
replace phabricator db passwords with longer passwords
Closed, Resolved, Public

Description

Per IRC with Jaime, the database passwords used by phabricator users:

  • phadmin
  • phuser
  • new phd user
  • phstats (already done)
  • manifest
  • bzmigrate
  • fabmigrate

should be replaced with longer passwords.

Event Timeline

  • schedule a short maintenance window for phabricator
  • change the passwords live
  • change the passwords in private repo in class passwords::mysql::phabricator
  • run puppet on phabricator servers and confirm everything works

?

cc: @20after4

fgiunchedi triaged this task as Medium priority. Apr 17 2020, 7:41 AM

@mmodell could we schedule a specific date for this, so it is not forgotten? How much time do you need to prepare T146055? Work on our side is not too time consuming, but maybe yours may take more...

Ugh. @jcrespo, I apologize, I let the ball drop on this one. It wouldn't take much effort on my part; we already have the puppet scaffolding to support separating them.

Maybe this can be scheduled before or after the maintenance for T259589?

I don't have the bandwidth to prepare this change before Tuesday - @jcrespo if you happen to have some room to prepare this before Tuesday (or after), please take the lead!

I made a note about how we go about setting a separate password for PHD daemons in a comment at T146055#6378825.

Essentially we just need to define a new password variable and reference it from modules/profile/manifests/phabricator/main.pp.

Mentioned in SAL (#wikimedia-operations) [2020-08-18T06:48:39Z] <jynus> deploy another password change to phabricator service (potentially disruptive) T250361

Mentioned in SAL (#wikimedia-operations) [2020-08-18T07:16:41Z] <jynus> update rest of phabricator passwords T250361

Change 620879 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879

Change 620879 merged by Jcrespo:
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879

jcrespo claimed this task.