Maniphest T320806

Consider reusing some wiki data sources for signup/restrictions
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	MoritzMuehlenhoff
	Oct 14 2022, 12:41 PM

Description

@bd808 mentioned that some features of Mediawiki (in particular meta.wikimedia.org) provide useful functionality to the IDM as well:

IP range block checking via action=query&list=blocks is used to provide a small degree of protection against known abusers. This check also includes global blocks which have been created by Stewards.
User name allowed checking via action=query&list=users&usprop=cancreate. This checks against the local MediaWiki:Titleblacklist which we mostly use reserve the names of various system level accounts. Additionally the cross-wiki meta:Title blacklist is checked. The API call also invokes the protections of mw:Extension:AntiSpoof which are largely unnecessary for shell account names due to their ascii charset restrictions, but which may be useful for cn or sn attributes depending on how they are expected to be used in the resulting dataset. For currently existing developer accounts both cn and sn (should) contain the same value which is also known as the developer account's "username". This attribute is commonly used by wikitech as the wiki account username as well as being used in Gerrit, Phabricator, Horizon, Striker, and some other LDAP backed authn as the account name for authentication.

We should consider the best way to incorporate these data sources into the IDM. IP range checks might also be useful for other services in production besides the IDM.

Details

	Subject	Repo	Branch	Lines +/-
	signup: allow blocking of username with regex	operations/software/bitu	master	+174 -13

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T189531 All Wikimedia developer services should use single sign-on
Open		None	T363125 sustainability of wikitech.wikimedia.org
Open		None	T161859 Make Wikitech an SUL wiki
Open		SLyngshede-WMF	T163478 Allow viewing/searching LDAP account creations including date
Resolved		None	T153821 wikitech.wikimedia.org missing from pageviews API
Open		None	T148048 Store Wikimedia unified account name (SUL) in LDAP directory
Open		taavi	T359428 Striker should use ID instead of username to identify SUL accounts
Open		None	T237773 Move Wikitech onto the production MW cluster
Resolved		• Marostegui	T167973 Move database for wikitech (labswiki) to a main cluster section
Resolved		Andrew	T188029 Move labswiki database to m5
Resolved		• Marostegui	T282074 Audit labswiki grants
Resolved		Andrew	T282209 Enable connection from labweb1001/labweb1002 to s6
Declined		Andrew	T282573 Move labweb/cloudweb hosts to private IPs
Resolved		Andrew	T284106 Replicate & sanitize wikitech data
Resolved		Andrew	T284108 Bring labswiki database tables up to date
Resolved		Ladsgroup	T269348 wikitech database has almost all of its varbinary fields wrong
Duplicate		None	T284736 Create views on labswiki on clouddb* hosts
Resolved		• Bstorm	T287442 Create views for labswiki (wikitech)
Declined		None	T237889 Install php-ldap on all MW appservers
Resolved		taavi	T237890 Remove and empty useless user groups
Resolved		Jdforrester-WMF	T196466 Remove 'shell user' right on wikitech
Declined		None	T246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
Open		jijiki	T292707 Migrate Wikitech to Kubernetes
Open		None	T359551 Replace wikitech as source of two-factor auth protection for developer accounts
Open	Feature	None	T359554 Use IDP for authentication in Striker
Stalled	Feature	None	T359590 Use IDP for authentication in Horizon
Open	Feature	SLyngshede-WMF	T359552 Enable self-service IDP two-factor authentication management
Open		None	T359820 Add developer account (un)blocking support to Bitu
Open		Andrew	T360795 Set up a bitu instance for codfw1dev
Open		SLyngshede-WMF	T362128 Site: 1 VM for codfw1dev bitu deployment
Open		ABran-WMF	T362619 Database request for Bitu Cloud DEV installation
Resolved		taavi	T360883 Disable email address changes in Wikitech
Resolved	PRODUCTION ERROR	Tgr	T195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
Open		None	T106123 Extensions needing to be removed from Wikimedia wikis
Resolved		bd808	T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved		yuvipanda	T103995 Build a simple tool to query which instances have which roles / puppet variables
Resolved		bd808	T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
Resolved		bd808	T162508 Implement Tool Labs membership application and processing in Striker
Resolved		bd808	T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Open		taavi	T161553 Remove OpenStackManager from Wikitech
Resolved		taavi	T196171 Developer account creation without OpenStackManager
Declined		None	T179463 Create a single application to provision and manage developer (LDAP) accounts
Open		None	T319405 Create an IDM for Wikimedia developer accounts
Open		SLyngshede-WMF	T320801 Build-out for self service
Resolved		SLyngshede-WMF	T320806 Consider reusing some wiki data sources for signup/restrictions