
toolsadmin.wikimedia.org login fails because of missing OAuth grant at Wikitech
Closed, Resolved · Public · BUG REPORT

Event Timeline

Created new grant at https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/b79c42dc7b90712aaeb8541efb587c88.

Put secrets in mwmaint2002.codfw.wmnet:/home/bd808/striker-sul-oauth-secrets.txt so that @taavi can transfer them to profile::wmcs::striker::docker::instances_secret_env in the private repo.

'The authorization headers in your request are for a user that does not exist here' -- The StrikerBot account on Wikitech needs to be attached to the SUL StrikerBot account I think.

Done via https://wikitech.wikimedia.org/wiki/Special:MergeAccount

mwclient.errors.APIError: ('permissiondenied', "You don't have permission to check OATH status.", None) happening now because I foolishly thought that would not be a hard error. I could hack the grant in the database, but it is probably a better idea to turn off OATH (TOTP 2FA) checking in Striker.

I hacked the grant in the database, but the API is still claiming that StrikerBot does not have the rights needed. I will try toggling the user right off and on again at Wikitech to see if that shakes loose some cached data somewhere.

Still getting mwclient.errors.APIError: ('permissiondenied', "You don't have permission to check OATH status.", None). I'm going to step away to eat lunch and maybe things will look different when I return either because a cache entry has expired somewhere or because my newly refueled brain will see the problem more clearly.

Still no joy. I think that ripping out the OATH check on the Striker side is probably the best thing to work on next.

Change #1077091 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[labs/striker@master] auth: Disable OATH (2FA) checking

https://gerrit.wikimedia.org/r/1077091

Change #1077091 merged by jenkins-bot:

[labs/striker@master] auth: Disable OATH (2FA) checking

https://gerrit.wikimedia.org/r/1077091

Change #1077095 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/puppet@production] hieradata: Bump striker-tools to 2024-10-01-204613-production

https://gerrit.wikimedia.org/r/1077095

Change #1077095 merged by Ladsgroup:

[operations/puppet@production] hieradata: Bump striker-tools to 2024-10-01-204613-production

https://gerrit.wikimedia.org/r/1077095

bd808 claimed this task.

Logins work again. The changes:

  • Attached Wikitech StrikerBot account to SUL
  • Generated new OAuth grant
  • Updated credentials
  • Hacked OATH checking out of Striker workflows by hardcoding return False for the OATH enabled check

Change #1077444 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/striker@master] auth: Properly remove OATHAuth support

https://gerrit.wikimedia.org/r/1077444

Change #1077444 merged by jenkins-bot:

[labs/striker@master] auth: Properly remove 2FA support

https://gerrit.wikimedia.org/r/1077444