Page MenuHomePhabricator
Create Task
Maniphest T261424

Limit maps serving to Wikimedia hosted sites only
Closed, ResolvedPublic
Actions

Description

Per this email to maps-l, in order to manage potential costs and traffic spikes, and allow our maps resources to focus on wiki community uses, we need to limit access to our maps.wilkimedia.org/osm-intl/ API to ONLY support requests FROM the Wikimedia cluster.
This means that uses of maps on the Wikimedia wikis, Cloud Services hosted tools, and any internal development or testing tools should NOT be affected.

Requests made from all other domains should be declined. There is an existing patch for this at https://gerrit.wikimedia.org/r/c/operations/puppet/+/570156

Per the announcement, we will give 45 days for the shutdown to occur, so this ticket should go into effect Monday Oct 12th.
If you have a free knowledge related use case that’s impacted by this announcement, please let us know below, or on the maps-l mailing list.

Details

SubjectRepoBranchLines +/-
Map tiles for 3rd parties: block (403) all requests, not just missesoperations/puppetproduction+40 -35
VCL: Maps Referer block: no-op!: comments & redo regex w/ commentsoperations/puppetproduction+40 -16
Customize query in gerrit

Related Objects
Search...

Event Timeline

JMinor created this task.Aug 27 2020, 3:53 PM
Restricted Application added a project: SRE. · View Herald TranscriptAug 27 2020, 3:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
CDanis subscribed.Aug 27 2020, 3:53 PM
Mholloway subscribed.Aug 27 2020, 4:01 PM
JMinor updated the task description. (Show Details)Aug 27 2020, 4:02 PM
Elitre updated the task description. (Show Details)Aug 27 2020, 4:28 PM
AntiCompositeNumber subscribed.Aug 27 2020, 5:35 PM

https://lists.wikimedia.org/pipermail/maps-l/2020-August/001729.html

Elitre updated the task description. (Show Details)Aug 27 2020, 5:35 PM
AntiCompositeNumber added a comment.Aug 27 2020, 5:39 PM

Note on https://wiki.openstreetmap.org/wiki/Tile_servers#Base_maps is updated with the deprecation notice. I'll remove it from the list entirely when external access is fully disabled.

AntiCompositeNumber updated the task description. (Show Details)Aug 27 2020, 5:39 PM
Elitre added a comment.Aug 27 2020, 5:42 PM
In T261424#6416783, @AntiCompositeNumber wrote:

Note on https://wiki.openstreetmap.org/wiki/Tile_servers#Base_maps is updated with the deprecation notice. I'll remove it from the list entirely when external access is fully disabled.

@JMinor and I were wondering how to make that happen - super grateful that you are volunteering! Thanks on behalf of the entire team.

MaxSem subscribed.Aug 27 2020, 5:58 PM
Nemo_bis subscribed.Aug 27 2020, 6:43 PM
jijiki changed the task status from Open to Stalled.Aug 27 2020, 7:51 PM
jijiki triaged this task as High priority.
jijiki subscribed.

@JMinor Please change the task's status to 'Open' when everything is ready to be merged. Thank you!

Naveenpf subscribed.Aug 28 2020, 6:39 AM
Abbe98 subscribed.Aug 28 2020, 9:06 AM
Abbe98 added a comment.Aug 28 2020, 10:12 AM

Aren't the referenced patch blocking access to all services on maps.wikimedia.org and not only osm-intl? This issue and the deprecation message sent to maps-l only addresses maps.wikimedia.org/osm-intl/.

robbi5 subscribed.Aug 28 2020, 2:34 PM
AntiCompositeNumber added a comment.Aug 28 2020, 3:25 PM

There are some uses of maps.wikimedia.org by websites that are definitely movement-affiliated but may not be hosted on Wikimedia servers (T261506: wikimedia.pl returns a HTTP 429 error (let it access varnish maps_domains), T260520: maps.wikilovesmonuments.org returns a HTTP 429 error (let it access varnish maps_domains)). The deprecation notice implies that these uses will no longer be permitted. @Elitre, can you confirm that this is the case?

AntiCompositeNumber added a project: Maps.Aug 28 2020, 3:27 PM
mxn subscribed.Aug 28 2020, 4:26 PM
Dzahn subscribed.Aug 28 2020, 6:03 PM

Isn't this already the case? I mean we just recently had to add wikilovesmonuments to the regex of allowed domains to let it use maps.wikimedia.org (T260520) and wikimedia.pl is asking to be added (T261506).

So if "limit maps serving to Wikimedia hosted sites only" wasn't already the status quo then why would we have to add to this:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/621342/3/modules/varnish/templates/upload-frontend.inc.vcl.erb

Dzahn added a comment.Aug 28 2020, 6:06 PM

It seems like this statement:

only support requests from the Wikimedia cluster

is in conflict with this statement:

Cloud Services hosted tools, and any internal development or testing tools should not be affected.

Per comments on Gerrit, this would only work if wmcloud.org etc would also be added.

JMinor added a comment.Aug 28 2020, 6:08 PM

@AntiCompositeNumber our intention was to create a clear, maintainable, line around what domains would be supported. We'd really like to avoid setting up policies and processes to build exception lists, so the limit to "hosted domains" came from that. However, we don't want to impede or remove support for something vital, and obviously an exception was already made for the existing "cache only" policy for wikilovesmonuments.org.

For the Polish affiliate, we could consider including affiliates domains, though I don't know, apart from the bug you link to, what scale of support or how many domains that would involve.

If people know Wikimedia affiliated groups potentially negatively impacted by this, please consider connecting us, either here or via email to @Elitre or me.

CDanis added a comment.Aug 28 2020, 6:09 PM

My two cents:

I suspect it's merely the case that the language in the announcement was somewhat imprecise. That's understandable; this isn't a simple situation.

It seems very reasonable to me that we'd support all WMCS usages, as well as usages by Wikimedia affiliates, as well as anything of direct value to the overall movement.

What we don't want to support are (for instance) Pokémon GO fan sites, which were once a double-digit percentage of traffic.

I am happy to +2 and merge any patches to implement the above into reality.

JMinor added a comment.EditedAug 28 2020, 6:10 PM

" from the Wikimedia cluster"

is a naive Product person's use of that term. I apologize if that imprecision is causing misunderstanding.

Cloud Services hosted tools, and any internal development or testing tools should not be affected.

Is the ultimate intention.

So I'd say changes to the patch to support that are welcome.

@CDanis captures the situation well!

BBlack subscribed.Aug 28 2020, 6:16 PM
This comment was removed by BBlack.
BBlack added a comment.Aug 28 2020, 6:21 PM

[Removed my earlier comment because I had failed to refresh this ticket and catch up on all the other recent traffic, which changes everything]

If we're going to preserve access for community sites that request it, we're going to need some reasonable mechanism around that, or it will devolve into a case of infrastructure staff making educated guesses as to the legitimacy of requests from unrelated 3rd-party sites and domains that claim a community connection...

JMinor added a comment.Aug 28 2020, 6:37 PM

"So if "limit maps serving to Wikimedia hosted sites only" wasn't already the status quo then why would we have to add to this

My understanding is that, currently, cached tiles are returned to all requests, uncached tiles only to "hosted sites" (+the exception(s) being discussed). This change is to decline all requests, not just uncached requests, for "non Wikimedia hosted" domains. Additionally the status quo is a "temporary" response to an incident. This change is a deliberate and "permanent" (as any wiki thing can be) change in who we support with our maps.

@BBlack Totally agree. We tried to draw a bright line partly because of that. Not only should individual infrastructure staff not be in that position, I don't think we want anyone in that position!

For now I'd like to give the announcement time for people to be aware of it, and @Elitre and I will make an effort to reach out to anyone who might fall into these cracks and understand if there are alternatives or if we need to "grandfather" some folks in before this change goes into effect.

CDanis added a comment.Aug 28 2020, 6:43 PM

@JMinor @Elitre Although some of this is already mentioned upwards in this task, here's a summary of the community objections I'm aware of so far:

One bright line that we could draw is "affiliates and other community projects that are listed on metawiki". I think that would be both reasonable and workable. (Although I think any additions to the list of allowed sites should be reactive to requests, not proactive based on everything already on meta.)

Multichill awarded a token.Aug 28 2020, 8:10 PM
Multichill added subscribers: Katherine-WMF, Multichill.Aug 28 2020, 8:20 PM

I noticed the announcement on the maps-l list and I also noticed https://twitter.com/krmaher/status/1299203640188690434 where @Katherine-WMF replied. Someone recently mention to me "the only way to prevent WMF people from doing making stupid mistakes these days is tagging Katherine on Twitter".

This is one of those mistakes. The maps service was always something the volunteers wanted more than the WMF. Finally after many years we have a production service, but the quality of managing the service is probably best described as "leaving it rot somewhere in the corner". Of course it gets more popular and any service with such poor maintenance will fall over at some point. That's what happened. Instead of severely limiting this service you should start maintaining it properly. The current state of the maps service is a disgrace.

Multichill added a subscriber: Tnegrin.Aug 28 2020, 8:21 PM
Elitre updated the task description. (Show Details)Aug 31 2020, 11:49 AM
Elitre updated the task description. (Show Details)
JeanFred subscribed.Aug 31 2020, 12:23 PM
CDanis added a subscriber: Gehel.Aug 31 2020, 4:43 PM

FTR, in T261506 I added wikimedia.pl to our list of allowed domains.

  • They're an affiliate, listed on metawiki for some time, which I think is the closest thing we have to a 'bright line' right now.
  • It was a time-sensitive request
  • It was similar in nature to the already-allowed wikilovesmonuments, which seemed uncontroversial.

Although I haven't had a chance to discuss with @Elitre @JMinor & @Gehel I think supporting affiliates makes some sense.

JMinor added a comment.Aug 31 2020, 8:33 PM

@CDanis

Yes, I will make a subtask for tracking these and any other affiliated domains that need an exemption.

We're also send an update to the mailing list letting people know they can reach out to me or @Elitre or comment on the subtask to request an exception for their affiliate site or recognized user group.

JMinor added a comment.Aug 31 2020, 8:34 PM

To this specifically:

Someone recently mention to me "the only way to prevent WMF people from doing making stupid mistakes these days is tagging Katherine on Twitter".

The person who tweeted at Katherine did not reply to the email announcement or comment on this ticket. So no, it wasn't the "only way" to get our attention or point to potential issues. In fact, because we generally don't consider Twitter a movement venue (like mailing lists or phab) it is actually a really inefficient way to get our attention.

LGoto moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Sep 2 2020, 3:47 PM
seav subscribed.Sep 3 2020, 10:03 AM
CamelCaseNick subscribed.Sep 12 2020, 10:32 PM
MSantos moved this task from All map-related tasks to Production Infrastructure on the Maps board.Sep 24 2020, 10:44 AM
gerritbot added a comment.Oct 6 2020, 7:35 PM

Change 632539 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] VCL: Maps Referer block: no-op!: comments & redo regex w/ comments

https://gerrit.wikimedia.org/r/632539

gerritbot added a project: Patch-For-Review.Oct 6 2020, 7:35 PM
gerritbot added a comment.Oct 6 2020, 8:02 PM

Change 632539 merged by CDanis:
[operations/puppet@production] VCL: Maps Referer block: no-op!: comments & redo regex w/ comments

https://gerrit.wikimedia.org/r/632539

Maintenance_bot removed a project: Patch-For-Review.Oct 6 2020, 8:10 PM
Elitre added a comment.Oct 13 2020, 9:27 AM

@JMinor @JKatzWMF please give your Go to get this done. Thanks!

MSantos mentioned this in T261694: Support maps serving for affiliate sites via an allow list.Oct 13 2020, 1:29 PM
JMinor added a comment.Oct 13 2020, 4:56 PM

Yes, I think everyone who requested to be added to the allow list has been added. There were a couple questions on the mailing list related to OSM chapters usage. I have reached out to those folks a couple times, but received no answer. So, I think we are clear to merge the change, as is.

@sdkim

CDanis added a comment.Oct 13 2020, 5:42 PM
In T261424#6539494, @JMinor wrote:

Yes, I think everyone who requested to be added to the allow list has been added. There were a couple questions on the mailing list related to OSM chapters usage. I have reached out to those folks a couple times, but received no answer. So, I think we are clear to merge the change, as is.

Thanks @JMinor. I should have time to write and deploy the patch later this week.

CDanis claimed this task.Oct 13 2020, 5:42 PM
gerritbot added a comment.Oct 14 2020, 2:07 PM

Change 634024 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] Map tiles for 3rd parties: block (403) all requests, not just misses

https://gerrit.wikimedia.org/r/634024

gerritbot added a project: Patch-For-Review.Oct 14 2020, 2:07 PM
gerritbot added a comment.Oct 14 2020, 2:22 PM

Change 634024 merged by CDanis:
[operations/puppet@production] Map tiles for 3rd parties: block (403) all requests, not just misses

https://gerrit.wikimedia.org/r/634024

CDanis closed this task as Resolved.Oct 14 2020, 2:23 PM

This will be taking effect over the next half hour.

If you are affected by this, and believe you have a maptiles use case that supports the Movement, please post at T261694.

AntiCompositeNumber added a comment.Oct 14 2020, 2:54 PM

I've removed Wikimedia Maps from https://wiki.openstreetmap.org/wiki/Tile_servers.

Maintenance_bot removed a project: Patch-For-Review.Oct 14 2020, 3:10 PM
Elitre awarded a token.Oct 14 2020, 3:49 PM

Thanks to everyone involved.

aapeli mentioned this in T267170: Update Maps Terms of Service to reflect changes in third-party use.Nov 3 2020, 9:48 PM
AntiCompositeNumber added a subtask: T267170: Update Maps Terms of Service to reflect changes in third-party use.Nov 3 2020, 11:35 PM
Legoktm closed subtask T267170: Update Maps Terms of Service to reflect changes in third-party use as Resolved.Jul 28 2021, 5:31 PM
Legoktm closed subtask T261694: Support maps serving for affiliate sites via an allow list as Resolved.Aug 5 2021, 11:19 AM
C933103 subscribed.EditedMar 4 2023, 12:30 PM

Is it an intended effect of this ticket or is it a bug that now when I access https://maps.wikimedia.org/ from browser by entering the URL into browser URL bar directly, I get an error saying

Request from 221.127.107.156 via cp5026 cp5026, Varnish XID 729746413
Upstream caches: cp5026 int
Error: 403, Forbidden: Map tiles are restricted to Wikimedia & affiliated sites only. See https://wikitech.wikimedia.org/wiki/Maps/External_usage if you believe your usage supports the Movement. at Sat, 04 Mar 2023 12:24:42 GMT

?

Aklapper added a comment.Mar 4 2023, 1:05 PM

@C933103: This ticket has been closed for 29 months. Please file separate tickets for separate topics. Thanks. (Plus I cannot reproduce.)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL