Page MenuHomePhabricator
Create Task
Maniphest T388662

Disable BarryTheBrowserTestBot LDAP account
Closed, ResolvedPublic
Actions

Description

Username (cn): BarryTheBrowserTestBot
uid: barrybrowsertestbot (without the)

The account was used for a bot/script maintained by @Jdlrobson-WMF . It last commented in 2018 according to the Gerrit search commentby:BarryTheBrowserTestBot.

Since the bot was not flagged as such in Gerrit (by adding it to the Service Users group), it is suggested as a reviewer when I enter 'jdlr'.

Since the account is no more used. It should be disabled. I imagine that is done in Bitu https://idm.wikimedia.org/ but I don't seem to have the necessary privileges and I could not find how to file a request. Hence this task for LDAP-Access-Requests :)

Related Objects

Event Timeline

hashar created this task.Mar 12 2025, 12:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2025, 12:52 PM
hashar updated the task description. (Show Details)Mar 12 2025, 12:59 PM
Aklapper added a comment.Mar 12 2025, 1:01 PM

FYI it's also disabled in Phab: https://phabricator.wikimedia.org/p/BarryTheBrowserTestBot/

Maintenance_bot added a project: SRE.Mar 12 2025, 1:29 PM
Jdlrobson awarded a token.Mar 12 2025, 2:35 PM
ssingh subscribed.Mar 17 2025, 2:23 PM

The user does not seem to be part of https://ldap.toolforge.org/user/barrybrowsertestbot of any sensitive groups. For disabling an account and on checking internally with SRE, there is no formal process currently in place. T335478 a bit about this but until there is, there isn't much to do here.

If you disagree, please let me know but otherwise I will make this as resolved since the account is already disabled in Phabricator.

Aklapper renamed this task from Disable BarryTheBrowserTestBot account to Disable BarryTheBrowserTestBot LDAP account.Mar 18 2025, 7:32 AM
Scott_French closed this task as Declined.Mar 24 2025, 7:06 PM
Scott_French subscribed.

As proposed by @ssingh in T388662#10641905, I'm going to move this to Declined in favor of an automatic solution in T335478, particularly given that the account in question has no sensitive access.

hashar reopened this task as Open.Mar 26 2025, 3:08 PM

For disabling an account and on checking internally with SRE, there is no formal process currently in place.

I know the IDM can block a user, it is stated in the first sentence: account disabling for Wikimedia Developer accounts and there is a documentation to disable it https://wikitech.wikimedia.org/wiki/IDM#Disabling_an_account

Since I do not have extra privileges in the IDM, I can not disable the account myself, hence why I have filed this task. I filed it against #ldap-access-request cause eventually Gerrit only knows about LDAP, but if there is a better tag to ask IDM admins, it should be added.

The big question is who knows about IDM and who has the privileges?

Pppery subscribed.EditedMar 26 2025, 3:17 PM

Anyone in the list of people at https://github.com/wikimedia/operations-puppet/blob/a8e90bc9358f3c0d53c567ae3ba62903a1b400f7/modules/idm/templates/idm-django-settings.erb#L388 or https://ldap.toolforge.org/group/bitu-account-managers can do this/

bd808 changed the task status from Open to In Progress.Mar 26 2025, 3:54 PM
bd808 claimed this task.
bd808 added a project: Bitu.
Restricted Application added projects: User-bd808, Infrastructure-Foundations. · View Herald TranscriptMar 26 2025, 3:54 PM
bd808 added a comment.Mar 26 2025, 4:02 PM
In T388662#10641905, @ssingh wrote:

For disabling an account and on checking internally with SRE, there is no formal process currently in place.

Developer account blocking is functionality in Bitu (T359820: Developer Account Blocking: Migrate the one-stop Developer (un)Blocking from Wikitech to Bitu). This workflow was handled via account blocking on Wikitech until the October 2024 changes to Wikitech that detached it from the Developer account LDAP directory.

As @Pppery points out https://ldap.toolforge.org/group/bitu-account-managers is the list of folks who currently are able to use the blocking/unblocking features in Bitu.

bd808 closed this task as Resolved.Mar 26 2025, 4:27 PM

https://idm.wikimedia.org/wikimedia/block/barrybrowsertestbot/log

Screenshot 2025-03-26 at 10.24.20.png (1×1 px, 246 KB)

hashar added a comment.Mar 26 2025, 5:05 PM

Thank you @bd808 for the details and for the screenshot of the blocking logs!

hashar updated the task description. (Show Details)May 14 2025, 7:13 AM
hashar added a comment.Oct 3 2025, 6:39 AM

As part of this task I found out that the logic to ban an account in Gerrit was not migrated from the wikitech-l MediaWiki hook to Bitu. Blocks were ineffective. I went to implement support for blocking users in Gerrit by porting the PHP code to Python. This was done via T390070

Although I have verified the behavior with a test account, I forgot I did all that work for the purpose of properly blocking BarryTheBrowserTestBot which remained active.

Stashbot added a comment.Oct 3 2025, 6:42 AM

Mentioned in SAL (#wikimedia-releng) [2025-10-03T06:42:11Z] <hashar> gerrit set-account BarryTheBrowserTestBot --inactive # T388662 T390070

hashar added a comment.Oct 3 2025, 6:43 AM

I can confirm the BarryTheBrowserTestBot account is now inactive in Gerrit. From the All-Users.git database:

$ git show
commit 94c67416a2c1adc8bde631e6c9e72701915e424f (HEAD -> users/53/2653, origin/users/53/2653)
Author: [BOT] Gerrit Code Review <gerrit@wikimedia.org>
Date:   Fri Oct 3 06:39:58 2025 +0000

    Deactivate Account via API

diff --git a/account.config b/account.config
index 9f1487eba0..5b93ec3ea2 100644
--- a/account.config
+++ b/account.config
@@ -1,3 +1,4 @@
 [account]
        fullName = BarryTheBrowserTestBot
        preferredEmail = jdlrobson+barry@gmail.com
+       active = false

Thank you for the report @Jdlrobson-WMF !

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits