
Sort out the 5 tool accounts with strange mysql usernames
Open, Medium, Public

Description

There's something strange going on with 5 tools accounts that surfaced due to the attached patch when I manually patched it into the server to try it out while I was watching.

tools.sbot, tools.xtools-ec, tools.pagepile, tools.ib2test, tools.wikidata-recon have mysql usernames that do NOT match their UIDs. In every case, it's some other number, typically for a different tool.

Therefore, when trying to check for new tools by UID instead of username, they come up as "new" tools and then fail because you cannot have two of the same exact username in the accounts table of the database for maintain-dbusers.

Write access to toolsdb is handled by username, so this does not seem like a good or sensible situation. It also makes these user accounts somewhat fragile if we need to rotate their credentials.

Event Timeline

Bstorm created this task.

tools.sbot is using the mysql name s51848 (which would seem like the correct username for tools.db).

bstorm@tools-sgebastion-08:~$ id tools.sbot
uid=51916(tools.sbot) gid=51916(tools.sbot) groups=51916(tools.sbot)
bstorm@tools-sgebastion-08:~$ id 51848
uid=51848(tools.db) gid=51848(tools.db) groups=51848(tools.db)

Incidentally, tools.db has the same credentials file as sbot, which makes me think this was intentional. tools.xtools-ec is using the account of xtools (also apparently intentional). This doesn't seem very supportable.
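The mismatch described in this task can be checked mechanically. The following is an added example, not code from the task or from maintain-dbusers: it compares each tool's UID with the MySQL user in its credentials file and also lists MySQL users held by more than one tool. It assumes the naming rule is `s` followed by the tool's own UID (inferred from the s51848 / 51848 pair above) and that the credentials file is a MySQL option file with a `[client]` section; `tools.example` and its values are constructed.

```python
import configparser
from collections import defaultdict

# Constructed sample data. The UIDs and MySQL user for tools.sbot and tools.db
# are the ones shown in the task; tools.example and its values are made up.
PASSWD = {"tools.sbot": 51916, "tools.db": 51848, "tools.example": 59999}
CNF = {
    "tools.sbot": "[client]\nuser = s51848\npassword = REDACTED\n",
    "tools.db": "[client]\nuser = s51848\npassword = REDACTED\n",
    "tools.example": "[client]\nuser = s59999\npassword = REDACTED\n",
}


def mysql_user(cnf_text):
    """Return the user from the [client] section of a MySQL option file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cnf_text)
    return parser.get("client", "user").strip("'\"")


def audit(passwd, cnf_by_tool):
    """Report tools whose MySQL user is not s<uid>, and users that are shared."""
    mismatched = {}
    holders = defaultdict(list)
    for tool, uid in sorted(passwd.items()):
        user = mysql_user(cnf_by_tool[tool])
        holders[user].append(tool)
        if user != f"s{uid}":  # assumed naming rule: "s" + the tool's own UID
            mismatched[tool] = user
    shared = {u: t for u, t in holders.items() if len(t) > 1}
    return mismatched, shared


if __name__ == "__main__":
    mismatched, shared = audit(PASSWD, CNF)
    for tool, user in mismatched.items():
        print(f"{tool}: uid {PASSWD[tool]} but MySQL user {user}")
    for user, tools in shared.items():
        print(f"{user} is shared by {', '.join(tools)}")
```

The shared-user list matters for credential rotation: every tool named under one MySQL user has to receive the new password at the same time.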

Change 674151 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[operations/puppet@production] maintain-dbusers: rely on the UIDS, not username

https://gerrit.wikimedia.org/r/674151

> Incidentally, tools.db has the same credentials file as sbot, which makes me think this was intentional. tools.xtools-ec is using the account of xtools (also apparently intentional). This doesn't seem very supportable.

This may have been done purposefully at some point in the past to give multiple tools read-write access to the same toolsdb databases.

That's my guess here. It's not a very sustainable practice across multiple servers and rebuilds. I think it's likely that some may even have been overwritten over time and there were once more than 5.

> tools.xtools-ec is using the account of xtools (also apparently intentional). This doesn't seem very supportable.
>
> This may have been done purposefully at some point in the past to give multiple tools read-write access to the same toolsdb databases.

I have no memory of doing this, but your theory sounds correct. At any rate, xtools-ec has long been retired. We only need the redirect to keep all the old backlinks working, so if you need to rotate the credentials for that account or whatever, go for it. The main xtools account credentials (s51187) are still in use, though.

Change 674151 abandoned by Bstorm:

[operations/puppet@production] maintain-dbusers: rely on the UIDS, not username for all accounts

Reason:

Until the underlying problem of duplicate accounts is fixed, this isn't worth keeping open.

https://gerrit.wikimedia.org/r/674151