Ghost global accounts having global permissions
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	MarcoAurelio
	Jan 20 2022, 3:29 PM

Description

For the queries that led to this, please see:

P18946 (An Untitled Masterwork)

1	MariaDB [centralauth_p]> SELECT gu_id, gu_name FROM globaluser JOIN global_user_groups ON gu_id=gug_user WHERE gug_group = 'steward';
2	+----------+-----------------+
3	\| gu_id \| gu_name \|
4	+----------+-----------------+
5	\| 217 \| DerHexer \|
6	\| 293 \| Masti \|
7	\| 327 \| Melos \|
8	\| 344 \| Vituzzu \|
9	\| 1091 \| Wim b \|
10	\| 7061 \| Linedwell \|
11	\| 25549 \| Ruslik0 \|
12	\| 133478 \| Cromium \|
13	\| 200064 \| Schniggendiller \|
14	\| 754815 \| MarcGarver \|
15	\| 1127005 \| RadiX \|
16	\| 1284147 \| Bsadowski1 \|
17	\| 1330592 \| Operator873 \|
18	\| 1577168 \| Sotiale \|
19	\| 2769878 \| Tegel \|
20	\| 3003335 \| Trijnstel \|
21	\| 3173603 \| Hoo man \|
22	\| 5422243 \| Teles \|
23	\| 7108377 \| AmandaNP \|
24	\| 7270407 \| -revi \|
25	\| 8015849 \| علاء \|
26	\| 8083616 \| Stryn \|
27	\| 9429345 \| Matanya \|
28	\| 10180704 \| Base \|
29	\| 10528483 \| Wiki13 \|
30	\| 10584730 \| MusikAnimal \|
31	\| 11117413 \| MarcoAurelio \|
32	\| 11390199 \| Defender \|
33	\| 32086292 \| Stanglavine \|
34	\| 33521456 \| Tks4Fish \|
35	\| 34722510 \| Martin Urbanec \|
36	\| 38085868 \| Sakretsu \|
37	\| 40996903 \| HakanIST \|
38	\| 48513248 \| Jon Kolbert \|
39	+----------+-----------------+
40	34 rows in set (0.01 sec)
41
42	MariaDB [centralauth_p]> SELECT * FROM global_user_groups WHERE gug_group = 'steward';
43	+----------+-----------+------------+
44	\| gug_user \| gug_group \| gug_expiry \|
45	+----------+-----------+------------+
46	\| 99 \| steward \| NULL \|
47	\| 217 \| steward \| NULL \|
48	\| 293 \| steward \| NULL \|
49	\| 327 \| steward \| NULL \|
50	\| 344 \| steward \| NULL \|
51	\| 456 \| steward \| NULL \|
52	\| 1091 \| steward \| NULL \|
53	\| 7061 \| steward \| NULL \|
54	\| 25549 \| steward \| NULL \|
55	\| 133478 \| steward \| NULL \|
56	\| 200064 \| steward \| NULL \|
57	\| 754815 \| steward \| NULL \|
58	\| 1127005 \| steward \| NULL \|
59	\| 1284147 \| steward \| NULL \|
60	\| 1330592 \| steward \| NULL \|
61	\| 1498691 \| steward \| NULL \|
62	\| 1577168 \| steward \| NULL \|
63	\| 2769878 \| steward \| NULL \|
64	\| 3003335 \| steward \| NULL \|
65	\| 3173603 \| steward \| NULL \|
66	\| 5422243 \| steward \| NULL \|
67	\| 7108377 \| steward \| NULL \|
68	\| 7270407 \| steward \| NULL \|
69	\| 8015849 \| steward \| NULL \|
70	\| 8083616 \| steward \| NULL \|
71	\| 9429345 \| steward \| NULL \|
72	\| 10180704 \| steward \| NULL \|
73	\| 10528483 \| steward \| NULL \|
74	\| 10584730 \| steward \| NULL \|
75	\| 11117413 \| steward \| NULL \|
76	\| 11390199 \| steward \| NULL \|
77	\| 32086292 \| steward \| NULL \|
78	\| 33521456 \| steward \| NULL \|
79	\| 34722510 \| steward \| NULL \|
80	\| 38085868 \| steward \| NULL \|
81	\| 40996903 \| steward \| NULL \|
82	\| 48513248 \| steward \| NULL \|
83	+----------+-----------+------------+
84	37 rows in set (0.00 sec)
85
86	MariaDB [centralauth_p]> SELECT * FROM globaluser WHERE gu_id = '99';
87	Empty set (0.00 sec)
88
89	MariaDB [centralauth_p]> SELECT * FROM globaluser WHERE gu_id = '456';
90	Empty set (0.00 sec)
91
92	MariaDB [centralauth_p]> SELECT * FROM globaluser WHERE gu_id = '1498691';
93	Empty set (0.00 sec)
94
95
96	MariaDB [centralauth_p]> SELECT DISTINCT gug_group from global_user_groups;
97	+-------------------------+
98	\| gug_group \|
99	+-------------------------+
100	\| Cabal \|
101	\| abusefilter-helper \|
102	\| abusefilter-maintainer \|
103	\| apihighlimits-requestor \|
104	\| captcha-exempt \|
105	\| founder \|
106	\| global-bot \|
107	\| global-deleter \|
108	\| global-flow-create \|
109	\| global-interface-editor \|
110	\| global-ipblock-exempt \|
111	\| global-rollbacker \|
112	\| global-sysop \|
113	\| new-wikis-importer \|
114	\| oathauth-tester \|
115	\| ombuds \|
116	\| staff \|
117	\| steward \|
118	\| sysadmin \|
119	\| vrt-permissions \|
120	\| wmf-ops-monitoring \|
121	\| wmf-researcher \|
122	+-------------------------+
123	22 rows in set (0.01 sec)
124
125	Note: 'Cabal' was deleted ages ago (joke global group), and is still listed. And:
126
127	MariaDB [centralauth_p]> select * from global_user_groups WHERE gug_group = 'Cabal';
128	+----------+-----------+------------+
129	\| gug_user \| gug_group \| gug_expiry \|
130	+----------+-----------+------------+
131	\| 99 \| Cabal \| NULL \|
132	+----------+-----------+------------+
133	1 row in set (0.00 sec)
134

CentralAuth should eliminate global user groups from global accounts before the account deletion/unattachment, and I assume we'd need a maintenance script to remove leftover global groups for these ghost global accounts on Wikimedia wikis too.

I assume those gu_id identifiers won't be used anymore, but still it'd be nice to get these cleaned up to ensure data consistency.

Related Objects
Search...

Status	Assigned	Task
Resolved	taavi	T299650 Ghost global accounts having global permissions
Resolved	taavi	T160464 Investigate global usergroup "Cabal" (which was created as a joke/test when global user rights got installed)
Resolved	taavi	T208046 Remove member from non-existent global group

Event Timeline

MarcoAurelio created this task.Jan 20 2022, 3:29 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2022, 3:29 PM

MarcoAurelio added subtasks: T160464: Investigate global usergroup "Cabal" (which was created as a joke/test when global user rights got installed), T208046: Remove member from non-existent global group .Jan 20 2022, 3:30 PM

CentralAuth should eliminate global user groups from global accounts before the account deletion/unattachment

Are there any use cases for global account deletion/unattachement these days? I'm wondering if it's possible to just delete those features instead of adding more complexity to that logic.

In T299650#7636797, @Majavah wrote:

CentralAuth should eliminate global user groups from global accounts before the account deletion/unattachment

Are there any use cases for global account deletion/unattachement these days? I'm wondering if it's possible to just delete those features instead of adding more complexity to that logic.

There were 9 account deletions in the last 5 years (https://meta.wikimedia.org/wiki/Special:Log?type=globalauth&user=&page=&wpdate=&tagfilter=&subtype=delete). For most of them I don't really understand why it was performed.

In T299650#7636797, @Majavah wrote:

CentralAuth should eliminate global user groups from global accounts before the account deletion/unattachment

Are there any use cases for global account deletion/unattachement these days? I'm wondering if it's possible to just delete those features instead of adding more complexity to that logic.

At least on WMF wikis I have not encountered the need to delete global accounts in ages after SUL-Finalization. However CentralAuth is also used elsewhere, and I think it'd be great to fix the underlying issue so this stops happening in the future.

Another approach could be preventing global account deletions with global permissions, asking the steward to remove the user from these groups first; if that's simpler.

Mentioned in SAL (#wikimedia-operations) [2022-01-24T19:09:38Z] <taavi> deleted centralauth.global_user_groups for 10 non-existent users T299650

Manually deleted those rows:

wikiadmin@10.64.48.109(centralauth)> SELECT gu_id, gu_name FROM globaluser WHERE gu_id IN (99, 456, 6888, 25914, 1498691, 1936335, 3159104, 3179225);
Empty set (0.001 sec)

wikiadmin@10.64.48.109(centralauth)> SELECT gug_user, gug_group, gug_expiry FROM global_user_groups WHERE gug_user IN (99, 456, 6888, 25914, 1498691, 1936335, 3159104, 3179225);
+----------+-------------------------+------------+
| gug_user | gug_group               | gug_expiry |
+----------+-------------------------+------------+
|       99 | Cabal                   | NULL       |
|       99 | steward                 | NULL       |
|      456 | steward                 | NULL       |
|     6888 | global-sysop            | NULL       |
|    25914 | global-rollbacker       | NULL       |
|  1498691 | steward                 | NULL       |
|  1936335 | global-interface-editor | NULL       |
|  3159104 | global-rollbacker       | NULL       |
|  3159104 | global-sysop            | NULL       |
|  3179225 | global-rollbacker       | NULL       |
+----------+-------------------------+------------+
10 rows in set (0.001 sec)

wikiadmin@10.64.48.109(centralauth)> DELETE FROM global_user_groups WHERE gug_user IN (99, 456, 6888, 25914, 1498691, 1936335, 3159104, 3179225);
Query OK, 10 rows affected (0.001 sec)

wikiadmin@10.64.48.109(centralauth)> SELECT gug_user, gug_group, gug_expiry FROM global_user_groups WHERE gug_user IN (99, 456, 6888, 25914, 1498691, 1936335, 3159104, 3179225);
Empty set (0.000 sec)

Remaining action items are fixing global group deletion (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/755719/) and account deletion creating these stale rows.

taavi claimed this task.Jan 24 2022, 7:12 PM

taavi closed subtask T208046: Remove member from non-existent global group as Resolved.Jan 25 2022, 4:56 PM

taavi closed subtask T160464: Investigate global usergroup "Cabal" (which was created as a joke/test when global user rights got installed) as Resolved.

taavi closed this task as Resolved.Mar 30 2022, 7:12 AM

Ghost global accounts having global permissionsClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Ghost global accounts having global permissions
Closed, ResolvedPublic
Actions

Related Objects
Search...