Page MenuHomePhabricator

LDAP access to the wmf group for Sam Walton
Closed, ResolvedPublic

Description

Username: Samwalton9
Shell access: Yes
Purpose: I'd like to access Superset for my work as a Product Manager at WMF
Group: (The specific group you want to be added to - optional).

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Hi @Samwalton9, as far as I know for Superset access only the shell access is not required. I'm CC'ing @Nuria for signoff on Superset access itself.

as far as I know for Superset access only the shell access is not required

Oh, sure, it wasn't clear to me if the 'shell access' question was about whether I already had a shell account or needed access :)

Hi Sam,

Looks like you already have an account on wikitech (Samwalton), so I've given that account membership in the wmf group. You should have Superset access with it now.

(I don't believe @Nuria's signoff is necessary for access, rather simply that she receive a notification of new users.)

Change 591177 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] admin: add samwalton to ldap_only_users

https://gerrit.wikimedia.org/r/591177

Change 591177 merged by CDanis:
[operations/puppet@production] admin: add samwalton to ldap_only_users

https://gerrit.wikimedia.org/r/591177

CDanis claimed this task.

Please re-open if this doesn't work for you!

I don't seem to be able to log in, using my Wikitech login :(

Sam,

Which username did you use? Can you confirm that logging into Wikitech
itself works?

Thanks!

I log into Wikitech using Samwalton9, which works as expected. I've tried both Samwalton9 and samwalton on Superset.

Ah, sorry, I hadn't realized you had multiple wikitech accounts. There's also a Samwalton (not samwalton) on wikitech. The uppercased one is the one I added to the wmf group (since that's the one I found using your WMF email address as the key).

Make sure you can log into wikitech using Samwalton, and then those same credentials should work for superset (just note the capitalization in the username).

Do you want to retain both wikitech accounts? (I've also asked around some other SREs if we have any usual policies here.)

For reference, here's the set of groups and permissions and other data about each wikitech account:

https://tools.wmflabs.org/ldap/user/samwalton9
https://tools.wmflabs.org/ldap/user/samwalton

Oh, yep, the fun that comes with the overlaps of your volunteer and staff accounts :)

samwalton9 is the ideal account to have set here, since that's the login I use for Horizon. Is that OK?

AIUI, we aren't generally in the business of giving wmf access for volunteer accounts, since that becomes too hard to track for offboarding procedures.

That makes sense, I'll use my staff account then.

I'm a little confused about that, though, since I can't find any Wikitech login details for my staff account. https://tools.wmflabs.org/ldap/user/samwalton implies I should have a User:Samwalton at Wikitech, but that account (https://wikitech.wikimedia.org/wiki/User:Samwalton) doesn't exist. I tried resetting the password on it but received nothing.

This looks like a legit bug. The user samwalton is definitely in LDAP ( using ldapsearch on mwmaint1002) and it's even listed as member of various toolforge groups and project-bastion. It should not be possible to be the case while the user is also "not registered" on Wikitech. Adding @bd808

This looks like a legit bug. The user samwalton is definitely in LDAP ( using ldapsearch on mwmaint1002) and it's even listed as member of various toolforge groups and project-bastion. It should not be possible to be the case while the user is also "not registered" on Wikitech. Adding @bd808

This has been possible for nearly four years. T144710: Create Wikitech/LDAP accounts via a new user friendly guided workflow added the ability to create new Wikimedia Developer accounts via Striker. Striker asks Wikitech to help validate some bits (TitleBlacklist, etc), but then creates the account directly in the LDAP directory. MediaWiki's MediaWiki-extensions-LdapAuthentication integration does not poll LDAP for accounts. Instead local MediaWiki accounts are created ad hoc when an authentication check against LDAP succeeds and no matching local user is found. There are actually numerically many Developer accounts in LDAP which are not local users on Wikitech.

Hm. I have no idea what my password is for that account - is there somewhere I can reset it?

Hm. I have no idea what my password is for that account - is there somewhere I can reset it?

You can use https://wikitech.wikimedia.org/wiki/Special:PasswordReset

Per the above, I don't have a Wikitech account, just an LDAP login, so the Wikitech password reset form won't work.

Oh perfect, that was the domain I needed for my password manager to locate the right login details for me 😁 Confirmed I have access to Superset with that login.

Great, glad to hear it!

I also updated SRE's docs with some of what @bd808 said, as I don't think that was widely understood on the SRE team.

I also updated SRE's docs with some of what @bd808 said, as I don't think that was widely understood on the SRE team.

One related thing to this that should be documented somewhere is the attachLdapUser.php maintenance script which lives in MediaWiki-extensions-OpenStackManager. This script can be used to force creation of a local Wikitech user account for any Developer account in the LDAP directory that does not have one. It was invented as a bandaid for T174469: LDAP account that is not attached on wikitech has no means for password reset so that a user who has lost their password can use Special:PasswordReset to get a new one even if they had not previously attached their account to Wikitech by logging in.