Give the `abusefilter-access-protected-vars` right to global maintainers
Closed, Resolved (Public)

Description

We've decided to give the right to global maintainers for the pilot wiki deploys. See acceptance criteria.


(historical)

As part of the temporary accounts rollout, IPs are now considered PII and access to them is limited. In AbuseFilter, they're considered a protected variable (user_unnamed_ip) and require the abusefilter-access-protected-vars to see and use. As of writing, no one has this right which means no one can use user_unnamed_ip. We (presumably in consultation with Legal and the community) need to decide who gets this right.

A few notes:

Acceptance criteria:

  • sysop has the rights needed to use/see protected variables
  • abusefilter-maintainer has the rights needed to use/see protected variables

Event Timeline

Tchanders changed the task status from Open to Stalled. (Jul 9 2024, 10:36 AM)
Tchanders added subscribers: Madalina, Tchanders.

Stalled on legal conversations. FAO @Madalina

Tentatively, perhaps we should only give this right to the sysop group at the moment? We had a discussion at our last check-in meeting and as far as any of us knows, there's no other standard group cross-wikis that meet the minimum reqs and should also presumptively have this right.

> Tentatively, perhaps we should only give this right to the sysop group at the moment? We had a discussion at our last check-in meeting and as far as any of us knows, there's no other standard group cross-wikis that meet the minimum reqs and should also presumptively have this right.

If we do give this to sysop, we will need to ensure that they have checked the preference to view temporary account IPs for at least just the user_unnamed_ip variable.

Remaining work here is a config change to assign the right to sysop on wikis in pilot wiki deployment list.

Change #1080244 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/AbuseFilter@master] Give the sysop group protected vars access rights

https://gerrit.wikimedia.org/r/1080244

Per Legal:

Discussed on Oct 8 check-in call that this is data they already have, and is covered by the current policy, so if this raises no new risks, it's fine from a legal perspective to give global abuse filter maintainers access to IPs as protected vars for abusefilter purposes.

So we should also give this right to abusefilter-maintainer

Change #1080250 had a related patch set uploaded (by STran; author: STran):

[operations/mediawiki-config@master] Give the `abusefilter-maintainer` group protected vars access

https://gerrit.wikimedia.org/r/1080250

@Urbanecm I saw your comment on another task about manually adding a global permission. Does this apply to giving abusefilter-maintainer the abusefilter-access-protected-vars right? I did it in a config but can obviously easily not if that's not the correct practice.

Thanks for the ping @STran! Sort of :). It does, but after we cleared adding abusefilter-access-protected-vars to AbuseFilter maintainers in the check-in, I immediately applied the change. You can see the right is already assigned at https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions.

We still need to properly assign (global) access to logs, at least to stewards and ombuds, presumably also staff (the same as for checkuser-log). I can do that on-wiki, but it requires https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1080244 to be deployed (to be more precise: it requires AvailableRights to contain the right one wants to assign).

Does this clarify?

> So we should also give this right to abusefilter-maintainer

Could this mean that Edit filter managers and Edit filter helpers on enwiki might also get access to this?

> Change #1080250 had a related patch set uploaded (by STran; author: STran):
>
> [operations/mediawiki-config@master] Give the `abusefilter-maintainer` group protected vars access
>
> https://gerrit.wikimedia.org/r/1080250

I'm a bit confused by this MR. In the task description it is mentioned that sysops should have access to the variables, but this removes the right from sysops and assigns it to checkuser. What's the final list of local users who will have access to these variables?

> Does this clarify?

Yes thank you!


> Could this mean that Edit filter managers and Edit filter helpers on enwiki might also get access to this?

I don't have an answer but could get one. Is this something that's needed/wanted sooner rather than later? So far we want to enable it to the most limited group we can (sysops and global maintainers) to help with the needed filter migrations in preparation for the minor pilots deploy but I assume that we'll have to expand access as temporary accounts continues to deploy. At this point, I'm not sure enwiki is affected as temporary accounts won't be enabled there for some time and iirc, global filters don't apply to enwiki (sorry if I've misremembered this)?


> I'm a bit confused by this MR. In the task description it is mentioned that sysops should have access to the variables, but this removes the right from sysops and assigns it to checkuser.

There are 2 rights associated with protected variables, abusefilter-access-protected-vars which allows using and viewing protected variables in filters and logs generated by filters, and abusefilter-protected-vars-log which gates access to the audit/usage logs of when someone views information around protected variables. The latter is the right being re-assigned to checkuser as it's matching the permissions around checkuser-temporary-account-log. The right to use the variables is still being assigned to sysop here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1080244.

> What's the final list of local users who will have access to these variables?

sysop and abusefilter-maintainer should be able to use the variables in filters and see hits on the filters that have protected variables. checkuser should be able to see the audit/usage logs.

Per Martin, stewards, ombuds, and possibly staff will end up with this right as well (I was not part of this Legal discussion).

> Is this something that's needed/wanted sooner rather than later?

Probably not, but it's something to keep in mind for when temporary accounts come to enwiki.

> global filters don't apply to enwiki

True, but there's some overlap, as some local filters target the same LTAs.

Change #1080250 merged by jenkins-bot:

[operations/mediawiki-config@master] Apply wmf-specific protected vars rights access

https://gerrit.wikimedia.org/r/1080250

Mentioned in SAL (#wikimedia-operations) [2024-10-21T13:41:21Z] <stran@deploy2002> Started scap sync-world: Backport for [[gerrit:1080250|Apply wmf-specific protected vars rights access (T369610)]]

Mentioned in SAL (#wikimedia-operations) [2024-10-21T13:43:28Z] <stran@deploy2002> stran: Backport for [[gerrit:1080250|Apply wmf-specific protected vars rights access (T369610)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2024-10-21T13:50:15Z] <stran@deploy2002> Finished scap sync-world: Backport for [[gerrit:1080250|Apply wmf-specific protected vars rights access (T369610)]] (duration: 08m 53s)

Change #1080244 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Give the sysop group protected vars access rights

https://gerrit.wikimedia.org/r/1080244

(Not sure if this is ready for QA, so moving back to Ready as there are no longer any patches to review).

sysop on meta now has the right as of the .28 rollout and global groups also have the right already. I think this can now be moved to QA.

> Probably not, but it's something to keep in mind for when temporary accounts come to enwiki.

Yes I think we'll have this discussion as we deploy to wikis which have larger moderation teams.

STran renamed this task from Decide who gets the `abusefilter-access-protected-vars` right to Give the `abusefilter-access-protected-vars` right to global maintainers. (Oct 25 2024, 7:03 AM)
STran updated the task description.
dom_walden subscribed.

On testwiki:

  • sysop has abusefilter-access-protected-vars but does not have abusefilter-protected-vars-log
  • checkuser has abusefilter-protected-vars-log but does not have abusefilter-access-protected-vars
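
The QA check above can be repeated as an automated audit of a wiki's local group rights. The following is an added example, not part of the task or of the AbuseFilter code: it parses a response in the shape returned by the MediaWiki API query `action=query&meta=siteinfo&siprop=usergroups` and reports any local group that deviates from the split described in this thread. The sample response is constructed, and the `bureaucrat` entry in it is a made-up drift case; global groups such as abusefilter-maintainer are assigned through Special:GlobalGroupPermissions and are not covered by this local check.

```python
import json

ACCESS = "abusefilter-access-protected-vars"   # use/view protected variables
LOG = "abusefilter-protected-vars-log"         # view the audit/usage log

# Expected local holders of each right, as stated in the thread.
EXPECTED = {ACCESS: {"sysop"}, LOG: {"checkuser"}}

# Constructed sample of a siteinfo "usergroups" response (not real wiki data).
SAMPLE = json.loads("""
{"query": {"usergroups": [
  {"name": "*", "rights": ["read", "abusefilter-view"]},
  {"name": "sysop", "rights": ["block", "abusefilter-access-protected-vars"]},
  {"name": "checkuser", "rights": ["checkuser", "abusefilter-protected-vars-log"]},
  {"name": "bureaucrat", "rights": ["userrights", "abusefilter-protected-vars-log"]}
]}}
""")


def holders(siteinfo):
    """Map each tracked right to the set of local groups that hold it."""
    found = {right: set() for right in EXPECTED}
    for group in siteinfo["query"]["usergroups"]:
        for right in group.get("rights", []):
            if right in found:
                found[right].add(group["name"])
    return found


def audit(siteinfo):
    """Return (right, group, problem) findings; an empty list means no drift."""
    found = holders(siteinfo)
    findings = []
    for right, groups in found.items():
        for name in sorted(groups - EXPECTED[right]):
            findings.append((right, name, "unexpected"))
        for name in sorted(EXPECTED[right] - groups):
            findings.append((right, name, "missing"))
    # A group that can both read protected variables and read the log of who
    # read them defeats the split between sysop and checkuser.
    for name in sorted(found[ACCESS] & found[LOG]):
        findings.append(("both", name, "separation-of-duties"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
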

@STran WP:EFN#Protected filters might be of interest to you.

Thanks for the ping, @1AmNobody24. There is some follow-up to items mentioned in that thread in T377765: Do not allow protecting abuse filters if PII variables are not used, along with a few other tasks mentioned in T377765.