Page MenuHomePhabricator

wikitech: Update user groups following OpenStackManager rights removal
Open, Needs TriagePublic

Description

In https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OpenStackManager/+/548939/ and https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OpenStackManager/+/549999/, the following user rights were removed from MediaWiki-extensions-OpenStackManager:

  • listall
  • manageproject
  • managednsdomain
  • loginviashell
  • accessrestrictedregions
  • editallhiera

Currently, cloud admins are granted accessrestrictedregions, editallhiera, listall, managednsdomain, and manageproject in InitialiseSettings, and the "shell users" group is likewise granted loginviashell

Those rights should be removed, since they no longer actually grant any rights. This would leave cloud admins with only userrights and autopatrol, and the group should be considered for merging with local stewards, who only have userrights and noratelimit. This would leave the shell users group with no rights, and so the members of the group should be removed. There are currently over 500 such users.

Once the shell user group is removed from config, WikimediaMessages should be updated to remove the group from translation (and if cloud admins are merged into stewards, those should also be removed).

Event Timeline

Restricted Application added a project: User-DannyS712. · View Herald TranscriptDec 18 2019, 4:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

See also T235708: Redesign for wmcs custom puppet settings (editallhiera removed as part of that task)

Quiddity added a subscriber: Quiddity.EditedDec 19 2019, 8:00 PM

@DannyS712 Yes to everything else (as far as I understand it), but I suggest removing/rewriting the part of the description that says "... merging with local stewards ...", because there is still a hope/plan to make wikitech part of SUL someday (T161859 et al), in which case that merge would cause an additional & unnecessary complication.

bd808 added a comment.Dec 19 2019, 8:45 PM

I think we can just remove the cloud admins group and members. The purpose of that group was granting super user powers for doing OpenStackManager actions. That is no longer needed/useful with MediaWiki-extensions-OpenStackManager reduced to functionally only adding steps to developer account creation (collecting shell name, altering generated LDAP records).

It sounds like the steps needed here are:

  1. mwscript emptyUserGroup.php --wiki=labswiki --group shell
  2. mwscript emptyUserGroup.php --wiki=labswiki --group cloudadmin
  3. Patch to remove shell and cloudadmin definitions from operations/mediawiki-config.git
  4. Patch to remove messages from WikimediaMessages

@DannyS712 Yes to everything else (as far as I understand it), but I suggest removing/rewriting the part of the description that says "... merging with local stewards ...", because there is still a hope/plan to make wikitech part of SUL someday (T161859 et al), in which case that merge would cause an additional & unnecessary complication.

In that case, maybe local crats? I don't think a separate group is needed...

DannyS712 added a comment.EditedDec 19 2019, 9:34 PM

I think we can just remove the cloud admins group and members. The purpose of that group was granting super user powers for doing OpenStackManager actions. That is no longer needed/useful with MediaWiki-extensions-OpenStackManager reduced to functionally only adding steps to developer account creation (collecting shell name, altering generated LDAP records).
It sounds like the steps needed here are:

  1. mwscript emptyUserGroup.php --wiki=labswiki --group shell
  2. mwscript emptyUserGroup.php --wiki=labswiki --group cloudadmin
  3. Patch to remove shell and cloudadmin definitions from operations/mediawiki-config.git
  4. Patch to remove messages from WikimediaMessages

Would it be helpful to log the removal on-wiki? emptyUserGroup.php doesn't do that, but doing it client side would create logs. Since crats (who can remove shell users) have noratelimit, it should only take a minute to remove the group in a logged manner, which I think would be better. If someone wants to flag DannyS712 as a crat for a bit, I can take care of that and link here for the reason (and I promise not to do anything else with the rights). Via api, query users[1] and then map to action=userrights for removal.

[1] https://wikitech.wikimedia.org/w/api.php?action=query&list=allusers&augroup=shell&aulimit=max

I think the script way is better and efficient here. Wikitech is a special wiki nonetheless, and there's no point in removing 500+ users manually (cloudadmin and shell combined).