Page MenuHomePhabricator

Remove 'shell user' right on wikitech
Closed, ResolvedPublic

Description

Wikitech has a 'shell user' user right. This used to be checked before permitting logins; I don't know if it still is, or how it's checked if it is.

As we move our developer account workflow away from wikitech, having logins require a particular bit on a particular wiki seems wrong. If bit right is already ignored, then we should remove it from wikitech; if it's still used we should replace it or ignore it and rely on keystone roles exclusively.

Related Objects

StatusSubtypeAssignedTask
ResolvedClement_Goubert
OpenClement_Goubert
OpenNone
OpenNone
OpenNone
Opentaavi
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedMarcoAurelio
ResolvedAndrew
Resolvedtaavi
DeclinedNone
DuplicateNone
OpenNone
ResolvedSLyngshede-WMF
ResolvedNone
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
Resolved Marostegui
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedNone
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
OpenNone
Opentaavi
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
OpenSLyngshede-WMF
ResolvedSLyngshede-WMF
ResolvedBUG REPORTSLyngshede-WMF
InvalidNone
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
OpenNone
OpenNone
ResolvedSLyngshede-WMF
ResolvedSLyngshede-WMF
OpenSLyngshede-WMF
OpenSLyngshede-WMF
ResolvedSLyngshede-WMF
OpenSLyngshede-WMF
Opentaavi
Opentaavi
ResolvedFeatureSLyngshede-WMF
ResolvedBUG REPORTSLyngshede-WMF
Resolvedbd808
Resolvedyuvipanda
Resolvedbd808
Resolvedbd808
Resolvedbd808
OpenSLyngshede-WMF
ResolvedNone
OpenNone
OpenFeatureNone
StalledFeatureNone
OpenFeatureSLyngshede-WMF
OpenNone
OpenAndrew
OpenSLyngshede-WMF
OpenABran-WMF
Resolvedtaavi
DuplicateNone
OpenNone
OpenNone
Resolved Marostegui
ResolvedAndrew
Resolved Marostegui
ResolvedAndrew
DeclinedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedLadsgroup
DuplicateNone
Resolved Bstorm
Resolvedtaavi
ResolvedJdforrester-WMF

Event Timeline

AFAIK this used be a way to disable abusive accounts (by removing this right they could no longer log in, which normal blocking on wikitech didn't do iirc). Did keystone roles take that functionality over? Even if rarely used, there should be a easy way to disable abusive accounts on wmcs.

Vvjjkkii renamed this task from Review (and remove?) use of 'shell user' right on wikitech to xlbaaaaaaa.Jul 1 2018, 1:06 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
TerraCodes renamed this task from xlbaaaaaaa to Review (and remove?) use of 'shell user' right on wikitech.Jul 1 2018, 12:55 PM
TerraCodes raised the priority of this task from High to Needs Triage.
TerraCodes updated the task description. (Show Details)

AFAIK this used be a way to disable abusive accounts (by removing this right they could no longer log in, which normal blocking on wikitech didn't do iirc). Did keystone roles take that functionality over? Even if rarely used, there should be a easy way to disable abusive accounts on wmcs.

Blocking an account on Wikitech disables the associated Developer account including preventing new ssh sessions to Cloud VPS projects. The checks for this are in ssh-key-ldap-lookup.py in ops/puppet.

bd808 renamed this task from Review (and remove?) use of 'shell user' right on wikitech to Remove 'shell user' right on wikitech.Nov 10 2019, 11:43 PM
bd808 triaged this task as Medium priority.

Mentioned in SAL (#wikimedia-operations) [2020-02-28T01:05:01Z] <James_F> Running mwscript emptyUserGroup.php --wiki=labswiki shell for T196466

Change 575387 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] [wikitech] Remove the 'shell' user right from assignment and rights lists

https://gerrit.wikimedia.org/r/575387

Change 575387 merged by jenkins-bot:
[operations/mediawiki-config@master] [wikitech] Remove the 'shell' user right from assignment and rights lists

https://gerrit.wikimedia.org/r/575387

Mentioned in SAL (#wikimedia-operations) [2020-02-28T01:19:30Z] <jforrester@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T196466 [wikitech] Remove the 'shell' user right from assignment and rights lists (duration: 00m 58s)