Page MenuHomePhabricator
Create Task
Maniphest T309382

DataHub rights assignment is case-sensitive
Closed, ResolvedPublic
Actions

Description

When logging into DataHub it is possible to enter your username in either upper, lower, or mixed case.

e.g. I could use btullis, Btullis or BTULLIS as my username - as long as I supply the correct LDAP password authentication will succeed and I will be permitted access to DataHub.

However, it is only if I log in using the lowercase version of my username I am correctly added to the 'datahubadmins` group.

This is the URN for the datahubadmins group: https://datahub.wikimedia.org/group/urn:li:corpGroup:76fbf709-8faa-47e0-b31e-dee18a1b403d

This is the URN for my LDAP user: https://datahub.wikimedia.org/user/urn:li:corpuser:btullis

I have recorded the following screen capture demonstrating this. In the animation I initially log in with btullis and we can see the Domains, Users & Groups, Ingestion, and Policies lnks at the top right. Then I log out and log back in with the same password, but change the username to Btullis - this time those links have gone from the rop right.

firefox_8vIZcGKt1L.gif (960×1 px, 478 KB)

Related Objects

Event Timeline

BTullis created this task.May 27 2022, 9:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2022, 9:13 AM
BTullis updated the task description. (Show Details)May 27 2022, 9:15 AM
BTullis added subscribers: odimitrijevic, Milimetric, EChetty.May 27 2022, 9:19 AM

This relates to T307711: User Experience: Authentication and T305874: Switch DataHub authentication to OIDC but the effects are quite specific, so I thought it worth creating a specific ticket about it.

BTullis mentioned this in T307711: User Experience: Authentication.May 27 2022, 9:33 AM
Milimetric added a comment.May 27 2022, 5:53 PM

seems like a bug to me. If this is a requirement of the system, it should just lowercase transparent to the user.

odimitrijevic triaged this task as High priority.Jun 6 2022, 2:38 PM
odimitrijevic moved this task from Incoming (new tickets) to Security & Governance on the Data-Engineering board.
EChetty edited projects, added Data-Engineering-Planning; removed Data-Engineering.Jun 30 2022, 3:03 PM
EChetty moved this task from Backlog to To be Discussed on the Data-Engineering-Planning board.Jun 30 2022, 5:49 PM
EChetty moved this task from To be Discussed to Backlog on the Data-Engineering-Planning board.
JArguello-WMF moved this task from Backlog to To be Discussed on the Data-Engineering-Planning board.Jul 7 2022, 3:34 PM
EChetty moved this task from To be Discussed to Data Catalog on the Data-Engineering-Planning board.Aug 15 2022, 8:42 AM
JArguello-WMF removed a project: Data-Catalog.Jun 29 2023, 3:42 PM
JArguello-WMF added a project: Data-Catalog.Jun 29 2023, 9:24 PM
JArguello-WMF edited projects, added Data-Engineering; removed Data-Engineering-Planning.Jun 29 2023, 9:28 PM
JArguello-WMF moved this task from Security & Governance to Data Products & Metrics on the Data-Engineering board.Jun 29 2023, 10:51 PM
BTullis added a project: Data-Platform-SRE.Jun 29 2023, 11:05 PM
JArguello-WMF moved this task from Data Products & Metrics to Icebox (not considered in current quarter) on the Data-Engineering board.Jun 29 2023, 11:08 PM
JArguello-WMF removed a project: Data-Engineering.Jun 29 2023, 11:09 PM
BTullis moved this task from Incoming to Blocked / Waiting on the Data-Platform-SRE board.Aug 16 2023, 1:28 PM

Moving this to blocked, whlist we implement T305874: Switch DataHub authentication to OIDC, which we believe will fix this issue.

BTullis mentioned this in T305874: Switch DataHub authentication to OIDC.Aug 17 2023, 10:32 AM
BTullis mentioned this in T344212: nshahquinn-wmf cannot edit in DataHub.Aug 17 2023, 10:53 AM
jbond subscribed.Aug 17 2023, 11:21 AM
BTullis added a comment.Sep 4 2023, 3:16 PM

This is looking good for closure, once we can promote the change in T305874: Switch DataHub authentication to OIDC to production.
The users will log into the https://idp.wikimedia.org using their wikitech username (which is their LDAP CN value) and their shell username will always be what is passed through to DataHub as the username.

Stevemunene claimed this task.Sep 18 2023, 1:31 PM
Stevemunene moved this task from Blocked / Waiting to In Progress on the Data-Platform-SRE board.
Stevemunene closed this task as Resolved.Sep 19 2023, 2:50 PM

This was resolved by the switch to OIDC, marking it as resolved.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL