openstack: wmfkeystonehooks: project ids rather than names are being used in LDAP group creation
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To

Authored By

	bd808
	Nov 4 2024, 10:27 PM

Description

[21:51]  <physikerwelt> !log wikiqlever start setting up puppet master following https://wikitech.wikimedia.org/wiki/Help:Project_puppetserver
[21:51]  < stashbot> physikerwelt: Unknown project "wikiqlever"

Stashbot uses an LDAP lookup to determine what project names are valid for a !log message in the #wikimedia-cloud IRC channel. This lookup is functionally something like:

$ ldapsearch -xLLL -P 3 -E pr=5000/noprompt -o ldif-wrap=no -b "ou=projects,dc=wikimedia,dc=org" "(objectclass=groupofnames)" cn | grep cn:
cn: testlabs
cn: wikistats
cn: bastion
cn: huggle
cn: sugarcrm
cn: globaleducation
cn: search
cn: deployment-prep
cn: nginx
cn: dumps
cn: maps
cn: varnish
cn: swift
cn: wikidata-dev
cn: packaging
cn: opengrok
cn: analytics
cn: visualeditor
cn: mwreview
cn: signwriting
cn: integration
cn: cvn
cn: conventionextension
cn: glam
cn: account-creation-assistance
cn: utrs
cn: cvresearch
cn: project-proxy
cn: openid
cn: oxygenguide
cn: tools
cn: math
cn: toolsbeta
cn: language
cn: logstash
cn: dwl
cn: netflow
cn: collection-alt-renderer
cn: pubsubhubbub
cn: fastcci
cn: uploadwizard-osm-embedding
cn: megacron
cn: mediawiki-core-team
cn: wikidumpparse
cn: persistence
cn: security-tools
cn: mediawiki-verp
cn: osmit
cn: wildcat
cn: full-text-reference-tool
cn: extdist
cn: quarry
cn: safesandbox
cn: structured-wikiquote
cn: wlmjurytool
cn: fatg
cn: revscoring
cn: video
cn: wikidata-query
cn: ircnotifier
cn: mwoffliner
cn: wikidata-quality
cn: xtools
cn: shiny-r
cn: wikispy
cn: marathon
cn: developer-doc
cn: fundraising
cn: mobile-smoketests
cn: ve-languagetool
cn: rcm
cn: reading-smoketest
cn: reading-web-staging
cn: fa-wp
cn: metamorphosis
cn: jitsi
cn: wikilabels
cn: marathon-eval
cn: k8s-flannel
cn: zulip
cn: popcorn
cn: admin
cn: library-upgrader
cn: mattermost
cn: encryptallthethings
cn: commtech
cn: mdc
cn: mdc-west
cn: mdc-east
cn: twl
cn: salt
cn: mediawiki-vagrant
cn: dashiki
cn: wmve-techteam
cn: ifttt
cn: tool-renewal
cn: discourse
cn: authmanager
cn: paws
cn: mwv-apt
cn: wikitextexp
cn: cuos
cn: petscan
cn: wmflabsdotorg
cn: cyberbot
cn: redirects
cn: codereview
cn: google-api-proxy
cn: matrix
cn: striker
cn: wikidocumentaries
cn: recommendation-api
cn: automation-framework
cn: wikiapiary
cn: etytree
cn: wikispeech
cn: admin-monitoring
cn: wm-bot
cn: incubator
cn: traffic
cn: pluggableauth
cn: suggestbot
cn: webperf
cn: iiab
cn: download
cn: mwstake
cn: aborrero-test
cn: codesearch
cn: wmde-dashboards
cn: wmf-research-tools
cn: wcdo
cn: wikibase-registry
cn: clouddb-services
cn: puppet-diffs
cn: logging
cn: hashtags
cn: cloudinfra
cn: mix-n-match
cn: eventmetrics
cn: k8splay
cn: soweego
cn: videowiki
cn: wikidata-history-query-service
cn: lta-tracker
cn: wikilink
cn: gratitude
cn: sso
cn: huwiki-dev
cn: linkwatcher
cn: wikispore
cn: devtools
cn: centralnotice-staging
cn: ocrtoy
cn: wikisource
cn: videocuttool
cn: entity-detection
cn: cloudvirt-canary
cn: metricsinfra
cn: sre-sandbox
cn: mailman
cn: gitlab-test
cn: wikicommunityhealth
cn: toolhub
cn: wikipathways
cn: maps-experiments
cn: pki
cn: research-collaborations-api
cn: auditlogging
cn: wmcz-stats
cn: spi-tools
cn: commons-corruption-checker
cn: puppet-dev
cn: image-suggestion-api
cn: schematreerecommender
cn: trove
cn: gitlab-runners
cn: masz
cn: wikicite
cn: wikisp
cn: fr-tech-dev
cn: wikiwho
cn: cloudinfra-nfs
cn: mwcli
cn: machine-learning
cn: capacity-exchange
cn: ldap-dev
cn: devportal
cn: qrank
cn: teyora
cn: owidm
cn: wmdeanalytics
cn: wmf-dumps-playground
cn: wmcs-uptime
cn: wikidata-reconciliation
cn: onfire
cn: wlm-it-visual
cn: procbot
cn: terraform
cn: text-to-speech
cn: appservers
cn: service
cn: idm-dev
cn: isa
cn: glams
cn: netops-clab
cn: wikifunctions
cn: glamwikidashboard
cn: baglama2
cn: vuessr
cn: statanalyser
cn: checkuser-beta-wiki
cn: spacemedia
cn: policy-test-project
cn: dump-references-processor
cn: duct
cn: superset
cn: civicrm-prototype
cn: citefix
cn: imagebulk
cn: lutz
cn: media-streaming
cn: wikimania-mautic
cn: tf-infra-test
cn: hoiscript
cn: mariadbtest
cn: canasta2_test
cn: rook-test
cn: copypatrol
cn: catalyst-qte
cn: impactvisualizer
cn: catalyst
cn: foundationmemory
cn: devel-stats
cn: tofu
cn: adiutor
cn: t353829test8
cn: t353829test9
cn: openvas
cn: mdwikioffline
cn: discordbots
cn: ipoidopensearch
cn: pixel
cn: pm20database
cn: o11y
cn: imagehash
cn: bub2
cn: ajapaik
cn: huma
cn: tofuinfratest
cn: c5760e1b213b499e827b4d0ce5bb5e01
cn: 933ad3ff1e264aada56e6bc3ed9e08f3
cn: 236ea332da3c4aa8996fca936b003f5b
cn: 02aa75a939a4435bb021a2ee65cb1a98
cn: 4a205184ed974459a28b1bdc82a5c21e
cn: 5d22447bf1fa4d069e5fb1e5a3b05842
cn: 1439e7954b36469bbaa2f70e514030be
cn: ec6ed2901efe489b89e78717fdd77cbf
cn: b7ee9e1d73e0487b99a429729df2457c
cn: 3210c37636894aaa816e5bd15b8c5a7b
cn: 90d8dc7cee1343c681e1be6c5b5b8dd5
cn: 8267507e9cf34559a1d88a5afea89b1e
cn: a5c2eb47e100483eb72366b085510828
cn: 0a143509d4f34609890123b687ad83e9
cn: ef91dc1f657946749991b75ab1da149d
cn: ad96d355db944851a5188fd09637caf3
cn: 55e26b7c55854c0e93bab46d2e36cb53
cn: 03636f35a02c40e283a1fbd520f49cc4
cn: 9069d715893647f68a0b40364250afd3
cn: d933aa27f4b043e3ac4a48e74b1fc3cb
cn: d74aa1b5f4164681a94f50ae3bcde78c
cn: 11ae765e80c44a87b0f6a017c4f67e6d
cn: 5b9474be37384269a3c4e0e17935184c
cn: adda09a3a2324f72b87a393224e153e7
cn: 058face8034a433fabf44c6875d0df3a
cn: 6b6bf2bd986c4624a6b36946df84083c
cn: 5d49516f6b654174b698231a89e2c726
cn: 19796ee54fc1456dbba584ee14b28956
cn: 027027bbc499497681d0f0f54665e1a1
cn: 5cb266569ea449eab483a694e36b390f
cn: 2a742c809e524afa9dfcd75c1ff2a024
cn: b1551e52e0e944cd985ab8b7e14a2f32
cn: c264f081777148f2814e180ebf293fbb
cn: 2e85e52ba55246a7997bbd34418b2be4
cn: 20b8428bf5b24d64ab2b061cb902dfd6
cn: 46239e210cc74139b2a14e24eae65cd0
cn: ca62429453ad42208757183019844eed
cn: 52215e90fb58434b9ea94e537484b10f
cn: 4f653f2179844c419e24197079bdfc77
cn: 6a5639bc4e164a5189fa08a620d997b5
cn: 4ec11ba5527c4603b1a8bb6c3a40cd4b
cn: 3fd8321ccc834a7da4dd2e512ef50a46
cn: 97a292bf9ec942008cf6b0f3c2f1bab6
cn: 77a8fecba0a4496aa93a1eb6ad235a5c
cn: 5a1cf0eb2c3b47b68a75d12271408cb8
cn: 0913689f9e394b8397d416688e2cd654
cn: bd251a97f9674c0b891e5eea4c2d2dc2
cn: ae2a2be646be4f399b12023e50e95a49
cn: 4f04719ed51541c38f79036038060c01
cn: 2fd1cd9cdd734274917587dab444da41
cn: d80b930799c64f36a9b5ef76e6bd8e43
cn: 6e687213f8a04b31886270380e05d9e3
cn: 864e152ebc814314bd92ee5f1c506cef
cn: 4c442f7764a946f3abfbed69c95ca4ea
cn: 030cc289b722481398226d4f1cd1b912
cn: 63b8ec5483b64908b35c50e12da9e72f
cn: 614deca0832a429487aef57411fd30cb
cn: ecbabda9560b46588b71b70d1d0d9f5c
cn: ecd2d6482d2b4c708c156abb07899346
cn: 5e1875a7763545b890668fe7fb0dbb9b
cn: 53ab378791d7481b911d78028b8d0187
cn: a3d7244ccee540c089da34e039650e0b
cn: c44ed0989e264076bc87561aadb51b3c
cn: 43ebbe54d6a8402a8871b8103b546e87
cn: b0290784283c425eacd98e83db81d4ad
cn: 1eedddd9ec1f43aa8e0acbaa4a5175aa
cn: adbfb42a735f428396c75cee24429962
cn: 681b135bf1534692b5693d66da8158f1
cn: e29215f4847c462daf23b997059e8ffd
cn: c4d429df7b4e45cdbd865a1dd7ca03cc
cn: 1e3190d351e84732a4e6d7eddcda452c
cn: b793d2950d444d209f854f60e259e432
cn: ef9a75759a174a4cafd35a7c3b052026
cn: 4bcc7b077e03456fa26ec6743ddd3a81
cn: 0e8b3ab9b21847e8b51da18aa00f2882
cn: e386a3e6a03d4f34a02146dc6c2cbf6a
cn: 08695a5f93e344379032fca2caf6d2eb
cn: e443dbb55683477dabcf91760d071fbd
cn: bd9292f34bf14e06b562693bdc8d0f64
cn: e1e4c5cc812045f7bf2b65385f234066
cn: bf615ddc1eaa427ebba3f2bd8a170cae
cn: b1b201c6de884d15aed32305499ee4a6
cn: b2cd9fdd314148a992898235cf9b44f1
cn: 188775cb6e0e4a788c0c83ddcc4cfcb5
cn: 7db401e754434c46a85a856f0a46ead8
cn: 6f5dcbfdc64c44ce8472d7d4e82200ba
cn: a6b1ec4e249d46f181a57aeda70e1213
cn: c5260c1a457645c499499b841359450c
cn: ab94c5c876fc41a99d3f8274b54c176d
cn: 8beba0047ded429f8c327d25ebccd56b
cn: 20cfd6f217384e65bce59235f620e1bc
cn: 98ec443c86354e1faa1a6e85537e9212
cn: bf7d5fa286264e68ba2f13cd4c5bb18d
cn: 4e880633880749a380445dff94acee08
cn: 61afe7db91bf48bb87cee67013a743cd
cn: 05d56814982045dca8cd86396ceb86dd
cn: adbec7b4bce3493f94584880cf64e0d4
cn: 12d4caba47ff40e79235c3f8ded22bf3
cn: 188bd2b9141b40b2a47d4d889994f20b
cn: 20a4b3835fd1478f99c4e578620889f3
cn: a90b6817fc4544df9c6ec003180d88b2
cn: e9faacd088f14a3f88e46ad20b001ea6
cn: bfce2ea081eb48c3aeab063c4c5be1c2
cn: f0f02c27e874442596ecf88b1524c076
cn: b9b762d02010496f8aac241040c4b3f6
cn: eff6ad9660b24620aead0334ae93a68e
cn: 17ae8ab72fa04983aafeda118a0d3ccc
cn: 41140a7f2f5d464f919cf69c8964b79f
cn: 6f5188044bd54374b80e8708df936621
cn: 969709922e344168b5b3d5498684e8f3
cn: ca204ee6eff24b3c8b6dfaa3c7258951
cn: 00176f5b660a4903a2badd578a7b71bf
cn: 908050bf9187428c8d6faf281edc8534
cn: bf377b03add241c7821ac845f750e888
cn: 7cd95cae41e145dea0e402d2eedb133e
cn: 344e91d5f33c457385fc7c6ff21b8f93
cn: 28bc17cc83164d5397e596c67fffd5f3
cn: 3e599832de734386817e4dd805633ce0
cn: 7be8f6286b8c4e6590aa129698251008
cn: 5b71448186844ecd85e088db751405a2
cn: c9c4e5c1105e4bbaab0b9f5d5b2de862
cn: f9a7ae2725d54327919a1df61f251d3b
cn: 9b08f6dc50014712859d61d30b552ee4
cn: 0aa8629a16ae4f339c60b32d0daf9c43
cn: 38abd501dbbd4aa188f60ce5d5024de6
cn: 675d02a3344846919fd7fdee700b53a2
cn: ace66a5c1e8543cd9107bf18b7038d2e
cn: 2cfffe31cc2840c0a3771d7ff10796b5
cn: fc1b73046e93406382edc559247cc88a
cn: b20922481c1c4babb63188e1c7f33838
cn: b1a2ae60685b407eb6500fd84cba72e8
cn: 0c783b616da147c5b8760686c18899e7
cn: 070990a00a644599bfb8bc79ef2beb2f
cn: fa4b1b63d82f43bba7c58d298a5e311b
cn: 4260e282297740cebd3d5a110c231322
cn: d6561c38e5854088ae83f29ae76d887c
cn: ffee63a250004fe2a7e03f0f50bee4c6
cn: 77f00243c9bf4a3c8c8ba0002836ee88
cn: cef61053039347b2bd70e69eea258fe8
cn: a48ebd451dd24058b4fb2ff425934b38
cn: f48030f27c61498495f3566bfe60dd64
cn: f88865e2c8ab4e5bab5be6e034be35f5
cn: 842596eedf284fa09ec29dbe97f68873
cn: 4cb87340642246e5b7baa227bb89a401
cn: d35ee2f954c84dcfb4c49e0720709b58
cn: 71e9e74e0a3c491bae0bba31f3c6f4f4
cn: 4d5d5d07160e479ab1e1ca2d770f1a0d
cn: 1566f6f5184e42fba7b2f88b7c5746e7
cn: 2a6881d5f9f2432dac4beba19c1f6916
cn: d54584cafed44570a83c7f4d304b491a
cn: 26ce132cff5548a1bbd40945dfbe48c6
cn: 5c9ca172a1ca4d03947eceb661911239
cn: 207086ed59b84d42ab048d07d9a8c74c
cn: 706d2343a6c147bdbd8262add21cbd9d
cn: c286cfa2754e4a9c804b645d5f4eef3b
cn: 2481fbcd22d44fb7878bc14a40e5499a
cn: 0b2bbbd129e148148bf66c1660132ec5
cn: a6e6b41be3364245be5d34e03b9d4063
cn: 37cdbed019434711a15a437bca9274b4
cn: 0cf92875d3ad4653a722764d0bd05f74
cn: 85d116be4c1e4cb481956142bf7f212c
cn: 0f3f25f93db44ab2baac04064cf0e2f8
cn: 73d55fb70c3644f79c05aa008fdfd4d5
cn: 46c7d09f885e4ec4a197a50cc944de84
cn: e84b6b41c76f4b25ac4c7be7d1fffbc2
cn: 68f73fe3755f4b48ab4a1058a200929d
cn: f4a09355d08449398107739090834212
cn: dbf5ec0d1cc04cb3a050bb925fb2e072
cn: 0f691925c75b4f69ab38ee5e2066761b
cn: 6ef24b376b714891a297335ddb0c0906
cn: ab8f5cf2cc3f4159bd233890974051e5
cn: 9a2e7a704cf14e58b7cb587df048c895
cn: d7dd0caf86f64194bc003ecdd0bd0b3f
cn: 8712b503db3b4df7b2b4f32dac9dc65c
cn: 0ad2a13dfbb542609f8ae6ad5b4bc682
cn: dc580f31a84744b0a4a57f43d7b1d1f4
cn: 57388baaa2064e2d82402d490470003a
cn: 27fd97000a214a07bf28ebecd6d51795
cn: 2eb203a73da948a58c9819f58316be1a
cn: 899d46ff57b949aabc9ac4e0dc7cc42f
cn: a0e358b8f3144492b78fd8204f4347a1
cn: 8ce3a984621a41528c82af996a5a649f
cn: 40538b336c1042abb38d4004847a6cdc
cn: 710aa9fbce664fdf9e194e90972e41dc
cn: bf178f91d0d142d58c1e64d5d199ce08
cn: e96a16992f7241f1b7b34f2b9cc7203c
cn: 14a13a1a50bc46d88c78ddb60b2ab154
cn: b120324e8f404ed291abd587564ac5c7
cn: aeff0dfe22bc472784a7cae081a73dc0
cn: 3028a37c165e4aa8a401435c30a0e648
cn: 17c25b3883204344bc82c59787a0288e
cn: 2f897c48689a4931bbda72257d43513d
cn: 894be548dded4f82a2e2815f90d4ae2e
cn: 3f8efa3aa2884a6d8708a49914535847
cn: 76a212cc5b7247d3a13302720af6b3d8
cn: 3ec0e603f2814872884368b0f33eaeb4
cn: 2fafef2859894f98985db5299dbd91b7
cn: 2dc13161339f4f1da6534661d2372010
cn: 8e3ede7415e64517a32074d4f0cecc8c
cn: a9165aff460e4f7a9010b80922922c01
cn: de53db9aaccb4643bdb3b27ad5cc5e02
cn: 0d3b4dfd96944754b9a93934731de0ed
cn: 6602c816efac42888bfb273b7a05abc2
cn: 195fd380a9d344ec8a359a400a8f0919
cn: e816d52c2e60499cba680cbf50b92539
cn: 69b654786d464521b8d20af296453426
cn: 93c80d5e8a924e82985c044f45df3f3e
cn: f23412f773414d749087f502e1c0b44a
cn: 55f39a9f341445beb6c99e233139fe43
cn: d0e5b01429c44902a0744246e7ed2f4e
cn: 018857e3c7a041a4bdaab00b642dea69
cn: 1b93ad2693dc4a689d7363a3b28aa8f5
cn: 946783bb82374f1eb3f8ab9155c90a04
cn: f132dd17a89d4887b8bec9164493c3a6
cn: 36335bca0e71408d815490e1f414d5f6
cn: 81abe6adc4994397bcace3fc0e83eea5
cn: 9bb11342d8b74532805f3bb8a75cf4a5
cn: 4df0f5ff6a3f430e8bdcadd5698c80eb
cn: fe4fe60c1f2946948755afcb48d703ac
cn: d3a02c1279a14a97872561b81a228ca6
cn: 273f0595ef77483994ba3b57f7934fcd
cn: 8ab427719785447bbe925c9654886e24
cn: 2090ffbf74ee4bbfa96d387055ca69c1
cn: 5a6c81b41d6f4f3bbe7c035bfc8be878
cn: 18a3b2f995004cd9a8d056ee2e61e5cf
cn: a879b327956146939dfb2b3be1ad1865
cn: 7d8e756043e14875aec684ef870e0bda
cn: 38a4c297892e4cc3bdbeb4c57f7cd266
cn: af7dfa2af7b94bfd9ee418f5a6fc6328
cn: a5eff25f2fc74f54a0c8b6040ae80402
cn: 0d2d2a63339f47cfaf2a4b4011202b4c
cn: 36ca26b77aa5469d8652177ef14f77c1
cn: f2ba4b9042324f5aa523e3a9a88036cf
cn: 72076edde54b440189041b78c84accb6
cn: a463e0593e22439bb4c36ab48034341b
cn: e885a7943a68415c8d25f78db9df5aa7
cn: 05baa14334bf469ebb69d4c5b37af604
cn: ab03882c8b834c9eb0b4b68d6531c135
cn: d90e613f1634428b84ed4ce2b49207a0
cn: cc5f197a3a9649d0be01427cb5baff9c
cn: 4cedee6b478142eda46b51da29e93b2c
cn: 74eef349f5f64589a639712167c9f1bb
cn: 747c650e7aa44a03b4466c756e7bc4fc
cn: 3bfee9c3b56b42de834764d38c4abaf2
cn: c0b30085080849c9a96f92381f0fc501
cn: 1ed14537c376484a91e2244114ca10fc
cn: 915c4e7f157042468ed39ed8860ebf6d
cn: 86e05e2d8d8e4551a0d50888b1dcd76e
cn: 218cf82de8814d4986b3244e5a2a8ee7
cn: 2c54504f668048e5ad30a4200c28f6ca
cn: 7209100e0e744a4fbdf447534d4eb825
cn: 416f6db46b87431b87f986d9b19ef9bd
cn: f0b2f9574ac24fb18c88719232bfb686
cn: fc8a6146ccfe4e47988ecd6e4149217b
cn: 08e9414ab0164c158b15214590ce1495
cn: 00cde70dfd924926afe2ec8bbfc9db2b
cn: b42895eb2cfa4f659e58f9533e7371da
cn: 6aec7b0408e34aa886fe1f9bb71ea51a
cn: 9192554c89bb44c5a33aa2e8196131e0
cn: 1ad5937fc9194bfbb7b92c8c5e0b01d8
cn: fbd078c2c7dc49968d985309e5701815
cn: 7999bfe212494291b8010621a05440fa
cn: c488f2b1bf2240e6bf75e26530fce1df
cn: d33ee26e085c40d5bb973b08462175dc
cn: 2bf2a27822254126bc705754d34b37dd
cn: 6dde7f3225fa4fffa9cdac88896eab89
cn: f57a2804cdd847bb8e0ea72233ddb82b
cn: e46b5d6dafae4e959570de0ea6266307
cn: 0d86628001ea4ebb806c1c936a9068b8
cn: b2f39e438a874095a07905a921dc44d9
cn: 8ac930d9a1994aa395500d09f7658076
cn: 0f27304999534a3281b6870230278534
cn: 1f1a32dfc62b4118adfa60169ce57542
cn: 0ecef7faab8b45fd89cd48ab79f7aa3d
cn: 1078aa33c6b94972bdb1ef927e7c7d97
cn: 2709183b18ce45e49a144168685ffc8c
cn: 20a08e2dcc484aa28ce25ea501e0d885
cn: 2c716034d2dd4ae5bdf5a6b54314ec33
cn: 8d5aab67005049d2bd74b95530723b65
cn: 0263a7f7ea6740fe97acbac717c161b2
cn: 07148a245d6f4d36b66b92cd66e1dd73
cn: 3f369502201b4fa3b056b1ec930dfcdd
cn: 44c5cf3722a54976bba16e1e1ecb5edb
cn: 3ab62c19a06b45f980c20cfd59ac0b7f
cn: cade318696d74f9e9ecd5ea145afb2db
cn: 59fbc35c7b78490a9f7f967391e95d8a
cn: e9699bdb0f2a489489bf747efb5b91e5
cn: bf3d46433725408c9b3fc62d7660681f
cn: cafeab7a1e6c4ec7b902581c24ee36ec
cn: a4b03ac235d443159feaeafec24a92dd
cn: c1822154380f4d86adf8146abbe92741
cn: 5238620953c040e7a9effbe47d4e0932

If you scroll through the output above you will see that the cn values look like normal Cloud VPS project names until they suddenly turn into things like cn: c5760e1b213b499e827b4d0ce5bb5e01. This corresponds with the implementation of T274268: Wind down use of project ID and project name equivalency in OpenStack. Using a UUID value for the project ID inside OpenStack is fine, but in places like LDAP it would make more sense to continue to use the haman readable "name" label.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
openstack: wmfkeystonehooks: create LDAP groups with project name	operations/puppet	production	+21 -16
validatecloudvpsfqdn.py: Only support projects with project_name in fqdn	operations/puppet	production	+6 -8
Update horizon version on eqiad1	operations/puppet	production	+1 -1
Try to clarify the distinction between project name and id	openstack/horizon/wmf-sudo-dashboard	main	+19 -15
puppet_enc: lookup roles using project_id in the url	operations/puppet	production	+8 -3
wmfkeystonehooks: use project name instead of project id for ldap key	operations/puppet	production	+19 -15
Upgrade eqiad1 horizon release	operations/puppet	production	+1 -1
nova vendordata: set fqdn from project_name rather than project_id	operations/puppet	production	+27 -3
Use project name (not tenant_id) for labels and VM fqdn.	openstack/horizon/wmf-puppet-dashboard	main	+6 -6
openstack_project_id.rb: discard trailing newline	operations/puppet	production	+1 -1
validatecloudvpsfqdn.py: Support projects with project_name in fqdn	operations/puppet	production	+11 -3
Add wmcs_project_id custom fact and handling in realm	operations/puppet	production	+19 -0
vendordata.txt: include rudimentary clouds.yaml in initial VM	operations/puppet	production	+13 -0
cloud-vps instance: populate /etc/openstack/project_id	operations/puppet	production	+10 -0
Get openstack project list from keystone	labs/tools/stashbot	master	+6 -1

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Andrew	T274268 Wind down use of project ID and project name equivalency in OpenStack
		Resolved	BUG REPORT	Andrew	T379030 openstack: wmfkeystonehooks: project ids rather than names are being used in LDAP group creation

Event Timeline

bd808 created this task.Nov 4 2024, 10:27 PM

Restricted Application added a project: cloud-services-team. · View Herald TranscriptNov 4 2024, 10:27 PM

Restricted Application added a subscriber: Sadads. · View Herald Transcript

https://openstack-browser.toolforge.org/project/5238620953c040e7a9effbe47d4e0932 is the UUID named page for the "wikiqlever" project. Stashbot thinks that @Physikerwelt should have used !log 5238620953c040e7a9effbe47d4e0932 start setting up puppet master following https://wikitech.wikimedia.org/wiki/Help:Project_puppetserver based on the LDAP lookup data. This is really poor user experience (same for the UUID in the openstack-browser URL honestly) that we should figure out how to fix.

bd808 added a subtask: T274268: Wind down use of project ID and project name equivalency in OpenStack.Nov 4 2024, 10:33 PM

fnegri subscribed.Nov 5 2024, 11:52 AM

bd808 mentioned this in T379128: OpenStack project ids rather than names are being used in hiera settings archiving.Nov 5 2024, 11:43 PM

In T379030#10291065, @bd808 wrote:

https://openstack-browser.toolforge.org/project/5238620953c040e7a9effbe47d4e0932 is the UUID named page for the "wikiqlever" project. Stashbot thinks that @Physikerwelt should have used !log 5238620953c040e7a9effbe47d4e0932 start setting up puppet master following https://wikitech.wikimedia.org/wiki/Help:Project_puppetserver based on the LDAP lookup data. This is really poor user experience (same for the UUID in the openstack-browser URL honestly) that we should figure out how to fix.

I tried that with the next log entry, which went https://sal.toolforge.org/__all__ but not at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikiqlever

It works for elder projects such as math

https://wikitech.wikimedia.org/wiki/Nova_Resource:Math/SAL

fnegri triaged this task as High priority.Nov 11 2024, 11:12 AM

In T379030#10307609, @Physikerwelt wrote:

I tried that with the next log entry, which went https://sal.toolforge.org/__all__

https://sal.toolforge.org/5238620953c040e7a9effbe47d4e0932 is the project specific log collection in the Toolforge backend.

but not at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikiqlever

Stashbot current does not have any way to figure out that the OpenStack project id 5238620953c040e7a9effbe47d4e0932 is connected with the OpenStack project name Wikiqlever. This is basically the bug.

It works for elder projects such as math

https://wikitech.wikimedia.org/wiki/Nova_Resource:Math/SAL

Correct. Both the OpenStack project id and name are math for that project as it was created prior to the change from T274268: Wind down use of project ID and project name equivalency in OpenStack. The hooks that populate the LDAP directory with information about projects created the https://ldap.toolforge.org/group/project-math entry. For new projects we are now creating LDAP records like https://ldap.toolforge.org/group/project-5238620953c040e7a9effbe47d4e0932 which have no connection at all to the human readable project name in their data.

The stupidest thing I can think of is moving https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikiqlever to https://wikitech.wikimedia.org/wiki/Nova_Resource:5238620953c040e7a9effbe47d4e0932. One can then use displaytitle, etc to make it look nicer. I guess there was a reason for changing from semantic identifiers to identifiers with different desired properties. If we don't enforce uniqueness in project names anymore, it would be hard for the bot the guess the right project.

Ah the SAL subpage page is already at the place where I would have expected it to be https://wikitech.wikimedia.org/wiki/Nova_Resource:5238620953c040e7a9effbe47d4e0932/SAL

I just changed https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikiqlever to include that other page. Maybe we can document that, and is that good enough?

Also in emails, e.g., regarding failed puppet runs

Puppet is having issues on the "puppetmaster.5238620953c040e7a9effbe47d4e0932.eqiad1.wikimedia.cloud (172.16.4.20)" instance in project

5238620953c040e7a9effbe47d4e0932 in Wikimedia Cloud VPS.

the semantic name is not shown, which will most likely cause people who are involved in more than 1 project to ignore it. However, the project name seems still to be unique as it can be used for ssh

Hostname puppetmaster.wikiqlever.eqiad1.wikimedia.cloud

• aborrero added a project: User-aborrero.Nov 13 2024, 12:12 PM

• aborrero moved this task from Backlog to Next on the User-aborrero board.

• aborrero changed the task status from Open to In Progress.Nov 13 2024, 12:30 PM

• aborrero moved this task from Next to Doing on the User-aborrero board.

• aborrero removed a subtask: T274268: Wind down use of project ID and project name equivalency in OpenStack.Nov 13 2024, 1:44 PM

• aborrero added a parent task: T274268: Wind down use of project ID and project name equivalency in OpenStack.

• aborrero mentioned this in T274268: Wind down use of project ID and project name equivalency in OpenStack.

• aborrero renamed this task from OpenStack project ids rather than names are being used in LDAP group creation to openstack: wmfkeystonehooks: project ids rather than names are being used in LDAP group creation.Nov 13 2024, 1:47 PM

Change #1090854 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] openstack: wmfkeystonehooks: create LDAP groups with project name

https://gerrit.wikimedia.org/r/1090854

gerritbot added a project: Patch-For-Review.Nov 13 2024, 1:50 PM

First, some context: There isn't actually a change in ldap from one format to another; in all cases ldap is using the canonical ID of the project. It's just that IDs and names have recently diverged.

I agree that the new IDs are essentially human unreadable and shouldn't appear in most user interactions, but I think we should nevertheless continue to use canonical openstack IDs for all backend references to projects -- we've already tripped over this in one big way and I don't like the idea of obfuscating the ID/name distinction further in code. Ideally I'd expect things to use IDs on the backend/internally and then do a last-minute lookup when displaying to the user. I'm pretty sure that ldap representation counts as 'internal' rather than 'UI' even though wmcs staff is used to reading ldap with our bare eyes.

The proposed patch seems hazardous because if we start using names rather than IDs in ldap, that is actually a big change -- even though it feels like it's putting things back the way it was, it's actually changing ldap to store a new kind of thing that nothing that consumes ldap will be expecting.

So, I think the correct way to address this is to move forward towards making (the rest of) our user tools understand about what an ID is vs a name. I'm also not sure that things like stashbot should be looking at ldap at all when they can talk directly to openstack which is the actual source of truth.

In T379030#10318678, @Andrew wrote:

The proposed patch seems hazardous because if we start using names rather than IDs in ldap, that is actually a big change -- even though it feels like it's putting things back the way it was, it's actually changing ldap to store a new kind of thing that nothing that consumes ldap will be expecting.

This fear of using Project Name rather than Project ID feels like a direct contradiction of the IRC conversation I documented in https://phabricator.wikimedia.org/T366679#9993083. Names are just as unique as UUIDs at least for the purpose of interrogating the active projects.

At least two of the things that consume LDAP for OpenStack project data, my Stashbot tool and my brain, are both broken by the current UUID state. I am not coming up with reasons to keep mirroring the Keystone project membership data into LDAP at all if it is going to be obfuscated. I think humans have thought at least a bit about this before because someone decided that we should have DNS records using the Project Name in addition to records using the Project ID. A dual recording in LDAP as well would at least restore the ability for Stashbot and my eyes to read the data there if dropping the UUID group naming is undesirable.

From an non-wmf perspective, the most important aspect is documentation. It only takes 5 seconds to C&P the project id, but it might take several hours to find out that the configuration was changed.

I think my opinion is that I'm happy if openstack internally has uuids for projects ids, which is what upstream does.
Then, everything outside openstack, including our tooling, we can keep using project names. LDAP, stashbot, SAL, DNS, etc they all qualify in this category of being "our tooling".

With this, we may get the best of both words: we retain the native upstream openstack behavior of using uuids, but we leverage the fact that project names are unique, to simplify and make 'developer-friendly' some of our tooling.

I would be happy if the only place where we can see project uuids is deep inside the openstack database.

It's definitely the case that we enforce unique project names in eqiad1. So the only situation I can think of where names would be ambiguous (and IDs unambiguous) is if we ever build our long-awaited second region.

The only other (mild) concern I have is with format of project names, but that's probably imaginary... I imagine that as long as we constrain project name to valid dns domain names that will also restrict it to valid ldap keys? If so, think we can go forward with Arturo's plan although it still strikes me as moderately incorrect :p

taavi removed a project: Striker.Nov 15 2024, 9:25 AM

In T379030#10322740, @Andrew wrote:

It's definitely the case that we enforce unique project names in eqiad1. So the only situation I can think of where names would be ambiguous (and IDs unambiguous) is if we ever build our long-awaited second region.

There are a number of implementation details for that, like who will be enforcing uniqueness of uuids across regions, or how the LDAP backend would be used for different regions.

The simpler examples I can think of are:

different regions have different accounts (and LDAP backend). This is the case with codfw1dev. We basically don't care here if the names/uuids are duplicated.
different regions share the same keystone (and LDAP backend). I guess the same keystone implies same openstack DB, therefore organic uniqueness for names/uuids.

Do you have something else in mind?

The only other (mild) concern I have is with format of project names, but that's probably imaginary... I imagine that as long as we constrain project name to valid dns domain names that will also restrict it to valid ldap keys? If so, think we can go forward with Arturo's plan although it still strikes me as moderately incorrect :p

You definitely have a number of considerations in your radar that I don't. I would feel more confident if you take over the patch https://gerrit.wikimedia.org/r/1090854 and related changes that may be needed.

• aborrero moved this task from Doing to Radar/observer on the User-aborrero board.Nov 15 2024, 9:49 AM

Andrew claimed this task.Nov 18 2024, 2:41 PM

I am not coming up with reasons to keep mirroring the Keystone project membership data into LDAP at all if it is going to be obfuscated.

Up until this week, I would have said that keystone projects are in ldap for pam/sssd and sudo rule management. @bd808 can you tell me more about what kinds of things you use ldap for directly? I think I understand the stashbot case (which can potentially be altered to talk to keystone directly).

Change #1093997 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[labs/tools/stashbot@master] Get openstack project list from keystone

https://gerrit.wikimedia.org/r/1093997

In T379030#10344421, @Andrew wrote:

I am not coming up with reasons to keep mirroring the Keystone project membership data into LDAP at all if it is going to be obfuscated.

Up until this week, I would have said that keystone projects are in ldap for pam/sssd and sudo rule management. @bd808 can you tell me more about what kinds of things you use ldap for directly? I think I understand the stashbot case (which can potentially be altered to talk to keystone directly).

https://ldap.toolforge.org/user/bd808 is another consumer.

I personally quite often query the directory when I am looking for information about a particular Developer account:

$ ldap cn=BryanDavis + | grep memberOf:
memberOf: cn=tools.my-first-django-tool,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.my-first-flask-tool,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.my-first-flask-oauth-tool,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.esbackup,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.keystone-browser,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bd808-pywikibot,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bash,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.mysql-php-session-test,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolforge,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.versions,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.tool-db-usage,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.static,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.phabulous,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.csp-report,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.phab-ban,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.hatjitsu,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.docker-registry,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.cloudvps,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.www,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.iw,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bikeshed,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.paws-public,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.help,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=toolsbeta.test4,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.wikistream,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.xn--dk8hv9g,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolhub,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.doodle,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.unicornify,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.example,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.pygments,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=project-download,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-striker,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.jouncebot,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.replag,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.vpsalertmanager,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolhub-gadget-demo,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.os-deprecation,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolinfo-scraper,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=project-toolhub,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-devportal,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.cdnjs-beta,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.officewikibot,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.convert,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bridgebot,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bd808-ruby,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolhub-extension-demo,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.admin-beta,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.stashbot,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.sal,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=ciadmin,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.sal-test,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.docker-ratelimit,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.mwdemo,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.wp-trending,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.python-toolforge,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bd808-buildpack,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.k8s-status,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.ifttt-dev,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.ifttt,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.bd808-test2,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.extloc,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolviews,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=project-admin,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-admin-monitoring,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-clouddb-services,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-cloudinfra,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-metricsinfra,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-paws,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-project-proxy,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-quarry,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-redirects,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-testlabs,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-toolsbeta,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-wmflabsdotorg,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.automated-toolforge-tests,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.fourohfour,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.jobs,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.openstack-browser,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.openstack-browser-dev,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.quarry,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.security,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolschecker,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=toolsbeta.fourohfour,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=toolsbeta.test3,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.iw-beta,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.admin,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=project-bastion,ou=groups,dc=wikimedia,dc=org
memberOf: cn=wmf,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-tools,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.xn--9s9h,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.gitlab-account-approval,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=toolsbeta.admin,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.wikibugs,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.wikibugs-testing,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.github-ratelimit,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.gitlab-webhooks,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=toolsbeta.gitlab-webhooks-beta,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.schedule-deployment,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.containers,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.disabled-tools,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.ircservserv,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=project-deployment-prep,ou=groups,dc=wikimedia,dc=org
memberOf: cn=project-675d02a3344846919fd7fdee700b53a2,ou=groups,dc=wikimedia,dc=org
memberOf: cn=tools.jenkins-build-stats,ou=servicegroups,dc=wikimedia,dc=org
memberOf: cn=tools.toolforge-standards-committee,ou=servicegroups,dc=wikimedia,dc=org

In theory things that are using the LDAP directory for authentication either directly or indirectly via idp.wikimedia.org can also use the cn=project-*,ou=groups,dc=wikimedia,dc=org groups for authorization. In practice I am not sure that this actually happens, but I also don't really know how to check all IDP consumers.

git grep 'cn=project-' in operations/puppet.git hits on a number of python scripts:

modules/openldap/files/offboard-user.py
modules/profile/files/toolforge/checker/toolschecker.py
modules/profile/files/wmcs/services/maintain_dbusers/maintain_dbusers.py

profile::wmcs::metricsinfra::alertmanager::karma shows that they are also used in /etc/prometheus-configurator/config.d/karma_acls_config.yaml.

I still haven't decided what to do about this.

https://gerrit.wikimedia.org/r/c/labs/tools/stashbot/+/1093997 will resolve the specific stashbot issue but doesn't affect what's stored in ldap.

Right now a VM's fqdn is made out of the project ID at build time, then once the VMs are running that fqdn is broken down to produce the project ID for use on VMs for puppet and also to key into ldap. So if we want human-readable ldap we need to change at least the following things to use project name rather than project id:

ldap groups
fqdns
ldap/sudo integration
everything project-specific that happens in puppet (e.g. hiera lookups)
all the horizon UIs that make things that are used by any of the above (again, hiera, enc, sudo rules)

and we'd also need to retcon or rebuild the VMs and projects that are currently using IDs. That's a total of 13 VMs at the moment.

What I expected to do, before this task existed, was leave IDs as the internal reference and convert IDs to names for user-facing interactions. That's (for example) what the above gerrit patch does for stashbot.

The idea of considering the raw ldap data itself as user-facing is throwing me for a loop. Could we address that issue partially by amending the ldap schema to include the human-readable project name in the cn=project- entries?

In T274268: Wind down use of project ID and project name equivalency in OpenStack, @Bstorm wrote:

This should include trying to make it so that we can still use project names and not have to manually look up ids, hopefully.

I think this the core disagreement/source of friction. The change to use OpenStack native UUIDs for project ids is fine, but not at the same time changing user facing information, including both FQDNs and LDAP groups, to use project names instead of the formerly equivalent project id is causing friction and toil for humans.

In T379030#10553421, @Andrew wrote:

The idea of considering the raw ldap data itself as user-facing is throwing me for a loop. Could we address that issue partially by amending the ldap schema to include the human-readable project name in the cn=project- entries?

I would ask for that inclusion to be making the group names cn=project-{name} rather than cn=project-{id}-{name} or cn=project-{name}-{id} because there is no currently described benefit of showing the id to anyone outside of OpenStack database internals and comprehensive reporting.

The URL structure for https://openstack-browser.toolforge.org/project/675d02a3344846919fd7fdee700b53a2 is a similar mistake that we should correct.

In T379030#10322740, @Andrew wrote:

The only other (mild) concern I have is with format of project names, but that's probably imaginary... I imagine that as long as we constrain project name to valid dns domain names that will also restrict it to valid ldap keys? If so, think we can go forward with Arturo's plan although it still strikes me as moderately incorrect :p

A cn is per schema a DirectoryString. A DirectoryString attribute is "a string of one or more arbitrary characters from the Universal Character Set (UCS)." This functionally means that a cn is a non-empty UTF-8 string. It will hold whatever weirdness you want. And as you imply we currently want these strings to also be valid DNS labels which means they will be 1-63 ASCII characters taken from the set [a-zA-Z0-9-].

AntiCompositeNumber awarded a token.Feb 14 2025, 9:26 PM

Server fqdn is a bit of a puzzle. Right now the fqdn is generated by cloud-init, based on openstack metadata. The openstack metadata provides projct ID but not project name.

So, options are...

write a custom dynamic metadata service to provide the project name. (I have written a dynamic metadata service once before but it was impossible to keep stable so I decomissioned it. Could try again.)
provide openstack credentials to VMs on startup (via static metadata) so that the instance can query openstack and look up its own project name. That should be possible, and the 'observer' creds are already public. Unfortunately the lookup can only happen after cloud-init completes; I'm not if that will break other existing cloud-init setups.
go back to hacking keystone so that project_id==project_name
leave things as they are

#2 is probably the best option here, but it'll be ugly :(

In T379030#10560684, @Andrew wrote:

write a custom dynamic metadata service to provide the project name. (I have written a dynamic metadata service once before but it was impossible to keep stable so I decomissioned it. Could try again.)

https://docs.openstack.org/nova/2024.2/admin/vendordata.html#dynamicjson makes it sound relatively boring to add a microservice that responds with custom metadata, but I have never messed with things at this level of OpenStack internals. Was that "respond to a POST with a JSON blob" what you found practical challenges with before, or is this maybe a different way to inject data into the cloud-init system?

In T379030#10560835, @bd808 wrote:

https://docs.openstack.org/nova/2024.2/admin/vendordata.html#dynamicjson makes it sound relatively boring to add a microservice that responds with custom metadata, but I have never messed with things at this level of OpenStack internals. Was that "respond to a POST with a JSON blob" what you found practical challenges with before, or is this maybe a different way to inject data into the cloud-init system?

Yes, the microservice approach was what I found unreliable. I don't remember the specifics as it was years ago, only that it never worked right and felt extremely jerry-rigged so I dropped it.

There is more background than you might like about extra vendor data vs. cloud-init here https://bugs.launchpad.net/cloud-init/+bug/1841104 and here https://github.com/canonical/cloud-init/issues/5221 -- the summary is that it seems to mostly still not work very well, if at all.

Change #1120683 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] vendordata.txt: include rudimentary clouds.yaml in initial VM

https://gerrit.wikimedia.org/r/1120683

Change #1120684 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova vendordata: set fqdn from project_name rather than project_id

https://gerrit.wikimedia.org/r/1120684

The above two patches implement option #2. They leave /etc/hosts subsequently unmanaged which is a bit fragile but probably OK.

In T379030#10560867, @Andrew wrote:

Yes, the microservice approach was what I found unreliable.

Ack. It does look like there has been some amount of confusion historically between the OpenStack folks and the cloud-init folks on the spec for the data. Thank you for giving me that extra context.

Change #1121344 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] validatecloudvpsfqdn.py: Support projects with project_name in fqdn

https://gerrit.wikimedia.org/r/1121344

Change #1121345 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmfkeystonehooks: use project name instead of project id for ldap key

https://gerrit.wikimedia.org/r/1121345

Change #1121346 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Add wmcs_project_id custom fact and handling in realm

https://gerrit.wikimedia.org/r/1121346

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/volume-admission/-/merge_requests/24

volumes: mount /etc/openstack/clouds.yaml

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/228

toolforge: introduce /etc/openstack/clouds.yaml

Change #1121369 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] cloud-vps instance: populate /etc/openstack/project_id

https://gerrit.wikimedia.org/r/1121369

Here is the list of VMs currently running with project IDs in the fqdn/puppet cert:

664e04b3-34b7-4b87-9296-bfb1cbb5f872 beta
b2c96f28-03bb-4ff4-ab83-f79cc943d31d qlever1
57d26b02-dcb3-447e-b2eb-ac667852932c puppetmaster
fa6f811e-e18e-4f6c-bbc2-5cdf464bad1d ci-components
5e5c3bad-f1c7-49e5-b846-edaf111af83c ci2
60ffad65-edf9-4edd-b531-cfc030dde6ab k3s-node00
6799679b-ac3f-4e07-8bd4-8c23640a5886 k3s-node01
241f3730-4e8d-48c9-90f7-8c67e271d273 crux-metrics
eb6f591f-69b2-4f16-a7eb-3740b5fd074f db
b54d0173-24e7-426a-97db-7d9ca9489009 queue
c2f528c1-6668-4619-91f9-b6ef53d3d8a3 wikipeoplestats-prod01
6356dbde-37f8-40fa-ae3e-26c5913702be primary-app
01ffdbd4-eb45-45d2-8dc2-6d667d4b456d defectdojo

Change #1121369 merged by Andrew Bogott:

[operations/puppet@production] cloud-vps instance: populate /etc/openstack/project_id

https://gerrit.wikimedia.org/r/1121369

Change #1121423 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] validatecloudvpsfqdn.py: Only support projects with project_name in fqdn

https://gerrit.wikimedia.org/r/1121423

Change #1120683 merged by Andrew Bogott:

[operations/puppet@production] vendordata.txt: include rudimentary clouds.yaml in initial VM

https://gerrit.wikimedia.org/r/1120683

Change #1121346 merged by Andrew Bogott:

[operations/puppet@production] Add wmcs_project_id custom fact and handling in realm

https://gerrit.wikimedia.org/r/1121346

Change #1121344 merged by Andrew Bogott:

[operations/puppet@production] validatecloudvpsfqdn.py: Support projects with project_name in fqdn

https://gerrit.wikimedia.org/r/1121344

Change #1121691 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] openstack_project_id.rb: discard trailing newline

https://gerrit.wikimedia.org/r/1121691

Change #1121691 merged by Andrew Bogott:

[operations/puppet@production] openstack_project_id.rb: discard trailing newline

https://gerrit.wikimedia.org/r/1121691

Change #1121765 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[openstack/horizon/wmf-puppet-dashboard@main] Use project name (not tenant_id) for labels and VM fqdn.

https://gerrit.wikimedia.org/r/1121765

Change #1121765 merged by Andrew Bogott:

[openstack/horizon/wmf-puppet-dashboard@main] Use project name (not tenant_id) for labels and VM fqdn.

https://gerrit.wikimedia.org/r/1121765

Change #1120684 merged by Andrew Bogott:

[operations/puppet@production] nova vendordata: set fqdn from project_name rather than project_id

https://gerrit.wikimedia.org/r/1120684

Change #1121776 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Upgrade eqiad1 horizon release

https://gerrit.wikimedia.org/r/1121776

Change #1121776 merged by Andrew Bogott:

[operations/puppet@production] Upgrade eqiad1 horizon release

https://gerrit.wikimedia.org/r/1121776

Change #1121345 merged by Andrew Bogott:

[operations/puppet@production] wmfkeystonehooks: use project name instead of project id for ldap key

https://gerrit.wikimedia.org/r/1121345

Change #1121777 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] puppet_enc: lookup roles using project_id in the url

https://gerrit.wikimedia.org/r/1121777

Change #1121777 merged by Andrew Bogott:

[operations/puppet@production] puppet_enc: lookup roles using project_id in the url

https://gerrit.wikimedia.org/r/1121777

Change #1121778 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[openstack/horizon/wmf-sudo-dashboard@main] Try to clarify the distinction between project name and id

https://gerrit.wikimedia.org/r/1121778

Change #1121778 merged by Andrew Bogott:

[openstack/horizon/wmf-sudo-dashboard@main] Try to clarify the distinction between project name and id

https://gerrit.wikimedia.org/r/1121778

Change #1121785 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Update horizon version on eqiad1

https://gerrit.wikimedia.org/r/1121785

I believe this to be resolved now. I adjusted the fqdn of the VMs listed above, and hand-edited ldap to use project names instead of ids anywhere where it was previously using IDs. I need to do a couple of tests for new projects, but here are the notes from what I've done so far:

now:

- VM fqdns are hostname.<project id>.domain

- $wmcs_project is project id, determined from puppet certname

- project name unknown to puppet

- ldap keys are project-<project id>

- puppet enc lookups are based on project id ($wmcs_project) and fqdm


after:

- VM fqdns are hostname.<project name>.domain

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1120684

- $wmcs_project is project name, determined from puppet certname

- ldap keys are project-<project name>

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1121345/3

TODO: hand edit existing ldap entries that are uuid-based

- project_id available (but untrusted) via /etc/openstack/project_id and $wmcs_project_id

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1121369/3

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1121346

- puppet enc lookups are based on project id ($wmcs_project_id) and fqdn

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1121347/3

- update all fqdns in the enc database to replace project IDs with names



TODO: what about existing VMs with uuid ID in fqdn?

- update /var/lib/cloud/instances/873c0e0d-945b-4f68-946d-9102276aaac0/obj.pkl to have manage_etc_hosts false

- sed -i "s/<projectid>/<projectname>/g" /etc/hosts

Change #1121785 merged by Andrew Bogott:

[operations/puppet@production] Update horizon version on eqiad1

https://gerrit.wikimedia.org/r/1121785

Change #1121423 merged by Andrew Bogott:

[operations/puppet@production] validatecloudvpsfqdn.py: Only support projects with project_name in fqdn

https://gerrit.wikimedia.org/r/1121423

Andrew closed this task as Resolved.Feb 25 2025, 12:30 PM

fnegri closed https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/228

toolforge: introduce /etc/openstack/clouds.yaml

bd808 mentioned this in T399667: Support Cloud VPS project references by ID as well as name.Jul 15 2025, 11:44 PM

dcaro closed https://gitlab.wikimedia.org/repos/cloud/toolforge/volume-admission/-/merge_requests/24

volumes: mount /etc/openstack/clouds.yaml