AM
Oranoc.220 raised the priority of this task from High to Needs Triage.
Oranoc.220 closed this task as Resolved.Feb 16 2025, 6:39 AM
Oranoc.220 closed subtask T377061: Phabricator should use IDP for developer account logins as Resolved.
Oranoc.220 closed subtask T359554: Use IDP for authentication in Striker as Resolved.
taavi reopened this task as Open.Feb 16 2025, 8:03 AM
taavi removed Oranoc.220 as the assignee of this task.
taavi triaged this task as High priority.
taavi removed Due Date which was set to Feb 16 2025, 12:00 AM.
taavi reopened subtask T377061: Phabricator should use IDP for developer account logins as Open.
taavi reopened subtask T359554: Use IDP for authentication in Striker as Open.
taavi added a subscriber: Oranoc.220.
Arendpieter subscribed.Feb 21 2025, 10:07 PM
Ladsgroup closed subtask T161859: Make Wikitech an SUL wiki as Resolved.Feb 25 2025, 10:04 PM
Arendpieter changed the status of subtask T147864: Use IDP for authentication in Gerrit from Stalled to Open.Mar 2 2025, 8:53 PM
Arendpieter added a subtask: T388498: Inconsistent mapping of Developer accounts and SUL accounts across Phabricator, Bitu, and Striker.Mar 11 2025, 7:48 AM
Aklapper mentioned this in T388498: Inconsistent mapping of Developer accounts and SUL accounts across Phabricator, Bitu, and Striker.Mar 11 2025, 1:39 PM
fnegri subscribed.Mar 11 2025, 1:56 PM
Aklapper removed a subtask: T388498: Inconsistent mapping of Developer accounts and SUL accounts across Phabricator, Bitu, and Striker.Mar 11 2025, 2:40 PM
Arendpieter added a project: CAS-SSO.May 8 2025, 10:43 AM
Arendpieter added a comment.Aug 11 2025, 12:50 PM

Do I understand correctly that currently only bitu (https://idm.wikimedia.org/) is using CAS-SSO (https://idp.wikimedia.org/), while Phabricator (https://phabricator.wikimedia.org/), Striker (https://toolsadmin.wikimedia.org/), and Gerrit (https://gerrit.wikimedia.org/) still need to be integrated, as far as I can tell from the subtasks?

Aklapper added a comment.Aug 11 2025, 1:36 PM

yes

Arendpieter added a comment.Sep 22 2025, 3:03 PM
In T189531#11073700, @Aklapper wrote:

yes

Thank you! For Striker I pushed some code here: https://gerrit.wikimedia.org/r/1189915

hashar changed the status of subtask T147864: Use IDP for authentication in Gerrit from Open to Stalled.Oct 28 2025, 2:54 PM
Tacsipacsi changed the status of subtask T147864: Use IDP for authentication in Gerrit from Stalled to Open.Nov 27 2025, 1:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits