Page MenuHomePhabricator
Create Task
Maniphest T196171

Developer account creation without OpenStackManager
Closed, ResolvedPublic
Actions

Description

When an account is created on Wikitech, that account gets a 'shell name' in addition to other account attributes. I'm pretty sure this happens via a hook in OpenStackManager; we need a way to create that fully-featured account in the post-OSM world.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 OpenNoneT363125 sustainability of wikitech.wikimedia.org
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpenSLyngshede-WMFT163478 Allow viewing/searching LDAP account creations including date
 ResolvedNoneT153821 wikitech.wikimedia.org missing from pageviews API
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 Resolved MarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
Resolved MarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 Resolved BstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenjijikiT292707 Migrate Wikitech to Kubernetes
 OpenNoneT359551 Replace wikitech as source of two-factor auth protection for developer accounts
 OpenFeatureNoneT359554 Use IDP for authentication in Striker
 StalledFeatureNoneT359590 Use IDP for authentication in Horizon
 OpenFeatureSLyngshede-WMFT359552 Enable self-service IDP two-factor authentication management
 OpenNoneT359820 Add developer account (un)blocking support to Bitu
 OpenAndrewT360795 Set up a bitu instance for codfw1dev
 OpenSLyngshede-WMFT362128 Site: 1 VM for codfw1dev bitu deployment
 OpenABran-WMFT362619 Database request for Bitu Cloud DEV installation
 ResolvedtaaviT360883 Disable email address changes in Wikitech
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 Resolvedbd808T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
 ResolvedyuvipandaT103995 Build a simple tool to query which instances have which roles / puppet variables
 Resolvedbd808T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
 Resolvedbd808T162508 Implement Tool Labs membership application and processing in Striker
 Resolvedbd808T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
 OpentaaviT161553 Remove OpenStackManager from Wikitech
 ResolvedtaaviT196171 Developer account creation without OpenStackManager
 DeclinedNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 DuplicateNoneT189639 Separate LDAP account creation bits from Striker to create a new identity management platform
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT319407 IDM milestone 1 "Initial development work"
 ResolvedNoneT319409 Pick a name for the IDM
 ResolvedSLyngshede-WMFT319410 Initial Django project setup
 ResolvedSLyngshede-WMFT319415 Evaluate Striker codebase
 Resolved MarosteguiT320426 Figure out where/how to store IDM internal data
 ResolvedSLyngshede-WMFT320427 Design and implement async LDAP operations
 ResolvedSLyngshede-WMFT320428 Initial IDM puppetisation
 ResolvedSLyngshede-WMFT320430 Create an initial IDM/LDAP image for tests and CI
 ResolvedSLyngshede-WMFT320431 IDM: Central logging on all changes
 ResolvedSLyngshede-WMFT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320604 Decide on model for serving idm.wikimedia.org
 ResolvedNoneT320605 Figure out an HA setup for the IDM
 ResolvedSLyngshede-WMFT320794 Extend LDAP to allow storing all necessary attributes
 ResolvedSLyngshede-WMFT320795 Implement a staging setup for the IDM
 ResolvedSLyngshede-WMFT320797 Initial production deployment of the IDM
 ResolvedSLyngshede-WMFT320799 IDM integration into CAS SSO
 ResolvedSLyngshede-WMFT320807 Implement OAuth account validation for linking an account to a wiki account
 ResolvedSLyngshede-WMFT320808 Implement email address validation workflow
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpentaaviT359428 Striker should use ID instead of username to identify SUL accounts
 ResolvedSLyngshede-WMFT335091 Determine which sender address to use for email notification
 ResolvedSLyngshede-WMFT340721 Build Debian packages for Bookworm
 ResolvedSLyngshede-WMFT340722 Update IDM servers to Bookworm
 OpenSLyngshede-WMFT320801 Build-out for self service
 ResolvedSLyngshede-WMFT320802 Create a mockup and involve designers
 ResolvedBUG REPORTSLyngshede-WMFT338824 Bitu is not responsive
 InvalidNoneT320805 Define the core attribute list managed in the IDM with all stakeholders
 ResolvedSLyngshede-WMFT320806 Consider reusing some wiki data sources for signup/restrictions
 ResolvedSLyngshede-WMFT320809 Figure out a captcha option for IDM
 OpenNoneT335478 Automatic detection of inactive LDAP account
 OpenNoneT335485 Automatically deploy documentation to docs.wikimedia.org
 ResolvedSLyngshede-WMFT340636 Implement "Forgot my username" feature
 ResolvedSLyngshede-WMFT340637 Implement "update email" functionality
 OpenSLyngshede-WMFT340717 Implement "source" field on user objects
 OpenSLyngshede-WMFT345168 Live validation of usernames
 ResolvedSLyngshede-WMFT345226 Switch developer account creation to Bitu
 OpenSLyngshede-WMFT347572 SSH Key type expiry

Event Timeline

Andrew created this task.Jun 1 2018, 3:46 PM
Andrew added a comment.Jun 1 2018, 4:17 PM

... I suppose another option is to leave OpenStackManager in place but unused apart for user creation, until we make wikitech SUL and move all developer account creation to Striker.

Liuxinyu970226 unsubscribed.Jun 2 2018, 2:13 PM
Harej subscribed.Jun 20 2018, 3:57 AM

Doesn't Striker support doing this? We could just take the account creation logic out of Striker and have people create accounts that way.

Dzahn unsubscribed.Jun 20 2018, 7:30 AM
bd808 added a comment.Jun 20 2018, 4:49 PM
In T196171#4301425, @Harej wrote:

Doesn't Striker support doing this? We could just take the account creation logic out of Striker and have people create accounts that way.

Yes, that solution is described in T179463: Create a single application to provision and manage developer (LDAP) accounts. Doing this would mean developing a new Django based application, getting it through security review, and getting it deployed followed by some amount of support for fixing bugs once it is rolled out. Not impossible at all, but not a trivial amount of work either. It is my preferred long term solution, but it would be nice to find a way to keep that from blocking the removal of MediaWiki-extensions-OpenStackManager from wikitech which is the main blocker to hosting wikitech in the main wiki cluster.

Harej added a comment.Jun 21 2018, 12:38 AM

This sounds hacky, but until we provision a new identity management application, couldn't we just tell people to sign up via Striker?

bd808 added a comment.Jun 21 2018, 5:32 PM
In T196171#4304295, @Harej wrote:

This sounds hacky, but until we provision a new identity management application, couldn't we just tell people to sign up via Striker?

Yes, that would be possible. It would not be too difficult to make some mostly cosmetic changes to the workflow there as well to make that a bit less confusing. The most efficient thing to do by time and effort would be to combine the developer account and Toolforge use-cases into a single tool (Striker). In the longer term however that may be working counter to other goals (e.g. streamlining the Toolforge on-boarding process).

When I started planning Striker my intent was to hide as many of the "power user" use-cases as I could so that the experience of joining and using Toolforge was as simple and direct as possible. The assumption was that a typical new Tool maintainer does not care about VPS instances, Gerrit, or even Phabricator; they care about deploying a webservice or bot to help on their home wiki. I still generally believe this, so I'm hesitant to "temporarily" move in the other direction because I know that once the pressure is off we are less likely to build the better solution (T179463).

Vvjjkkii renamed this task from Developer account creation without OpenStackManager to 4tbaaaaaaa.Jul 1 2018, 1:06 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: Aklapper, gerritbot, MarcoAurelio.
TerraCodes renamed this task from 4tbaaaaaaa to Developer account creation without OpenStackManager.Jul 1 2018, 12:58 PM
TerraCodes raised the priority of this task from High to Needs Triage.
TerraCodes removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
TerraCodes updated the task description. (Show Details)
TerraCodes added subscribers: Aklapper, gerritbot, MarcoAurelio.
Liuxinyu970226 subscribed.Nov 6 2018, 12:33 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed cloud-services-team.Mar 24 2019, 12:03 PM
bd808 mentioned this in T229392: Cleanup wikitech registration page.Aug 5 2019, 11:18 PM
bd808 mentioned this in T233236: Move labtestwikitech database to clouddb2001-dev.Oct 16 2019, 4:44 PM
Reedy removed a project: MediaWiki-extensions-OpenStackManager.Nov 10 2019, 3:56 AM
bd808 mentioned this in T167973: Move database for wikitech (labswiki) to a main cluster section.Nov 10 2019, 10:56 PM
bd808 removed a subtask: T196466: Remove 'shell user' right on wikitech.Nov 11 2019, 12:01 AM
Harej unsubscribed.Feb 10 2020, 11:37 PM
Bstorm changed the task status from Open to Stalled.Feb 11 2020, 5:16 PM
Bstorm triaged this task as High priority.
Bstorm subscribed.

Waiting on SSO stuff

Andrew moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.Mar 10 2020, 4:26 PM
bd808 mentioned this in T237889: Install php-ldap on all MW appservers.Apr 13 2020, 7:56 PM
taavi subscribed.Dec 29 2020, 5:28 PM

Is this still stalled? CAS-SSO was rolled out earlier this year

Bstorm added a comment.Jan 4 2021, 5:22 PM

That's a good question! We'll review that.

bd808 added a comment.Jan 4 2021, 5:24 PM

I'm not sure the the introduction of CAS service has done anything to change the world here. CAS is backed by the Developer account LDAP directory but only does authentication and does not provide any account creation system which is what this ticket is about.

Bstorm added a comment.Jan 4 2021, 5:27 PM

Yes, but we stalled waiting for the rollout so we'd know what it looks like. It might actually be stalled on us not working on it now 😁

Bstorm changed the task status from Stalled to Open.Jan 6 2021, 4:05 PM
bd808 mentioned this in T161859: Make Wikitech an SUL wiki.Apr 30 2021, 4:02 PM
jbond subscribed.Sep 30 2021, 10:55 AM
bd808 added a comment.Oct 5 2022, 5:17 PM

I think that T319405: Create an IDM for Wikimedia developer accounts is going to be the likely resolution of this task as the practical implementation of T179463: Create a single application to provision and manage developer (LDAP) accounts.

Aklapper added a subtask: T179463: Create a single application to provision and manage developer (LDAP) accounts.Nov 30 2022, 9:10 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
SLyngshede-WMF changed the task status from Open to In Progress.Sep 21 2023, 9:42 AM
SLyngshede-WMF subscribed.

This patch https://gerrit.wikimedia.org/r/c/operations/software/bitu/+/959211 will enable SSH Keymanagement for WMCS in the Bitu IDM.
SSH key management appears to be the only remaining feature of OpenStackManager in Wikitech.

SLyngshede-WMF closed subtask T179463: Create a single application to provision and manage developer (LDAP) accounts as Declined.Jan 29 2024, 4:02 PM
taavi closed this task as Resolved.Mar 7 2024, 1:42 PM
taavi claimed this task.

Account creation on Wikitech is currently disabled. I've filed T359544: Disable SSH key management on Wikitech for the SSH key management functionality that's currently blocking OSM undeployment.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL