Maniphest T320426

Figure out where/how to store IDM internal data
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	MoritzMuehlenhoff
	Oct 10 2022, 2:37 PM

Description

Various data will be modified when operating/using the IDM:

The majority of settings managed by the IDM are stored within the LDAP directory (which is already redundantly stored and allows for multi master changes)
Some settings are specific to the setup of the IDM (e.g. configuring which attributes are required/optional e.g.). These will be modified via Puppet centrally
Some settings will likely only be stored within the IDM (e.g. preferences within the Django admin backend). One option would be to store these e.g. in sqlite3, but given that we already operate a highly performant MySQL cluster (which is also redundant across data centers), it makes sense to use a MariaDB/MySQL database. This means we need to work with the DBAs to create database(s), manage grants and sort out backups.

Details

	Subject	Repo	Branch	Lines +/-
	production-m5.sql.erb: Add idm and idm_staging users	operations/puppet	production	+19 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T189531 All Wikimedia developer services should use single sign-on
Open		None	T363125 sustainability of wikitech.wikimedia.org
Open		None	T161859 Make Wikitech an SUL wiki
Open		SLyngshede-WMF	T163478 Allow viewing/searching LDAP account creations including date
Resolved		None	T153821 wikitech.wikimedia.org missing from pageviews API
Open		None	T148048 Store Wikimedia unified account name (SUL) in LDAP directory
Open		taavi	T359428 Striker should use ID instead of username to identify SUL accounts
Open		None	T237773 Move Wikitech onto the production MW cluster
Resolved		• Marostegui	T167973 Move database for wikitech (labswiki) to a main cluster section
Resolved		Andrew	T188029 Move labswiki database to m5
Resolved		• Marostegui	T282074 Audit labswiki grants
Resolved		Andrew	T282209 Enable connection from labweb1001/labweb1002 to s6
Declined		Andrew	T282573 Move labweb/cloudweb hosts to private IPs
Resolved		Andrew	T284106 Replicate & sanitize wikitech data
Resolved		Andrew	T284108 Bring labswiki database tables up to date
Resolved		Ladsgroup	T269348 wikitech database has almost all of its varbinary fields wrong
Duplicate		None	T284736 Create views on labswiki on clouddb* hosts
Resolved		• Bstorm	T287442 Create views for labswiki (wikitech)
Declined		None	T237889 Install php-ldap on all MW appservers
Resolved		taavi	T237890 Remove and empty useless user groups
Resolved		Jdforrester-WMF	T196466 Remove 'shell user' right on wikitech
Declined		None	T246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
Open		jijiki	T292707 Migrate Wikitech to Kubernetes
Open		None	T359551 Replace wikitech as source of two-factor auth protection for developer accounts
Open	Feature	None	T359554 Use IDP for authentication in Striker
Stalled	Feature	None	T359590 Use IDP for authentication in Horizon
Open	Feature	SLyngshede-WMF	T359552 Enable self-service IDP two-factor authentication management
Open		None	T359820 Add developer account (un)blocking support to Bitu
Open		Andrew	T360795 Set up a bitu instance for codfw1dev
Open		SLyngshede-WMF	T362128 Site: 1 VM for codfw1dev bitu deployment
Open		ABran-WMF	T362619 Database request for Bitu Cloud DEV installation
Resolved		taavi	T360883 Disable email address changes in Wikitech
Resolved	PRODUCTION ERROR	Tgr	T195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
Open		None	T106123 Extensions needing to be removed from Wikimedia wikis
Resolved		bd808	T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved		yuvipanda	T103995 Build a simple tool to query which instances have which roles / puppet variables
Resolved		bd808	T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
Resolved		bd808	T162508 Implement Tool Labs membership application and processing in Striker
Resolved		bd808	T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Open		taavi	T161553 Remove OpenStackManager from Wikitech
Resolved		taavi	T196171 Developer account creation without OpenStackManager
Declined		None	T179463 Create a single application to provision and manage developer (LDAP) accounts
Open		None	T319405 Create an IDM for Wikimedia developer accounts
Resolved		SLyngshede-WMF	T319407 IDM milestone 1 "Initial development work"
Resolved		• Marostegui	T320426 Figure out where/how to store IDM internal data

Event Timeline

MoritzMuehlenhoff created this task.Oct 10 2022, 2:37 PM

We need two databases, one for production and one for staging.

The size of the databases are not expected to exceed a few hundred MB.

Do you have any expected size/growth for those databases?
Amount of writes/reads (roughly)?
Also, the hosts should be able to connect to the dbproxy* hosts, as we route our connections via them.
ie: m5-master.eqiad.wmnet

• Marostegui moved this task from Triage to In progress on the DBA board.Nov 2 2022, 12:16 PM

Growth is expected to be very low, as in 10 - 20 MB per month at the most. Similarly writes/reads will be pretty low as well as users will only need to interact with the system to request access to new systems, or approve/decline requests. Current estimate is at most 100 read requests per minute, when users interact with the system, then large periods of time with little to no reads. Write are expected to be lower.

As development processes I expect to be able to deliver better estimates.

Access via dbproxy is fine, whatever ever the DBA deems best.

That seems fine indeed.
How many users would you need? One with all privileges? one for writes and another one for reads?

Just one user with all privileges. The application is based on Django and will need to be able to manage schema migration internally. I don't think it makes sense to split read and write operation into two users for our use case.

But different users for the production and stage databases.

In T320426#8362747, @SLyngshede-WMF wrote:

But different users for the production and stage databases.

That makes sense.

In T320426#8362744, @SLyngshede-WMF wrote:

Just one user with all privileges. The application is based on Django and will need to be able to manage schema migration internally. I don't think it makes sense to split read and write operation into two users for our use case.

Are you able to figure out which ones those are?
Obviously I would guess: INSERT, DELETE, UPDATE, SELECT, ALTER, CREATE?

The documentation mostly says "all", but CREATE, ALTER, INDEX, SELECT, UPDATE, INSERT, DELETE, REFERENCES should be the minimum.

Django do prefer that the database is create as utf8, but I suspect that's default: https://docs.djangoproject.com/en/3.2/ref/databases/#creating-your-database

That's ok - any preferred database(s) and user(s) name?

I'm think something like "idm" or identitymanager for the user. Database name is "chefs choice" :-)

We should probably go for something like:

idm
idm_staging

And same for the database name.

Seems ideal :-)

Cool, I will try to get it in place tomorrow :)

• Marostegui claimed this task.Nov 2 2022, 1:27 PM

Mentioned in SAL (#wikimedia-operations) [2022-11-03T07:14:59Z] <marostegui> Create idm and idm_staging databases on m5 T320426

Change 852728 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql.erb: Add idm and idm_staging users

https://gerrit.wikimedia.org/r/852728

gerritbot added a project: Patch-For-Review.Nov 3 2022, 7:26 AM

I have created both databases on m5 (m5-master.eqiad.wmnet)
The users are also there and avaiable:

root@cumin1001:~# mysql --ssl-verify-server-cert=false -uidm -p -h m5-master.eqiad.wmnet idm
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12237022
Server version: 10.4.26-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

idm@m5-master.eqiad.wmnet[idm]> use idm_staging;
ERROR 1044 (42000): Access denied for user 'idm'@'10.64.48.43' to database 'idm_staging'
idm@m5-master.eqiad.wmnet[idm]> Ctrl-C -- exit!
Aborted
root@cumin1001:~# mysql --ssl-verify-server-cert=false -uidm_staging -p -h m5-master.eqiad.wmnet idm_staging
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12237049
Server version: 10.4.26-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

idm_staging@m5-master.eqiad.wmnet[idm_staging]> Ctrl-C -- exit!

@SLyngshede-WMF I have left the passwords for you to productionize them on our private repo at: puppetmaster1001:/home/slyngshede/idm

Change 852728 merged by Marostegui:

[operations/puppet@production] production-m5.sql.erb: Add idm and idm_staging users

https://gerrit.wikimedia.org/r/852728