Page MenuHomePhabricator

wikitech: INSERT command denied to user 'wikiuser'@'10.64.32.36' for table 'comment' (10.64.0.98)
Open, Stalled, LowestPublic

Description

I just saw the following error on logstash from the jobrunner:

INSERT command denied to user 'wikiuser'@'10.64.32.36' for table 'comment' (10.64.0.98)


message	   	Error 1142 from CommentStore::createComment, INSERT command denied to user 'wikiuser'@'10.64.32.36' for table 'comment' (10.64.0.98) INSERT INTO `comment` (comment_hash,comment_text,comment_data) VALUES (2078472998,'/* Tech News: 2020-47 */ new section',NULL) 10.64.0.98

 server	   	jobrunner.discovery.wmnet
t servergroup	   	other
t severity	   	err
t shard	   	s10
t sql1line	   	INSERT INTO `comment` (comment_hash,comment_text,comment_data) VALUES (2078472998,'/* Tech News: 2020-47 */ new section',NULL)
t tags	   	input-kafka-rsyslog-udp-localhost, rsyslog-udp-localhost, kafka, es, es
t timestamp	   	2020-11-16T15:44:35+00:00
t type	   	mediawiki
t url	   	/rpc/RunSingleJob.php
t wiki	   	labswiki

@Andrew has something changed there? The error was on db1128 (m5/wikitech master)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Nothing has changed that I know of. That IP is a prod mw server (mw1334.eqiad.wmnet); I've no idea why it would be trying to insert into the wikitech database.

Assuming nothing nefarious is happening and this is just an attempt to write to every wiki everywhere, T167973 would almost certainly resolve this. I'm not sure this particular bug is worth investigating.

It's coming from the job runner, given the values shown this is likely a
post distributed via MassMessage or something that expects to be able to
write cross-wiki, and a wikitech page was one of the expected destinations?
This probably should've been permitted

Andrew changed the task status from Open to Stalled.Dec 8 2020, 5:34 PM
Andrew triaged this task as Lowest priority.
Andrew moved this task from Inbox to Graveyard on the cloud-services-team (Kanban) board.

oh, we already have a task :)

I honestly think this should be lifted. Namely, this prevents stewards from touching wikitech's permissions from Meta. That might be desired, but I would prefer a no-exception solution to that :).

This is yet another side effect of T237773: Move Wikitech onto the production MW cluster / T167973: Move database for wikitech (labswiki) to a main cluster section lingering in the backlog. Wikitech is a snowflake and will continue to be a snowflake until it is merged in to the shared MediaWiki hosting infrastructure.