Page MenuHomePhabricator
Create Task
Maniphest T361172

Purge rows from cu_useragent
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

The cu_useragent table added in T359312: Create cu_useragent table has private data (user agent strings) which, per DBA and to ensure privacy, must be purged. The exact strategy to do this has not been decided and needs consideration because when implementing Client Hints, we did not purge rows from cu_useragent_client_hints because of the difficulty in reliably deleting rows.

The following strategies could be used:

  1. Only deleting when the primary key is below 99% (as suggested in T359312#9614750)
  2. Using a "pending deletion" column strategy:
    1. If a cu_useragent row is un-used, mark the row as "pending deletion" by updating a column for the row to be deleted in the cu_useragent table - A dedicated column would need to be added for this.
    2. Wait for this change to be applied to all replicas
    3. Check if the row pending deletion is being used again
      1. If the row is being used, then mark the row as no longer pending deletion
      2. If the row isn't being used, then delete it.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Prune rows from cu_useragent in purgeOldData.phpmediawiki/extensions/CheckUsermaster+333 -67
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved TBolligerT120734 Epic ⚡️ Improve MediaWiki's blocking tools
 OpenNoneT146837 Add ability to search by user agent from CheckUser interface
 OpenNoneT249374 CU 2.0: Filter out exact UAs in the Compare tab
 OpenNoneT147894 Create index for agent_id columns in the CheckUser result tables
 ResolvedDreamy_JazzT305930 Normalize cu_changes table
 ResolvedDreamy_JazzT361139 Normalise the user agent column in CheckUser result tables
 ResolvedDreamy_JazzT361208 Remove agent columns from CheckUser result tables
 ResolvedDreamy_JazzT361206 Stop writing old for user agent schema migration on WMF wikis
 ResolvedDreamy_JazzT361205 Stop writing old for user agent schema migration
 ResolvedDreamy_JazzT361199 Set user agent schema migration config to read new on WMF wikis
 ResolvedDreamy_JazzT361201 Set user agent schema migration config to read new in extension.json
 ResolvedDreamy_JazzT361192 Read user agent strings from the cu_useragent table in Special:CheckUser
 ResolvedDreamy_JazzT361193 Read user agent strings from the cu_useragent table in the CheckUser API
 ResolvedDreamy_JazzT361195 Read user agent strings from the cu_useragent table in Special:Investigate
 ResolvedDreamy_JazzT413893 Read from the agent_id column in misc interfaces
 ResolvedDreamy_JazzT413868 Populate the cu_useragent table and agent_id columns on WMF wikis
 ResolvedDreamy_JazzT361198 Create a maintenance script to populate the cu_useragent table and agent_id columns with values from the agent columns
 ResolvedDreamy_JazzT361196 Write to the cu_useragent table and agent_id columns on WMF wikis
 ResolvedDreamy_JazzT361197 Write to the cu_useragent table and agent_id columns on by default in extension.json
 ResolvedDreamy_JazzT361172 Purge rows from cu_useragent
 ResolvedDreamy_JazzT361173 Add schema migration config for cu_useragent table
 ResolvedDreamy_JazzT361140 Add user agent ID column to each CheckUser result table
 ResolvedDreamy_JazzT359312 Create cu_useragent table
 ResolvedMarosteguiT361631 Unable to create table cu_useragent on labtestwiki
 DeclinedNoneT328289 update labtestwiki user and password
 ResolvedPapaulT369308 Decommission clouddb2002-dev.codfw.wmnet
 ResolvedtaaviT378260 Retire labtestwiki
 ResolvedMarosteguiT361673 Filter cu_useragent on sanitarium
 ResolvedSnwachukwuT361210 Changes to the cuc_agent column in the cu_changes table

Event Timeline

Dreamy_Jazz created this task.Mar 27 2024, 11:54 PM
Dreamy_Jazz added a subtask: T359560: Create the CheckUserDataPruner service.Mar 27 2024, 11:57 PM
Dreamy_Jazz added a subtask: T361173: Add schema migration config for cu_useragent table.Mar 28 2024, 9:31 AM
Dreamy_Jazz mentioned this in T361196: Write to the cu_useragent table and agent_id columns on WMF wikis.Mar 28 2024, 10:00 AM
Dreamy_Jazz mentioned this in T361197: Write to the cu_useragent table and agent_id columns on by default in extension.json.
Dreamy_Jazz added a parent task: T361197: Write to the cu_useragent table and agent_id columns on by default in extension.json.Mar 28 2024, 10:02 AM
Dreamy_Jazz removed a project: Epic.Mar 28 2024, 10:05 AM
Dreamy_Jazz removed a parent task: T361139: Normalise the user agent column in CheckUser result tables.Mar 28 2024, 10:30 AM
Dreamy_Jazz closed subtask T359560: Create the CheckUserDataPruner service as Declined.Aug 20 2024, 4:48 PM
Dreamy_Jazz removed a subtask: T359560: Create the CheckUserDataPruner service.
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Aug 6 2025, 12:24 PM
Dreamy_Jazz added a project: Trust and Safety Product Sprint.Aug 6 2025, 12:43 PM
Dreamy_Jazz moved this task from Backlog to Maintenance to triage on the Trust and Safety Product Sprint board.
Dreamy_Jazz set the point value for this task to 1.Aug 11 2025, 2:13 PM
OKryva-WMF added a project: Essential-Work.Aug 14 2025, 10:03 AM
OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust and Safety Product Sprint.Sep 26 2025, 12:56 PM
OKryva-WMF moved this task from Inbox to Next sprint on the Product Safety and Integrity board.Sep 26 2025, 12:57 PM
OKryva-WMF removed a project: Trust and Safety Product Team.Oct 10 2025, 9:54 AM
Dreamy_Jazz moved this task from Next sprint to Essential Work Sprint (Dec 15th - Jan 9th) on the Product Safety and Integrity board.Nov 19 2025, 12:40 PM
Dreamy_Jazz edited projects, added Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)); removed Product Safety and Integrity.
OKryva-WMF moved this task from Backlog to Ready on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.Dec 15 2025, 2:18 PM
mszwarc closed subtask T361173: Add schema migration config for cu_useragent table as Resolved.Dec 17 2025, 1:39 PM
Dreamy_Jazz claimed this task.Dec 18 2025, 5:24 PM
Dreamy_Jazz moved this task from Ready to In progress on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.
Dreamy_Jazz added a subscriber: Ladsgroup.Dec 18 2025, 6:19 PM

Having investigated the first option I think that seems unlikely to be reliable enough:

  • If a replica read gets the ID that is being currently purged, it use that in a new row even though it has been purged
    • Reading the ID from the primary DB doesn't solve this (without locks) because the transaction for purging may run the check first and then commit after the reference was fetched by a different primary DB connection
  • While only touching primary keys that are in the 1% of smallest primary keys should significantly reduce the chance of that happening, it feels like that doesn't really solve the problem
  • Additionally, doing the delete and then checking for uses after replication also won't be 100% reliable because the replica being checked may not be the one that is the furthest behind in terms of replication lag

I think the only safe approach here is to create a new column in cu_useragent which stores the date the row was deleted:

  • Tthis could be an integer field as it could store the integer 20251217 which is parsed as a date but stored as an integer to save on space, given that we don't need too much accuracy in the deleted timestamp
  • When row has been deleted for over a day (or a smaller supported interval of time if the field is a timestamp field), a new check can be made to ensure that it's not referenced anywhere and then the code can either delete it for real or undo the deletion

@Ladsgroup does the above sound okay? I know you suggested a 99% deletion but I am concerned that this wouldn't be reliable enough? Are there examples of where this is used elsewhere in MediaWiki while ensuring data is never lost?

Ladsgroup added a comment.Dec 19 2025, 1:38 AM

Adding an extra column will add a lot of complexity that'll be hard to maintain. We do a lot of purging and clean ups and we never do something like that. Do you have numbers on why 99% is not reliable enough? You can also run some queries to see what value would be the most reliable (maybe 98%). We use that 99% in PruneUnusedLinkTargetRows already with no issues. Wikibase also has a job to clean up target when it becomes orphan which has been working reliably for around half a decade: https://github.com/wikimedia/mediawiki-extensions-Wikibase/blob/master/lib/includes/Store/Sql/Terms/CleanTermsIfUnusedJob.php on top of that, even if we lose pointers to let's say one edit a month, would that be really bad? I don't think so. Most actions won't (and shouldn't) be checked by a CU. We call that error budget: https://sre.google/sre-book/embracing-risk/

MohammedSGomaa awarded a token.Dec 19 2025, 6:46 AM
Dreamy_Jazz added a comment.Dec 19 2025, 10:14 AM
In T361172#11474998, @Ladsgroup wrote:

Adding an extra column will add a lot of complexity that'll be hard to maintain. We do a lot of purging and clean ups and we never do something like that. Do you have numbers on why 99% is not reliable enough? You can also run some queries to see what value would be the most reliable (maybe 98%). We use that 99% in PruneUnusedLinkTargetRows already with no issues. Wikibase also has a job to clean up target when it becomes orphan which has been working reliably for around half a decade: https://github.com/wikimedia/mediawiki-extensions-Wikibase/blob/master/lib/includes/Store/Sql/Terms/CleanTermsIfUnusedJob.php on top of that, even if we lose pointers to let's say one edit a month, would that be really bad? I don't think so. Most actions won't (and shouldn't) be checked by a CU. We call that error budget: https://sre.google/sre-book/embracing-risk/

My concern was primarily from the point of loosing pointers, but I guess you are right about this being within a reasonable error budget. Thanks for the comments.

I'll look at PruneUnusedLinkTargetRows and use that. Thanks

gerritbot added a comment.Jan 5 2026, 3:36 PM

Change #1223208 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [WIP] Prune rows from cu_useragent

https://gerrit.wikimedia.org/r/1223208

gerritbot added a project: Patch-For-Review.Jan 5 2026, 3:36 PM
Dreamy_Jazz moved this task from In progress to Needs review on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.Jan 5 2026, 6:34 PM
gerritbot added a comment.Jan 7 2026, 12:55 PM

Change #1223208 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Prune rows from cu_useragent in purgeOldData.php

https://gerrit.wikimedia.org/r/1223208

Dreamy_Jazz moved this task from Needs review to Needs QA on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.Jan 7 2026, 12:56 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 7 2026, 1:31 PM
Dreamy_Jazz closed this task as Resolved.Jan 19 2026, 4:22 PM
Dreamy_Jazz moved this task from Needs QA to Done on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.

I will verify this later

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits