
All Wikimedia developer services should use single sign-on
Open, High, Public

Description

Wikimedia developer services here refers to things like Phabricator, Gerrit, Kibana, Grafana, Wikitech/Horizon etc.

Most of these currently share credentials through LDAP, but that is not true single sign-on: each service still authenticates the user locally, so it handles the user's password itself. That's bad for usability (people have to type in passwords all the time) and bad for security (if any one of these services gets compromised, the attacker can harvest the credentials for all the others). It also prevents the use of shared credentials in less secure environments (such as the beta cluster), resulting in awkward workarounds.

There should be an easy way (probably some kind of Apache config that can be enabled by applying a puppet role) to put a website behind single sign-on and limit access to certain user groups.

Related Objects

Status     Subtype  Assigned          Task
Open       -        None              -
Open       -        None              -
Open       -        None              -
Resolved   -        Andrew            -
Resolved   -        Andrew            -
Resolved   -        Andrew            -
Resolved   -        Andrew            -
Resolved   -        MarcoAurelio      -
Resolved   -        Andrew            -
Stalled    -        None              -
Resolved   -        bd808             -
Resolved   -        yuvipanda         -
Resolved   -        bd808             -
Resolved   -        bd808             -
Resolved   -        bd808             -
Open       -        None              -
Resolved   -        None              -
Open       -        None              -
Duplicate  -        None              -
Open       -        None              -
Open       -        None              -
Resolved   -        Andrew            -
Open       -        None              -
Open       -        None              -
Resolved   -        Jdforrester-WMF   -
Declined   -        None              -
Stalled    -        None              -
Open       -        None              -
Open       -        None              -

Event Timeline

Tgr created this task. Mar 12 2018, 9:50 PM
Restricted Application added a subscriber: Aklapper. Mar 12 2018, 9:50 PM
Tgr added a comment. Mar 12 2018, 10:13 PM

One option would be to use Wikimedia SUL via mod_authnz_fcgi and a custom authentication client frontend (probably based on oauthclient-php). That would require T148048: Store Wikimedia unified account name (SUL) in LDAP directory, and the auth frontend doing an LDAP group lookup or providing it some way to fetch those groups via the OAuth identify request.

Tgr moved this task from Backlog to Project on the Wikimedia-Hackathon-2018 board.
Tgr added a project: User-Tgr.
1997kB added a subscriber: 1997kB. Aug 9 2018, 12:47 PM
greg added a subscriber: greg. Oct 10 2018, 3:59 PM
Meno25 added a subscriber: Meno25. May 31 2019, 4:31 PM
chasemp triaged this task as High priority. Dec 9 2019, 5:06 PM
chasemp added a project: Security-Team.

@MoritzMuehlenhoff seems like maybe some merging of this stuff into T233921 and co would make sense?

chasemp moved this task from Incoming to Watching on the Security-Team board. Dec 9 2019, 5:30 PM
greg removed a subscriber: greg. Dec 9 2019, 11:27 PM