Page MenuHomePhabricator
Create Task
Maniphest T227650

Migrate web services using LDAP authentication towards the readonly LDAP replicas
Open, MediumPublic
Actions

Description

We recently introduced two new LDAP readonly replicas which are behind LVS, the Cloud VPS instances are in the process of migrating fully towards those. This task tracks the migration of our web-based services (where applicable).

Once all readonly consumers are migrated we can doublecheck via tcpdump for a few days and restrict access to serpens/seaborgium to the services performing actual write changes.

Details

SubjectRepoBranchLines +/-
kibana: Read LDAP servers from standard Hiera and switch to read-only replicasoperations/puppetproduction+18 -14
maintain_dbusers: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+4 -3
kibana: Switch to read-only LDAPreplicasoperations/puppetproduction+4 -4
xhgui: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+4 -2
librenms: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+2 -1
tendril: use ldap-ro, use Hiera, refactor to profileoperations/puppetproduction+19 -14
netbox: stop using ::passwords::ldap:wmf_clusteroperations/puppetproduction+2 -2
static-rt: LDAP config, use ro, Hiera and new password classesoperations/puppetproduction+11 -6
xhgui::app: use ldap-ro, stop using ldap-labsoperations/puppetproduction+1 -1
microsites/transparency: use ldap-ro, stop using ldap-labs, use Hieraoperations/puppetproduction+4 -2
grafana: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+4 -3
Superset: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+6 -2
yarn: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+6 -2
turnilo: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+9 -4
icinga: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+6 -1
debmonitor: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+8 -5
librenms: use ldap-ro, stop using ldap-labs, use Hieraoperations/puppetproduction+2 -1
netbox: Read LDAP server from Hiera and switch to read-only replicasoperations/puppetproduction+5 -2
graphite: use ldap-ro, stop using ldap-labs, use Hieraoperations/puppetproduction+2 -1
puppetboard: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+5 -2
icinga: stop using ::passwords::ldap:wmf_clusteroperations/puppetproduction+2 -2
grafana: stop using ldap-labs, use ldap-rooperations/puppetproduction+1 -1
piwik: Read LDAP servers from Hiera and switch to read-only replicasoperations/puppetproduction+2 -1
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Jul 10 2019, 10:58 AM
Restricted Application added a subscriber: Aklapper. ยท View Herald TranscriptJul 10 2019, 10:58 AM
MoritzMuehlenhoff triaged this task as Medium priority.Jul 15 2019, 1:48 PM
elukey mentioned this in T227611: LDAP ldap-ro.eqiad.wikimedia.org not reachable from Analytics VLAN.Jul 16 2019, 6:59 AM
gerritbot added a comment.Jul 19 2019, 9:41 AM

Change 524479 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] piwik: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524479

gerritbot added a project: Patch-For-Review.Jul 19 2019, 9:41 AM
gerritbot added a comment.Jul 19 2019, 10:13 AM

Change 524487 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] puppetboard: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524487

gerritbot added a comment.Jul 19 2019, 10:22 AM

Change 524489 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] debmonitor: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524489

gerritbot added a comment.Jul 19 2019, 11:04 AM

Change 524494 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] netbox: Read LDAP server from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524494

gerritbot added a comment.Jul 19 2019, 1:19 PM

Change 524479 merged by Elukey:
[operations/puppet@production] piwik: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524479

gerritbot added a comment.Jul 19 2019, 2:11 PM

Change 524519 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] grafana: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524519

gerritbot added a comment.Jul 19 2019, 3:24 PM

Change 524540 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] icinga: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524540

Dzahn subscribed.Jul 19 2019, 5:32 PM
gerritbot added a comment.Jul 19 2019, 6:06 PM

Change 523992 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] static-rt: LDAP config, use ro, Hiera and new password classes

https://gerrit.wikimedia.org/r/523992

gerritbot added a comment.Jul 19 2019, 6:31 PM

Change 523994 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] librenms: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/523994

gerritbot added a comment.Jul 19 2019, 6:35 PM

Change 523991 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] microsites/transparency: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/523991

gerritbot added a comment.Jul 19 2019, 6:38 PM

Change 523995 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] xhgui::app: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/523995

gerritbot added a comment.Jul 19 2019, 6:45 PM

Change 523993 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] tendril: use ldap-ro, use Hiera, refactor to profile

https://gerrit.wikimedia.org/r/523993

gerritbot added a comment.Jul 19 2019, 6:50 PM

Change 524583 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] netbox: stop using ::passwords::ldap:wmf_cluster

https://gerrit.wikimedia.org/r/524583

gerritbot added a comment.Jul 19 2019, 6:52 PM

Change 524584 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] icinga: stop using ::passwords::ldap:wmf_cluster

https://gerrit.wikimedia.org/r/524584

gerritbot added a comment.Jul 19 2019, 6:57 PM

Change 524585 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] grafana: stop using ldap-labs, use ldap-ro

https://gerrit.wikimedia.org/r/524585

gerritbot added a comment.Jul 19 2019, 7:01 PM

Change 524586 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] graphite: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/524586

gerritbot added a comment.Jul 19 2019, 8:18 PM

Change 524585 abandoned by Dzahn:
grafana: stop using ldap-labs, use ldap-ro

Reason:
duplicate of https://gerrit.wikimedia.org/r/c/operations/puppet/ /524519/

https://gerrit.wikimedia.org/r/524585

gerritbot added a comment.Jul 19 2019, 10:08 PM

Change 524584 merged by Dzahn:
[operations/puppet@production] icinga: stop using ::passwords::ldap:wmf_cluster

https://gerrit.wikimedia.org/r/524584

gerritbot added a comment.Jul 22 2019, 8:10 AM

Change 524487 merged by Muehlenhoff:
[operations/puppet@production] puppetboard: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524487

gerritbot added a comment.Jul 22 2019, 9:08 AM

Change 524586 merged by Muehlenhoff:
[operations/puppet@production] graphite: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/524586

gerritbot added a comment.Jul 22 2019, 9:23 AM

Change 524494 merged by Muehlenhoff:
[operations/puppet@production] netbox: Read LDAP server from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524494

gerritbot added a comment.Jul 22 2019, 10:00 AM

Change 523994 merged by Muehlenhoff:
[operations/puppet@production] librenms: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/523994

gerritbot added a comment.Jul 22 2019, 10:32 AM

Change 524742 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] yarn: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524742

gerritbot added a comment.Jul 22 2019, 11:11 AM

Change 524749 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Superset: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524749

gerritbot added a comment.Jul 22 2019, 11:28 AM

Change 524752 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] turnilo: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524752

gerritbot added a comment.Jul 22 2019, 12:07 PM

Change 524489 merged by Muehlenhoff:
[operations/puppet@production] debmonitor: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524489

gerritbot added a comment.Jul 22 2019, 12:53 PM

Change 524540 merged by Muehlenhoff:
[operations/puppet@production] icinga: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524540

gerritbot added a comment.Jul 22 2019, 1:03 PM

Change 524752 merged by Elukey:
[operations/puppet@production] turnilo: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524752

gerritbot added a comment.Jul 22 2019, 1:08 PM

Change 524742 merged by Elukey:
[operations/puppet@production] yarn: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524742

gerritbot added a comment.Jul 22 2019, 1:10 PM

Change 524749 merged by Elukey:
[operations/puppet@production] Superset: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524749

gerritbot added a comment.Jul 22 2019, 1:21 PM

Change 524519 merged by Muehlenhoff:
[operations/puppet@production] grafana: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524519

gerritbot added a comment.Jul 22 2019, 2:03 PM

Change 523991 merged by Muehlenhoff:
[operations/puppet@production] microsites/transparency: use ldap-ro, stop using ldap-labs, use Hiera

https://gerrit.wikimedia.org/r/523991

gerritbot added a comment.Jul 22 2019, 2:12 PM

Change 524791 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] profile::webperf::xhgui: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524791

gerritbot added a comment.Jul 22 2019, 2:58 PM

Change 524798 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] librenms: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524798

gerritbot added a comment.Jul 22 2019, 3:48 PM

Change 524810 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] maintain_dbusers: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524810

gerritbot added a comment.Jul 22 2019, 6:04 PM

Change 523995 merged by Dzahn:
[operations/puppet@production] xhgui::app: use ldap-ro, stop using ldap-labs

https://gerrit.wikimedia.org/r/523995

gerritbot added a comment.Jul 22 2019, 6:44 PM

Change 523992 merged by Dzahn:
[operations/puppet@production] static-rt: LDAP config, use ro, Hiera and new password classes

https://gerrit.wikimedia.org/r/523992

gerritbot added a comment.Jul 22 2019, 6:51 PM

Change 524583 merged by Dzahn:
[operations/puppet@production] netbox: stop using ::passwords::ldap:wmf_cluster

https://gerrit.wikimedia.org/r/524583

gerritbot added a comment.Jul 22 2019, 7:08 PM

Change 523993 merged by Dzahn:
[operations/puppet@production] tendril: use ldap-ro, use Hiera, refactor to profile

https://gerrit.wikimedia.org/r/523993

gerritbot added a comment.Jul 22 2019, 7:29 PM

Change 524798 merged by Dzahn:
[operations/puppet@production] librenms: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524798

gerritbot added a comment.Jul 23 2019, 6:28 AM

Change 524791 merged by Muehlenhoff:
[operations/puppet@production] xhgui: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524791

gerritbot added a comment.Jul 23 2019, 10:15 AM

Change 525057 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] kibana: Read LDAP servers from standard Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/525057

gerritbot added a comment.Jul 23 2019, 11:48 AM

Change 525069 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] kibana: Switch to read-only LDAPreplicas

https://gerrit.wikimedia.org/r/525069

gerritbot added a comment.Jul 23 2019, 12:55 PM

Change 525069 merged by Muehlenhoff:
[operations/puppet@production] kibana: Switch to read-only LDAPreplicas

https://gerrit.wikimedia.org/r/525069

gerritbot added a comment.Jul 23 2019, 1:17 PM

Change 524810 merged by Muehlenhoff:
[operations/puppet@production] maintain_dbusers: Read LDAP servers from Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/524810

MoritzMuehlenhoff claimed this task.Jul 23 2019, 1:42 PM

The following services have been converted to use the read-only replicas:

  • DB users sync on labstore100[45]
  • Debmonitor
  • Grafana
  • Graphite
  • Hive
  • Icinga
  • Kibana
  • LibreNMS
  • Netbox
  • Piwik
  • Puppetboard
  • Superset
  • Swap
  • Tendril/DBMonitor
  • Transparency report
  • Turnilo
  • XHGui
  • Yarn

Once the remaining Cloud VPS instances are switched to use the eqiad r/o servers, we can narrow down access to the r/w servers in Ferm.

gerritbot added a comment.Jul 25 2019, 6:51 AM

Change 525057 abandoned by Muehlenhoff:
kibana: Read LDAP servers from standard Hiera and switch to read-only replicas

https://gerrit.wikimedia.org/r/525057

Maintenance_bot removed a project: Patch-For-Review.Jul 25 2019, 7:10 AM
MoritzMuehlenhoff closed subtask T227778: Create an LDAP replica in codfw (using LVS) as Resolved.Aug 6 2019, 6:52 AM
Dzahn added a comment.Sep 25 2019, 12:24 AM

Gerrit has been switched to use readonly replicas today.

jbond added a project: User-jbond.Oct 30 2019, 5:58 PM
jbond moved this task from Unsorted ๐Ÿ’ฃ to Back Burner ๐Ÿ›๏ธ on the User-jbond board.Oct 30 2019, 6:08 PM
jbond added a comment.Nov 7 2019, 5:52 PM

what is still left to change in order to complete this?

MoritzMuehlenhoff added a comment.Nov 7 2019, 6:29 PM

The last remaining patch should be https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/525220/ (and some semi-related refactoring to switch more prod hosts to the new ldap Hiera settings.

Once that is done, I'm planning to tcpdump remaining accesses to the r/w servers to doublecheck and when that is all tightened down, ferm rules can be added to restrict access to the r/w hosts.

jbond added a comment.Nov 7 2019, 6:30 PM

awesome thanks

Dzahn awarded a token.Nov 8 2019, 6:21 PM
Aklapper removed MoritzMuehlenhoff as the assignee of this task.Mar 13 2022, 7:51 PM

Removing task assignee due to inactivity, as this open task has been assigned for more than two years. See the email sent to the task assignee on February 06th 2022 (and T295729).

Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome.

If this task has been resolved in the meantime, or should not be worked on ("declined"), please update its task status via "Add Actionโ€ฆ ๐Ÿก’ Change Status".

Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator.

MoritzMuehlenhoff claimed this task.Mar 14 2022, 4:39 PM
MoritzMuehlenhoff added a comment.May 10 2022, 11:24 AM

I ran tcpdump for the LDAP ports on seaborgium and serpens for a little over an hour:

On serpens:

  • alert1001
  • alert2001
  • ldap-replica2005.wikimedia.org
  • ldap-replica2006.wikimedia.org
  • seaborgium

On seaborgium:

  • alert1001
  • alert2001
  • archiva1002
  • cloudcontrol1003
  • cloudcontrol1004
  • cloudcontrol1005
  • contint1001
  • labweb1001
  • labweb1002
  • ldap-replica1003
  • ldap-replica1004
  • nat.cloudgw.eqiad1.wikimediacloud.org
  • scan-08b.shadowserver.org
  • serpens

This looks promising, the only cases which a closer look at contint1001 and archiva, which should both be doing just fine by only using the replicas. Then we'd be close to restricting access to the r/w servers via Ferm.

MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Thu, Apr 18, 11:17 AM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff mentioned this in T363125: sustainability of wikitech.wikimedia.org.Tue, Apr 23, 7:53 AM
taavi subscribed.Tue, Apr 23, 7:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL