Page MenuHomePhabricator
Create Task
Maniphest T196171

Developer account creation without OpenStackManager
Open, In Progress, HighPublic
Actions

Description

When an account is created on Wikitech, that account gets a 'shell name' in addition to other account attributes. I'm pretty sure this happens via a hook in OpenStackManager; we need a way to create that fully-featured account in the post-OSM world.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 OpenNoneT161859 Make Wikitech an SUL wiki
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 OpenNoneT161553 Remove OpenStackManager from Wikitech
 In ProgressNoneT196171 Developer account creation without OpenStackManager
 OpenNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 DuplicateNoneT189639 Separate LDAP account creation bits from Striker to create a new identity management platform
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT319407 IDM milestone 1 "Initial development work"
 ResolvedNoneT319409 Pick a name for the IDM
 ResolvedSLyngshede-WMFT319410 Initial Django project setup
 ResolvedSLyngshede-WMFT319415 Evaluate Striker codebase
 ResolvedMarosteguiT320426 Figure out where/how to store IDM internal data
 ResolvedSLyngshede-WMFT320427 Design and implement async LDAP operations
 ResolvedSLyngshede-WMFT320428 Initial IDM puppetisation
 ResolvedSLyngshede-WMFT320430 Create an initial IDM/LDAP image for tests and CI
 ResolvedSLyngshede-WMFT320431 IDM: Central logging on all changes
 OpenNoneT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320604 Decide on model for serving idm.wikimedia.org
 ResolvedNoneT320605 Figure out an HA setup for the IDM
 ResolvedSLyngshede-WMFT320794 Extend LDAP to allow storing all necessary attributes
 ResolvedSLyngshede-WMFT320795 Implement a staging setup for the IDM
 ResolvedSLyngshede-WMFT320797 Initial production deployment of the IDM
 ResolvedSLyngshede-WMFT320799 IDM integration into CAS SSO
 ResolvedSLyngshede-WMFT320807 Implement OAuth account validation for linking an account to a wiki account
 ResolvedSLyngshede-WMFT320808 Implement email address validation workflow
 In ProgressSLyngshede-WMFT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 ResolvedSLyngshede-WMFT335091 Determine which sender address to use for email notification
 ResolvedSLyngshede-WMFT340721 Build Debian packages for Bookworm
 ResolvedSLyngshede-WMFT340722 Update IDM servers to Bookworm
 OpenSLyngshede-WMFT320801 Build-out for self service
 ResolvedSLyngshede-WMFT320802 Create a mockup and involve designers
 ResolvedBUG REPORTSLyngshede-WMFT338824 Bitu is not responsive
 OpenNoneT320805 Define the core attribute list managed in the IDM with all stakeholders
 ResolvedSLyngshede-WMFT320806 Consider reusing some wiki data sources for signup/restrictions
 ResolvedSLyngshede-WMFT320809 Figure out a captcha option for IDM
 OpenNoneT335478 Automatic detection of inactive LDAP account
 OpenNoneT335485 Automatically deploy documentation to docs.wikimedia.org
 ResolvedSLyngshede-WMFT340636 Implement "Forgot my username" feature
 ResolvedSLyngshede-WMFT340637 Implement "update email" functionality
 OpenSLyngshede-WMFT340717 Implement "source" field on user objects
 OpenSLyngshede-WMFT345168 Live validation of usernames
 ResolvedSLyngshede-WMFT345226 Switch developer account creation to Bitu
 OpenSLyngshede-WMFT347572 SSH Key type expiry

Event Timeline

Andrew created this task.Jun 1 2018, 3:46 PM
Andrew added a comment.Jun 1 2018, 4:17 PM

... I suppose another option is to leave OpenStackManager in place but unused apart for user creation, until we make wikitech SUL and move all developer account creation to Striker.

Liuxinyu970226 removed a subscriber: Liuxinyu970226.Jun 2 2018, 2:13 PM
Harej added a subscriber: Harej.Jun 20 2018, 3:57 AM

Doesn't Striker support doing this? We could just take the account creation logic out of Striker and have people create accounts that way.

Dzahn removed a subscriber: Dzahn.Jun 20 2018, 7:30 AM
bd808 added a comment.Jun 20 2018, 4:49 PM
In T196171#4301425, @Harej wrote:

Doesn't Striker support doing this? We could just take the account creation logic out of Striker and have people create accounts that way.

Yes, that solution is described in T179463: Create a single application to provision and manage developer (LDAP) accounts. Doing this would mean developing a new Django based application, getting it through security review, and getting it deployed followed by some amount of support for fixing bugs once it is rolled out. Not impossible at all, but not a trivial amount of work either. It is my preferred long term solution, but it would be nice to find a way to keep that from blocking the removal of MediaWiki-extensions-OpenStackManager from wikitech which is the main blocker to hosting wikitech in the main wiki cluster.

Harej added a comment.Jun 21 2018, 12:38 AM

This sounds hacky, but until we provision a new identity management application, couldn't we just tell people to sign up via Striker?

bd808 added a comment.Jun 21 2018, 5:32 PM
In T196171#4304295, @Harej wrote:

This sounds hacky, but until we provision a new identity management application, couldn't we just tell people to sign up via Striker?

Yes, that would be possible. It would not be too difficult to make some mostly cosmetic changes to the workflow there as well to make that a bit less confusing. The most efficient thing to do by time and effort would be to combine the developer account and Toolforge use-cases into a single tool (Striker). In the longer term however that may be working counter to other goals (e.g. streamlining the Toolforge on-boarding process).

When I started planning Striker my intent was to hide as many of the "power user" use-cases as I could so that the experience of joining and using Toolforge was as simple and direct as possible. The assumption was that a typical new Tool maintainer does not care about VPS instances, Gerrit, or even Phabricator; they care about deploying a webservice or bot to help on their home wiki. I still generally believe this, so I'm hesitant to "temporarily" move in the other direction because I know that once the pressure is off we are less likely to build the better solution (T179463).

Vvjjkkii renamed this task from Developer account creation without OpenStackManager to 4tbaaaaaaa.Jul 1 2018, 1:06 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: Aklapper, gerritbot, MarcoAurelio.
TerraCodes renamed this task from 4tbaaaaaaa to Developer account creation without OpenStackManager.Jul 1 2018, 12:58 PM
TerraCodes raised the priority of this task from High to Needs Triage.
TerraCodes removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
TerraCodes updated the task description. (Show Details)
TerraCodes added subscribers: Aklapper, gerritbot, MarcoAurelio.
Liuxinyu970226 added a subscriber: Liuxinyu970226.Nov 6 2018, 12:33 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed cloud-services-team.Mar 24 2019, 12:03 PM
bd808 mentioned this in T229392: Cleanup wikitech registration page.Aug 5 2019, 11:18 PM
bd808 mentioned this in T233236: Move labtestwikitech database to clouddb2001-dev.Oct 16 2019, 4:44 PM
Reedy removed a project: MediaWiki-extensions-OpenStackManager.Nov 10 2019, 3:56 AM
bd808 mentioned this in T167973: Move database for wikitech (labswiki) to a main cluster section.Nov 10 2019, 10:56 PM
bd808 removed a subtask: T196466: Remove 'shell user' right on wikitech.Nov 11 2019, 12:01 AM
Harej removed a subscriber: Harej.Feb 10 2020, 11:37 PM
Bstorm changed the task status from Open to Stalled.Feb 11 2020, 5:16 PM
Bstorm triaged this task as High priority.
Bstorm added a subscriber: Bstorm.

Waiting on SSO stuff

Andrew moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.Mar 10 2020, 4:26 PM
bd808 mentioned this in T237889: Install php-ldap on all MW appservers.Apr 13 2020, 7:56 PM
taavi added a subscriber: taavi.Dec 29 2020, 5:28 PM

Is this still stalled? CAS-SSO was rolled out earlier this year

Bstorm added a comment.Jan 4 2021, 5:22 PM

That's a good question! We'll review that.

bd808 added a comment.Jan 4 2021, 5:24 PM

I'm not sure the the introduction of CAS service has done anything to change the world here. CAS is backed by the Developer account LDAP directory but only does authentication and does not provide any account creation system which is what this ticket is about.

Bstorm added a comment.Jan 4 2021, 5:27 PM

Yes, but we stalled waiting for the rollout so we'd know what it looks like. It might actually be stalled on us not working on it now 😁

Bstorm changed the task status from Stalled to Open.Jan 6 2021, 4:05 PM
bd808 mentioned this in T161859: Make Wikitech an SUL wiki.Apr 30 2021, 4:02 PM
jbond added a subscriber: jbond.Sep 30 2021, 10:55 AM
bd808 added a comment.Oct 5 2022, 5:17 PM

I think that T319405: Create an IDM for Wikimedia developer accounts is going to be the likely resolution of this task as the practical implementation of T179463: Create a single application to provision and manage developer (LDAP) accounts.

Aklapper added a subtask: T179463: Create a single application to provision and manage developer (LDAP) accounts.Nov 30 2022, 9:10 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
SLyngshede-WMF changed the task status from Open to In Progress.Sep 21 2023, 9:42 AM
SLyngshede-WMF added a subscriber: SLyngshede-WMF.

This patch https://gerrit.wikimedia.org/r/c/operations/software/bitu/+/959211 will enable SSH Keymanagement for WMCS in the Bitu IDM.
SSH key management appears to be the only remaining feature of OpenStackManager in Wikitech.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL