
Requesting contentadmin access for 'Lucas Werkmeister (WMDE)' on Wikitech
Closed, Declined · Public


I just noticed that I don’t have permissions to update the SSH fingerprints page (instead, I sent the new content to @aborrero to save him some time, and he pasted it in). This seems a bit pointless since I already have deployment access (T208518), so presumably I’m somewhat trusted… is there a defined process for user rights on the Wikitech wiki? (If yes, I can’t find it.)

Event Timeline

Restricted Application added a subscriber: Aklapper. Feb 14 2019, 11:50 AM

No defined process other than create a task and wait for someone to action. There are two types of admins: sysop and contentadmin. With the creation and rollout of interface admins probably the segregation doesn't make much of the sense that it had in the past, though; although probably still makes sense. Usually @bd808 or @scfc handled user rights requests in the past for me, so I'm taking the liberty to mention them in here. Regards.

I wonder if the only legitimate use case for modifying that page is accompanied by the ability to change that SSH key, and so potentially is sanest as a right limited to toolforge admins/roots.

chasemp triaged this task as Normal priority. Feb 14 2019, 2:42 PM
chasemp added a project: Toolforge.

In this case the page needed to be updated not because the keys on any system changed, but because the hostname was changed to point to a different system (tools-sgebastion-[06→07], due to the WMCS incident).

> In this case the page needed to be updated not because the keys on any system changed, but because the hostname was changed to point to a different system (tools-sgebastion-[06→07], due to the WMCS incident).

yeah totally, and I'm not trying to be emphatic about this -- more curious. That action (replacing the host) would also be an activity limited to toolforge admins. I worry that any other group of folks are not adequately able to ensure it's the right key before updating the page.

> activity limited to toolforge admins

IFF all toolforge admins do belong to a particular user group (cloudadmin?) then we can profit from $wgRestrictionLevels and create a new restriction (cloudadmin protected) so that this or other pages could be protected and edited only by cloud administrators.

Tools is a small fraction of the stuff with fingerprints recorded on wikitech:

bd808 added a comment. Feb 14 2019, 7:10 PM

WP:BEANS, but sysop on wikitech is a very sensitive user right. For the particular content in question, page protection restrictions are reasonable to prevent edits from bad actors who have somehow figured out how to ssh connections to compromised servers.

contentadmin can edit normal protected pages, and seems reasonable for anyone with deploy access. The page there even gives a handy form for requesting it ;-)

bd808 renamed this task from Administrator rights on Wikitech to Requesting contentadmin access for 'Lucas Werkmeister (WMDE)' on Wikitech. Feb 17 2019, 12:34 AM

@Lucas_Werkmeister_WMDE I have changed the title here to reflect a request for contentadmin. Granting full sysop on Wikitech is unlikely without also granting Cloud-wide root. Contentadmin is a much easier right to approve, assuming that you have a desire to help maintain sensitive content on wikitech in the long term. Please do respond here and let us know if you are actively seeking this right or were just a bit annoyed to find that there was content that you could not change on wikitech.

bd808 changed the task status from Open to Stalled. Feb 18 2019, 5:38 AM

Well, it was more out of surprise that I was told to edit the page and then couldn’t do it, but since I do edit content on Wikitech from time to time, it would be useful to have this right, sure. (Though I don’t think I’ve run into protected pages before – most of my contributions outside of Wikidata stuff are just random things I find while going through the documentation.)

bd808 closed this task as Declined. Feb 26 2019, 6:59 PM

@Lucas_Werkmeister_WMDE based on your comments in T216126#4980825 I am going to decline this request. Not because I don't feel that you are trustworthy, but because I don't see any demonstrated need for the additional rights. I do not believe the contentadmin right itself would actually have let you fix the fingerprint page, and in reality that edit should be made by a root user who can actually verify the fingerprints before publishing anyway.

If you do come up with a project that makes editing protected content on Wikitech necessary, please do apply again, especially if you can set a time limit on how long the advanced rights will be needed.