Page MenuHomePhabricator
Create Task
Maniphest T326802

Rotate wikiuser and wikiadmin passwords
Closed, ResolvedPublic
Actions

Description

It's a new year and it makes sense to rotate our passwords to make sure we keep this habit of doing it at least once a year (and not because they get leaked).

Following the established system: New users: wikiadmin2023 and wikiuser2023. Then deploy the changes and then start dropping the old users. For wikiuser it should take at most a couple of hours but with wikiadmin we have to wait for all maint scripts to finish which might take a week.

Details

SubjectRepoBranchLines +/-
mariadb: Centralize and change wikiadmin user grantsoperations/puppetproduction+44 -33
dbtools: Update call to wikiadminoperations/softwaremaster+3 -3
dbtools: Rotate wikiuseroperations/softwaremaster+11 -11
mariadb: Rotate wikiuser to wikiuser2023operations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Ladsgroup created this task.Jan 12 2023, 1:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2023, 1:19 PM
Ladsgroup triaged this task as Medium priority.Jan 12 2023, 1:19 PM
Ladsgroup moved this task from Triage to Ready on the DBA board.
LSobanski subscribed.Jan 12 2023, 1:28 PM
RhinosF1 subscribed.Jan 12 2023, 4:46 PM
Legoktm awarded a token.Jan 12 2023, 5:19 PM
Ladsgroup moved this task from Ready to In progress on the DBA board.Jan 26 2023, 5:52 AM

Doing it.

Stashbot added a comment.Jan 26 2023, 6:32 AM

Mentioned in SAL (#wikimedia-operations) [2023-01-26T06:32:49Z] <ladsgroup@deploy1002> Synchronized private/PrivateSettings.php: Rotating wikiuser password (T326802) (duration: 07m 23s)

Ladsgroup added a comment.Jan 26 2023, 6:36 AM

wikiuser2023 is now deployed to all databases and appservers. I'm not seeing anything on wikiuser202206 anymore but I'll wait a bit before dropping the old user. Now it's time for puppet and other changes

gerritbot added a comment.Jan 26 2023, 6:37 AM

Change 883693 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/puppet@production] mariadb: Rotate wikiuser to wikiuser2023

https://gerrit.wikimedia.org/r/883693

gerritbot added a project: Patch-For-Review.Jan 26 2023, 6:37 AM
gerritbot added a comment.Jan 26 2023, 6:42 AM

Change 883695 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/software@master] dbtools: Rotate wikiuser

https://gerrit.wikimedia.org/r/883695

gerritbot added a comment.Jan 26 2023, 10:32 AM

Change 883693 merged by Ladsgroup:

[operations/puppet@production] mariadb: Rotate wikiuser to wikiuser2023

https://gerrit.wikimedia.org/r/883693

gerritbot added a comment.Jan 26 2023, 10:35 AM

Change 883695 merged by jenkins-bot:

[operations/software@master] dbtools: Rotate wikiuser

https://gerrit.wikimedia.org/r/883695

Maintenance_bot removed a project: Patch-For-Review.Jan 26 2023, 11:31 AM
Ladsgroup added a comment.Jan 26 2023, 1:55 PM

wikiuser is done, except doing labstestwiki

Ladsgroup added a comment.Jan 26 2023, 2:06 PM

Doing wikiadmin now. FWIW I made https://wikitech.wikimedia.org/wiki/MariaDB/Changing_user_passwords and will put the code somewhere today and link them in the doc.

Stashbot added a comment.Jan 26 2023, 2:31 PM

Mentioned in SAL (#wikimedia-operations) [2023-01-26T14:31:01Z] <ladsgroup@deploy1002> Synchronized private/PrivateSettings.php: Rotating wikiadmin password (T326802) (duration: 07m 04s)

gerritbot added a comment.Jan 26 2023, 2:31 PM

Change 883957 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/software@master] dbtools: Update call to wikiadmin

https://gerrit.wikimedia.org/r/883957

gerritbot added a project: Patch-For-Review.Jan 26 2023, 2:31 PM
gerritbot added a comment.Jan 26 2023, 2:48 PM

Change 883961 had a related patch set uploaded (by Ladsgroup; author: Amir Sarabadani):

[operations/puppet@production] mariadb: Centralize and change wikiadmin user grants

https://gerrit.wikimedia.org/r/883961

gerritbot added a comment.Jan 26 2023, 3:09 PM

Change 883957 merged by jenkins-bot:

[operations/software@master] dbtools: Update call to wikiadmin

https://gerrit.wikimedia.org/r/883957

Andrew mentioned this in T328131: oathauth_users schema drift on labtestwiki.Jan 27 2023, 2:00 PM
gerritbot added a comment.Jan 30 2023, 11:06 AM

Change 883961 merged by Ladsgroup:

[operations/puppet@production] mariadb: Centralize and change wikiadmin user grants

https://gerrit.wikimedia.org/r/883961

Maintenance_bot removed a project: Patch-For-Review.Jan 30 2023, 11:30 AM
Stashbot added a comment.Jan 30 2023, 11:41 AM

Mentioned in SAL (#wikimedia-operations) [2023-01-30T11:41:31Z] <Amir1> dropping old wikiadmin user (T326802)

Ladsgroup added a comment.Jan 30 2023, 1:03 PM

This is done, the next steps:

  • Update labtestwiki. I'll create a ticket
  • Improve docs and publish the automation code.
Ladsgroup closed this task as Resolved.Jan 30 2023, 1:03 PM
Ladsgroup mentioned this in T328289: update labtestwiki user and password.Jan 30 2023, 1:05 PM
Maintenance_bot moved this task from In progress to Done on the DBA board.Jan 30 2023, 1:15 PM
hashar mentioned this in T330185: Wikimedia\Rdbms\DBConnectionError: Cannot access the database: could not connect to any replica DB server; Access denied for user 'wikiuser2023'@'10.194.137.171' (using password: YES) (db2170:3311).Feb 21 2023, 4:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL