Page MenuHomePhabricator
Create Task
Maniphest T351202

stewards1001 / stewards2001: automatically subscribe stewards to mailman lists (was: Enable API access for Mailman3)
Open, MediumPublic
Actions

Description

The stewards* production virtual machines were created (T344164) to facilitate onboarding and offboarding stewards from/their roles, see the parent task. One of the major bottlenecks when (on/off)boarding stewards is provisioning/revoking access to a number of mailing lists, such as:

  • stewards-l
  • global-sysops
  • global-renamers
  • checkuser-l
  • stewards-usergroup

I would like to wire membership management for those lists to the tool that I'm working on. However, Mailman3 doesn't have an easily accessible API. According to a discussion with @Ladsgroup I had about Mailman's API, the API exists, but it is restricted to production network and requires a secret that enables the client to access anything in Mailman.

Since the onboarding tool for stewards resides in production (ATM,stewards1001 and stewards2001), I believe it might be possible to provision the secret to those machines, and make use of the API to manage those lists automatically. Is that a correct assumption? Do we need to do anything else to make that possible? Is there a different way to automate list membership management in this case?

Details

SubjectRepoBranchLines +/-
stewards-onboarder: Add mediawiki_api to the configoperations/puppetproduction+5 -0
lists: start a class for automating certain subscriptionsoperations/puppetproduction+11 -0
stewards: add config and export dirs, steward onboarder configoperations/puppetproduction+30 -2
stewards: let puppet create /srv/exportsoperations/puppetproduction+2 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Urbanecm created this task.Nov 14 2023, 12:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 14 2023, 12:05 PM
Urbanecm added a comment.Nov 14 2023, 12:06 PM

FTR, I'm currently working on automating the various MediaWiki accesses (group membership, accounts on private wikis, etc.), but I plan on proceeding with Mailman lists reasonably soon, so I'm filling this task to get the discussion on this started.

Peachey88 subscribed.Nov 14 2023, 8:56 PM

T279023: Expose mailman3 internal REST API inside Wikimedia production network

Legoktm added a subtask: T279023: Expose mailman3 internal REST API inside Wikimedia production network.Jan 3 2024, 6:15 AM
Legoktm subscribed.Jan 3 2024, 6:19 AM

Sorry for the late response. What @Peachey88 linked to is basically still up to date on the lack of API access inside the prod network. I would suggest that said onboarding tool publishes a list of stewards/email addresses somewhere, and then a script that runs on the lists100X server can fetch said list and make the necessary changes.

Dzahn subscribed.Mar 18 2024, 5:47 PM

Following up on the last comment by Legoktm. I am also in favor of this option and would be happy to make the relevant puppet change to add a systemd timer for this on the lists server.

Could you export the list of stewards/email addresses on the stewards* machines locally and let me know where they are and then I take a look at the rest?

Dzahn added a project: collaboration-services.Mar 18 2024, 5:47 PM
Dzahn added a comment.Mar 18 2024, 6:13 PM

Specifically the mailman-wrapper syncmembers command seems like the right thing for this:

syncmembers    Add and delete members as necessary to syncronize a list's...
Jelto assigned this task to Dzahn.Mar 25 2024, 4:44 PM
Jelto triaged this task as Medium priority.
Jelto moved this task from Incoming to Backlog on the collaboration-services board.
Dzahn added a comment.Apr 1 2024, 6:57 PM

@Urbanecm What do you think? Would it be reasonable to create a text file per list on the stewards* machines that contains just an email address per line of all the users who _should_ be subscribed?

I am thinking:

  • you create text files on stewards* automatically
  • we rsync them to lists* automatically
  • we run "syncmembers" commands automatically

This will both add new users and remove offboarded users.

[lists1001:~] $ sudo mailman-wrapper syncmembers --help
Usage: mailman syncmembers [OPTIONS] FILENAME LISTSPEC

  Add and delete members as necessary to syncronize a list's membership with
  an input file.  FILENAME is the file containing the new membership, one
  member per line.  Blank lines and lines that start with a '#' are ignored.
  Addresses in FILENAME which are not current list members will be added to
  the list with delivery mode as specified with -d/--delivery.  List members
  whose addresses are not in FILENAME will be removed from the list.
  FILENAME can be '-' to indicate standard input.

Options:
  -d, --delivery [regular|mime|plain|summary|disabled]
                                  Set the added members delivery mode to
                                  'regular', 'mime', 'plain', 'summary' or
                                  'disabled'.  I.e., one of regular, three
                                  modes of digest or no delivery.  If not
                                  given, the default is regular.
  -w, --welcome-msg / -W, --no-welcome-msg
                                  Override the list's setting for
                                  send_welcome_message to added members.
  -g, --goodbye-msg / -G, --no-goodbye-msg
                                  Override the list's setting for
                                  send_goodbye_message to deleted members.
  -a, --admin-notify / -A, --no-admin-notify
                                  Override the list's setting for
                                  admin_notify_mchanges.
  -n, --no-change                 Don't actually make the changes.  Instead,
                                  print out what would be done to the list.
  -h, --help                      Show this message and exit.
Dzahn renamed this task from stewards1001 / stewards2001: Enable API access for Mailman3 to stewards1001 / stewards2001: automatically subscribe stewards to mailman lists (was: Enable API access for Mailman3).Apr 1 2024, 6:59 PM
Urbanecm added a comment.Apr 1 2024, 7:27 PM

That sounds perfect to me @Dzahn! Thanks for the suggestion.

Urbanecm added a comment.Apr 2 2024, 6:26 AM
In T351202#9639225, @Dzahn wrote:

Following up on the last comment by Legoktm. I am also in favor of this option and would be happy to make the relevant puppet change to add a systemd timer for this on the lists server.

Could you export the list of stewards/email addresses on the stewards* machines locally and let me know where they are and then I take a look at the rest?

Done:

[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ ls /home/urbanecm/data/
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ export STEWARD_ONBOARDER_CONFIG=/home/urbanecm/etc/steward-onboarder.yaml  # this config file should actually be in /etc
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ python3 onboarder.py update
== Updating mailman_list
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ ls /home/urbanecm/data/mailman_list/lists.wikimedia.org
stewards-l  stewards-usergroup
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ grep Urbanec /home/urbanecm/data/mailman_list/lists.wikimedia.org/stewards-l
Martin Urbanec <martin.urbanec@wikimedia.cz>
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$

@Dzahn: Can you please make a dry-run of syncmembers and share it as a private past on this task, so that I can take a look at the changes it would make?

Urbanecm added a comment.Apr 2 2024, 7:11 AM

We also need to move the list of users from ~urbanecm/config/users.yaml to a better location. Filled T361547 to track that. Also, we should create a more reasonable export path than somewhere in my home. Maybe /srv/exports?

Once we settle on those, we should be able to move /home/urbanecm/etc/steward-onboarder.yaml under `/etc/.

Dzahn added a comment.EditedApr 2 2024, 3:38 PM

Thank you, will do! Yes, let's use /srv/.

gerritbot added a comment.Apr 2 2024, 8:58 PM

Change #1016439 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] stewards: let puppet create /srv/exports

https://gerrit.wikimedia.org/r/1016439

gerritbot added a project: Patch-For-Review.Apr 2 2024, 8:58 PM
gerritbot added a comment.Apr 2 2024, 9:12 PM

Change #1016441 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] stewards: puppetize steward-onboarder config file and paths

https://gerrit.wikimedia.org/r/1016441

Dzahn added a comment.Apr 2 2024, 9:26 PM
In T351202#9678542, @Urbanecm wrote:

@Dzahn: Can you please make a dry-run of syncmembers and share it as a private past on this task, so that I can take a look at the changes it would make?

Done. Please see P59236

Urbanecm added a comment.Apr 2 2024, 10:16 PM
In T351202#9682286, @Dzahn wrote:
In T351202#9678542, @Urbanecm wrote:

@Dzahn: Can you please make a dry-run of syncmembers and share it as a private past on this task, so that I can take a look at the changes it would make?

Done. Please see P59236

Thanks! Unfortunately, this doesn't look good (it changes e-mail addresses of several stewards to another one, which is not intended. I changed users.yaml and re-ran the script; the dry run should now be empty. If it is, it should be ready for setting up the rsync and timer (for the stewards-l list only for now).

In the meantime, I'll be working on the other maillists (with the script now working, it should be relatively easy).

gerritbot added a comment.Mon, Apr 8, 9:02 PM

Change #1016439 abandoned by Dzahn:

[operations/puppet@production] stewards: let puppet create /srv/exports

Reason:

replaced by I67cad69044d0306de

https://gerrit.wikimedia.org/r/1016439

gerritbot added a comment.Mon, Apr 8, 9:45 PM

Change #1016441 merged by Dzahn:

[operations/puppet@production] stewards: add config and export dirs, steward onboarder config

https://gerrit.wikimedia.org/r/1016441

Dzahn moved this task from Backlog to Work in Progress (Tracking tasks) on the collaboration-services board.Tue, Apr 16, 5:27 PM
Dzahn added a comment.Fri, Apr 19, 9:23 PM
In T351202#9682432, @Urbanecm wrote:

..it changes e-mail addresses of several stewards to another one, which is not intended. I changed users.yaml and re-ran the script; the dry run should now be empty.

confirmed.

[lists1001:~] $  sudo mailman-wrapper syncmembers -n ./stewards-l stewards-l@lists.wikimedia.org
Nothing to do
gerritbot added a comment.Fri, Apr 19, 9:42 PM

Change #1022193 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] lists: start a class for automating certain subscriptions

https://gerrit.wikimedia.org/r/1022193

LSobanski moved this task from Work in Progress (Tracking tasks) to Work in Progress on the collaboration-services board.Tue, Apr 23, 10:20 AM
gerritbot added a comment.Tue, Apr 23, 9:29 PM

Change #1023505 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[operations/puppet@production] stewards-onboarder: Add mediawiki_api to the config

https://gerrit.wikimedia.org/r/1023505

gerritbot added a comment.Tue, Apr 23, 9:43 PM

Change #1023505 merged by Dzahn:

[operations/puppet@production] stewards-onboarder: Add mediawiki_api to the config

https://gerrit.wikimedia.org/r/1023505

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL