wikitech self-auth: Allow wikitech to use its own internal authentication
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	jijiki
	Aug 1 2024, 10:52 AM

Description

Before connecting wikitech to CentralAuth, there will be a limited period of time where Wikitech will authenticate its own users, ie its database. Wikitech Users will have to reset their password, as we have no way of migrating the ldap passwords to wikitech.

Requirements:

T359820: Developer Account Blocking: Migrate the one-stop Developer (un)Blocking from Wikitech to Bitu
T359551: Replace wikitech as source of two-factor auth protection for developer accounts
T359590: Use IDP for authentication in Horizon
T359554: Use IDP for authentication in Striker
Wikitech is completely separated from Bitu
ldap module has been removed

Between this step and T161859, Wikimedia Developers will have three accounts:

their Developer Account which is stored in LDAP and accessed/modified via CAS and Bitu
their temporary Wikitech internal account, stored in Wikitech's own database
their SUL account

After T161859, Wikimedia Developers will have 2 accounts: SUL and LDAP.

Open questions:

Shall we disable user creation during wikitech self-auth?
How long do we estimate it will take to go from self-auth to CentralAuth?

Deadline: September 16th 2024, as has been communicated to users.

How?
In theory, with the ldap module not being present, wikitech will fallback to self-auth

Details

Other Assignee: jijiki

Related Objects
Search...

Status	Assigned	Task
Open	None	T375217 Complete upgrading WMCS bare metal hosts from Bullseye to Bookworm
Open	None	T376277 Reimage eqiad cloudweb hosts to bookworm
Open	None	T189531 All Wikimedia developer services should use single sign-on
In Progress	None	T161859 Make Wikitech an SUL wiki
In Progress	None	T290536 Serve production traffic via Kubernetes
In Progress	jijiki	T292707 ☂ Migrate Wikitech to Kubernetes
Resolved	taavi	T375950 fold contentadmin group to sysop in Wikitech
Resolved	Ladsgroup	T371588 wikitech self-auth: Allow wikitech to use its own internal authentication
Resolved	jijiki	T371592 LdapAuthentication: Disable extension from Wikitech
Resolved	SLyngshede-WMF	T359820 Developer Account Blocking: Migrate the one-stop Developer (un)Blocking from Wikitech to Bitu
Resolved	SLyngshede-WMF	T376991 Publically available log of blocked/unblocked accounts.
Open	SLyngshede-WMF	T380704 Block/unblock account feature request

Event Timeline

jijiki created this task.Aug 1 2024, 10:52 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 1 2024, 10:52 AM

jijiki added a parent task: T292707: ☂ Migrate Wikitech to Kubernetes.Aug 1 2024, 10:53 AM

jijiki renamed this task from Allow wikitech to use its own internal authentication - wikitech self-auth to wikitech self-auth: Allow wikitech to use its own internal authentication.Aug 1 2024, 11:12 AM

jijiki triaged this task as High priority.

jijiki updated the task description. (Show Details)

jijiki added a project: serviceops.Aug 1 2024, 11:29 AM

jijiki added a subscriber: akosiaris.

jijiki assigned this task to Ladsgroup.Aug 1 2024, 1:37 PM

jijiki updated Other Assignee, added: jijiki.

• bd808 updated the task description. (Show Details)Aug 13 2024, 8:09 PM

• bd808 mentioned this in T371592: LdapAuthentication: Disable extension from Wikitech.Aug 21 2024, 6:17 PM

• bd808 added a parent task: T375950: fold contentadmin group to sysop in Wikitech.Sep 30 2024, 4:10 PM

jijiki closed subtask T371592: LdapAuthentication: Disable extension from Wikitech as Resolved.Oct 1 2024, 12:43 PM