Rename account Zoranzoki21 to Kizule on Gerrit
Open, Needs Triage · Public · Request

Description

Per T260645, I want to request renaming my account Zoranzoki21 to Kizule on Gerrit/Wikitech as well.

Event Timeline

Kizule changed the subtype of this task from "Task" to "Administrative Request".
Kizule changed the task status from Open to Stalled. Aug 18 2020, 10:43 AM

Stalled until 18th September when account should be renamed on wikis.

Kizule changed the task status from Stalled to Open. Sep 17 2020, 9:17 PM

After renaming my account on Wikimedia wikis, you can do this. :)

Gerrit = LDAP (there is nothing to do in Gerrit or wikitech.wm.org itself in my understanding)

@Aklapper Oh, yes, thanks for correcting me, I appreciate it. :)

bd808 added subscribers: thcipriani, bd808.

Developer accounts are stored in LDAP, but the management interface for renaming is Wikitech. The local MediaWiki account there that is attached to the LDAP storage for the developer account would need to be renamed. Historically there is also a need to do manual database surgery on Gerrit to handle a change of name in a Developer account.

https://wikitech.wikimedia.org/wiki/LDAP/Renaming_users has some docs. I'm not sure if we have done any Developer account renames since Chad left, but maybe @thcipriani has helped with one since then.

Umm.. Will "instance shell account" be renamed, or do I have to request it in another task? I have access to Toolforge and Cloud VPS.

Changing the shell account name of an existing Developer account is close to impossible to accomplish. By this I don't mean that we cannot set a new uid attribute on the LDAP record, but that doing so will make every virtual machine you have used the prior account with (bastions, Toolforge instances, other Cloud VPS project instances) confused.

If you want a whole new Developer account identity, I would recommend creating a new Developer account, and then working to get that new account the same memberships and rights as your old account. Once you have that access, you can poke us and we can disable the older account by blocking it on Wikitech (which cascades to blocking any Gerrit and Phabricator accounts that are associated with the Developer account).

I finally tracked down @thcipriani's comment at T171417#4507006 which seems to say that we are not sure what the process is anymore for a rename on Gerrit. This is another point towards just making a new Developer account if you are dissatisfied with your current Developer account's name(s).

Uhh. I can't understand well everything that you said, but let's make this easier: What can be done, what not?

We can try to change the cn (common name) attribute of your Developer account and then fix all the things that may break. The cn is the value that you would recognize as your wikitech user name. There is still an open question of if this renaming can be accomplished in Gerrit per T171417#4507006. So you may end up with a renamed Wikitech user, but loss of access to Gerrit using that account.

The uid attribute of the Developer account record is what would be known as your "shell account name" in documents on Wikitech. This value is the primary key for the Developer account in LDAP and also the value that gets embedded in your $HOME directory path. Changing this value is untested per https://wikitech.wikimedia.org/wiki/LDAP/Renaming_users. We have changed uid values in the past to break conflicts between new system level software and legacy LDAP records/Developer accounts, but only after the account to be renamed has been abandoned by its original human owner.

Gerrit no longer relies on a MySQL database; all the data are now stored in git repositories.

Accounts are in the special All-Users.git repository. The mappings to LDAP are stored under the reference refs/meta/external-ids, which is documented at https://gerrit.wikimedia.org/r/Documentation/config-accounts.html#external-ids

There is one entry for Gerrit itself:

$ echo -n 'gerrit:zoranzoki21' | shasum
fc3ff7ac488fa7d1418e7be239550d560492f114  -
fc/3ff7ac488fa7d1418e7be239550d560492f114
[externalId "gerrit:zoranzoki21"]
	accountId = 12345
	email = xxx@example.org

And another one for LDAP:

$ echo -n 'username:zoranzoki21' | shasum
462337f8159ebadcf37609e25b80142dbc972455  -
46/2337f8159ebadcf37609e25b80142dbc972455
[externalId "username:zoranzoki21"]
	accountId = 12345

So theoretically we need to craft a commit that:

  • deletes those two files
  • creates two new files using the new username and referring to the new username
  • is pushed to refs/meta/external-ids

And most probably flush the caches. Not sure what will happen with the web_sessions one though.
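The file layout described in the comment above can be worked out ahead of time. The following is an added example, not part of the original comment and not Wikimedia's tooling: it computes the note paths and file bodies for the old and new external IDs. The lowercase new name `kizule`, the account id `12345` and the email are placeholders following the comment's own sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: plan the external-ID files for a Gerrit account rename.
# Names, account id and email below are placeholders, not real values.

# SHA-1 hex digest of a string, using whichever tool is installed.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum | cut -d' ' -f1
    fi
}

# Path of the note for an external ID key such as "gerrit:name".
# The first two hex characters form the directory, as in the comment.
extid_path() {
    h=$(sha1_hex "$1")
    printf '%s/%s\n' "$(printf '%s' "$h" | cut -c1-2)" \
                     "$(printf '%s' "$h" | cut -c3-)"
}

# Git-config body of the note file: key, accountId, optional email.
extid_body() {
    printf '[externalId "%s"]\n\taccountId = %s\n' "$1" "$2"
    [ -n "${3:-}" ] && printf '\temail = %s\n' "$3"
    return 0
}

# Print what the commit has to delete and create: old, new, accountId, email.
# The email goes only on the gerrit: entry, matching the comment's sample.
rename_plan() {
    for scheme in gerrit username; do
        mail=''
        [ "$scheme" = gerrit ] && mail=${4:-}
        printf 'delete %s\n' "$(extid_path "$scheme:$1")"
        printf 'create %s\n' "$(extid_path "$scheme:$2")"
        extid_body "$scheme:$2" "$3" "$mail"
    done
}

rename_plan zoranzoki21 kizule 12345 xxx@example.org
```

This only prints the plan; writing the files, committing, pushing to refs/meta/external-ids and flushing caches remain the manual steps listed in the comment.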

Thanks for explanations! So, renaming account would be possible?