Page MenuHomePhabricator
Create Task
Maniphest T196466

Remove 'shell user' right on wikitech
Closed, ResolvedPublic
Actions

Description

Wikitech has a 'shell user' user right. This used to be checked before permitting logins; I don't know if it still is, or how it's checked if it is.

As we move our developer account workflow away from wikitech, having logins require a particular bit on a particular wiki seems wrong. If bit right is already ignored, then we should remove it from wikitech; if it's still used we should replace it or ignore it and rely on keystone roles exclusively.

Details

SubjectRepoBranchLines +/-
[wikitech] Remove the 'shell' user right from assignment and rights listsoperations/mediawiki-configmaster+0 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Jun 5 2018, 1:44 PM
Quiddity subscribed.Jun 5 2018, 4:57 PM
EddieGP added a comment.Jun 6 2018, 10:06 AM

AFAIK this used be a way to disable abusive accounts (by removing this right they could no longer log in, which normal blocking on wikitech didn't do iirc). Did keystone roles take that functionality over? Even if rarely used, there should be a easy way to disable abusive accounts on wmcs.

Vvjjkkii renamed this task from Review (and remove?) use of 'shell user' right on wikitech to xlbaaaaaaa.Jul 1 2018, 1:06 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, gerritbot, Aklapper.
TerraCodes renamed this task from xlbaaaaaaa to Review (and remove?) use of 'shell user' right on wikitech.Jul 1 2018, 12:55 PM
TerraCodes raised the priority of this task from High to Needs Triage.
TerraCodes updated the task description. (Show Details)
TerraCodes removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
TerraCodes added subscribers: gerritbot, MarcoAurelio, Aklapper.
Liuxinyu970226 subscribed.Nov 6 2018, 12:33 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed cloud-services-team.Mar 24 2019, 12:03 PM
Meno25 subscribed.May 31 2019, 4:29 PM
Reedy removed a project: MediaWiki-extensions-OpenStackManager.Nov 10 2019, 3:53 AM
bd808 added a comment.Nov 10 2019, 11:42 PM
In T196466#4260440, @EddieGP wrote:

AFAIK this used be a way to disable abusive accounts (by removing this right they could no longer log in, which normal blocking on wikitech didn't do iirc). Did keystone roles take that functionality over? Even if rarely used, there should be a easy way to disable abusive accounts on wmcs.

Blocking an account on Wikitech disables the associated Developer account including preventing new ssh sessions to Cloud VPS projects. The checks for this are in ssh-key-ldap-lookup.py in ops/puppet.

bd808 renamed this task from Review (and remove?) use of 'shell user' right on wikitech to Remove 'shell user' right on wikitech.Nov 10 2019, 11:43 PM
bd808 triaged this task as Medium priority.
bd808 edited parent tasks, added: T237773: Move Wikitech onto the production MW cluster; removed: T196171: Developer account creation without OpenStackManager.Nov 11 2019, 12:01 AM
Reedy added a parent task: T237890: Remove and empty useless user groups.Nov 11 2019, 12:08 AM
bd808 moved this task from Backlog to Config on the wikitech.wikimedia.org board.Nov 11 2019, 12:29 AM
Stashbot added a comment.Feb 28 2020, 1:05 AM

Mentioned in SAL (#wikimedia-operations) [2020-02-28T01:05:01Z] <James_F> Running mwscript emptyUserGroup.php --wiki=labswiki shell for T196466

gerritbot added a comment.Feb 28 2020, 1:11 AM

Change 575387 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] [wikitech] Remove the 'shell' user right from assignment and rights lists

https://gerrit.wikimedia.org/r/575387

gerritbot added a project: Patch-For-Review.Feb 28 2020, 1:11 AM
gerritbot added a comment.Feb 28 2020, 1:15 AM

Change 575387 merged by jenkins-bot:
[operations/mediawiki-config@master] [wikitech] Remove the 'shell' user right from assignment and rights lists

https://gerrit.wikimedia.org/r/575387

Stashbot added a comment.Feb 28 2020, 1:19 AM

Mentioned in SAL (#wikimedia-operations) [2020-02-28T01:19:30Z] <jforrester@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T196466 [wikitech] Remove the 'shell' user right from assignment and rights lists (duration: 00m 58s)

Jdforrester-WMF closed this task as Resolved.Feb 28 2020, 1:21 AM
Jdforrester-WMF claimed this task.

https://wikitech.wikimedia.org/w/index.php?title=Special:ListUsers&group=shell is now empty.

The 'shell' group no longer appears on https://wikitech.wikimedia.org/wiki/Special:ListGroupRights

Declaring done.

Jdforrester-WMF removed a parent task: T237773: Move Wikitech onto the production MW cluster.Feb 28 2020, 1:45 AM
Maintenance_bot removed a project: Patch-For-Review.Feb 28 2020, 2:10 AM
Meno25 unsubscribed.Apr 2 2020, 9:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL