Automatically approve GitLab accounts created by Striker integration
Open, Medium, Public, Feature

Assigned To: None
Authored By: taavi, Aug 22 2023, 6:41 AM
Tokens: "Like" token, awarded by thcipriani. "Like" token, awarded by brennen. "Like" token, awarded by bd808.

Description

GitLab accounts created by Striker have already been vetted by a human when the Toolforge access request was processed, so these people should not have to wait for a second approval when trying to host a tool repo on GitLab.

Details

Title: Do the needful to approve GitLab accounts of folks who are already considered trusted contributors in other Wikimedia systems
Reference: toolforge-repos/gitlab-account-approval!1
Author: bd808
Source Branch: work/bd808/lets-get-this-party-started
Dest Branch: main

Event Timeline

bd808 changed the subtype of this task from "Task" to "Feature Request". Aug 22 2023, 2:55 PM
bd808 triaged this task as Medium priority. Aug 22 2023, 8:19 PM
bd808 moved this task from Backlog to Ready on the Striker board.

I think there are 2 variations that we would ideally handle here:

  • User has been created in GitLab via authn but is still pending admin approval
  • User has not yet been created in GitLab

For users that need approval, the /users API response for that user will contain 'state': 'blocked_pending_approval'. Granting approval can be done via the POST /users/:id/approve endpoint.

When the user is still pending creation, Striker sends them an invitation to join the project that is being created. There is no obvious way to pre-approve the user via the invite API. Something like T317376: Update GitLab repo owners when tool maintainers change could re-check for users in 'blocked_pending_approval' state and then make the approvals. That will probably be pretty hidden and magic from the POV of the users, however. Maybe it could be made less surprising with some info on the repo detail screen? Checking and possibly updating status on load of that screen would also seem reasonable to make state reconciliation easier to reason about.
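The reconciliation step described in the comment above, as an added example that is not part of the original task or of the tool's own code: it picks out accounts in the 'blocked_pending_approval' state that are already vetted and builds the POST /users/:id/approve call for each, without sending it. The host, the vetted-username set, the sample records and the function names are assumptions made for illustration.

```python
import urllib.request

GITLAB_API = "https://gitlab.example.org/api/v4"  # placeholder host (assumption)
PENDING = "blocked_pending_approval"  # state value quoted in the task

# Constructed sample of /users entries, reduced to the fields used here.
SAMPLE_USERS = [
    {"id": 101, "username": "alice", "state": "blocked_pending_approval"},
    {"id": 102, "username": "bob", "state": "active"},
    {"id": 103, "username": "mallory", "state": "blocked_pending_approval"},
    {"id": 104, "username": "carol", "state": "blocked"},  # blocked on purpose
]


def select_for_approval(users, vetted_usernames):
    """Return ids of users that are pending approval AND already vetted.

    Matching on username is an assumption: it is only safe when the identity
    provider, not the user, chooses the GitLab username.
    """
    vetted = set(vetted_usernames)
    return [
        u["id"] for u in users
        if u.get("state") == PENDING and u.get("username") in vetted
    ]


def build_approve_request(user_id, token):
    """Build, without sending, the POST /users/:id/approve call."""
    if type(user_id) is not int or user_id <= 0:
        raise ValueError(f"refusing non-numeric user id: {user_id!r}")
    return urllib.request.Request(
        f"{GITLAB_API}/users/{user_id}/approve",
        method="POST",
        headers={"PRIVATE-TOKEN": token},  # admin-scoped token
    )


def reconcile(users, vetted_usernames, token):
    """Return one approve request per vetted pending user (dry run)."""
    return [build_approve_request(uid, token)
            for uid in select_for_approval(users, vetted_usernames)]


if __name__ == "__main__":
    for req in reconcile(SAMPLE_USERS, {"alice", "bob", "carol"}, "TOKEN"):
        print(req.get_method(), req.full_url)
```

Only the exact pending state is acted on, so an account an administrator blocked for another reason ("carol" in the sample) is never re-enabled by the reconciliation pass.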

bd808 opened https://gitlab.wikimedia.org/toolforge-repos/gitlab-account-approval/-/merge_requests/1

Do the needful to approve GitLab accounts of folks who are already considered trusted contributors in other Wikimedia systems

The new Tool-gitlab-account-approval tool is now patrolling for unapproved accounts every 3 minutes and marking them as approved if it can find signs of trust for the related Developer account in multiple systems (Phabricator, Gerrit, Toolforge, ...). This is probably "good enough" for extending trust to newly created accounts.