Page MenuHomePhabricator

Make metawiki the central OAuth wiki
Closed, ResolvedPublic

Description

We originally planned to use meta as the central wiki for OAuth. Before we do this, we need to make sure:

  • All of the help pages are copied across
  • OAuth admin user rights are assigned to appropriate users - what's the process for this on meta?

We probably also need to make sure we have solid policies established for app management (approvals, revocation, etc.) and who is an admins.

Once that is in place, we can copy the database across. Since we track user's centralauth id's, no user id translations will need to happen.


Version: master
Severity: normal

Details

Reference
bz57336

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.
bzimport set Reference to bz57336.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Nov 21 2013, 12:41 AM

If we copy it accross, then the logging table entries will need to be copied over to. These have local user_text and user_id fields. They would need to be replaced with the correct local values...

How many apps are on mw.org? Maybe they can just be recreated on metawiki?

(In reply to comment #0)

  • OAuth admin user rights are assigned to appropriate users - what's the process for this on meta?

For our initial deployment of the minimum viable product (i.e. today's deployment) we can use the existing structure we've got of staff doing it. For the long term, that's not viable. But, having a system in place to address these questions should be our focus for the next deployment. Control of this needs to be in the hands of the community.

If you can switch it over to it working on Meta instead of MediaWiki before today's deployment, then you can do that. If you can't, then let's keep it on MediaWiki and shift over to Meta later. If we can't do an automated migration, pinging people to resubmit their authorisation requests shouldn't be the worst thing in the world to have to do.

I'd say we can just give this to the stewards. But that's the easy part. The hard part is the social structure for who should get grants. Because this is somewhat distributed (each individual project can have its own grants) a structure like we have for advanced permissions should work. That is, we can give the actual power to the stewards, and let each individual project come up with some social structure to handle when the stewards should flip the switch. Projects that are too small to have that structure in place can have it handled by the stewards.

I decided to stick with mw.o for today, and we'll look at doing this switch sometime on or after Dec 2 (next open deployment date).

<Aaron|home> so that would make mw.org the central wiki
<csteipp> Aaron|home: Yeah, I think I'd rather do that in another window later.
<Aaron|home> so any extra consumers after now will also get nuked? I guess you could do that
<csteipp> I was planning to copy over any consumers, keeping the id, key, secret, but make them all pending. And then approve them with a comment like "See approval [[X]]" pointing to the mw.o log.
<csteipp> Authorizations I would just copy over as is
<Aaron|home> so they won't have any propose log entries?
<csteipp> Correct
<Aaron|home> there are 2 of them right?
<csteipp> 2 approved last I checked...
<csteipp> let me look though
<Aaron|home> http://www.mediawiki.org/wiki/Special:OAuthListConsumers
<Aaron|home> a few more
<Aaron|home> though only 2 interesting ones
<Aaron|home> I guess the logs could be copied over with a little script too

  • Aaron|home adds that to his TODO file

We need to migrate this to Meta in order to put it in a place that makes sense for the stewards. Setting priority accordingly.

(In reply to Dan Garry from comment #4)

We need to migrate this to Meta in order to put it in a place that makes
sense for the stewards. Setting priority accordingly.

Dan: Who is going to work on this? Any timeframe?

(In reply to Andre Klapper from comment #5)

(In reply to Dan Garry from comment #4)
> We need to migrate this to Meta in order to put it in a place that makes
> sense for the stewards. Setting priority accordingly.

Dan: Who is going to work on this? Any timeframe?

I'm unsure on both fronts, honestly. We currently have little (read: no) engineering resourcing towards OAuth specifically.

It would be good to finalize our DB schema before we move it over, so we don't have to do db updates to meta after the move. Added some potential blockers to that.

I think the Stewards have all been ok with taking ownership, and the process in general.

Otherwise, Aaron and I just need to work out the checklist for the transfer, and try a couple dry runs.

Change 121131 had a related patch set uploaded by CSteipp:
Add maintenance script to copy db tables

https://gerrit.wikimedia.org/r/121131

Change 122867 had a related patch set uploaded by CSteipp:
Move OAuth logs to another wiki

https://gerrit.wikimedia.org/r/122867

Change 121131 merged by jenkins-bot:
Add maintenance script to copy db tables

https://gerrit.wikimedia.org/r/121131

Change 122867 merged by jenkins-bot:
Move OAuth logs to another wiki

https://gerrit.wikimedia.org/r/122867

All patches merged, resetting bug report status.

This ticket has been highest priority for four months now. Does this still reflect reality, and if so, who is supposed to continue working on this and when?

I think it's highest in that it's the project I work on if I have time. The reality is nobody is directly assigned to work on OAuth right now, so it's really just me in my spare time.

So it's nice to keep it at the top of the priority list until it gets completed, but I'm not sure what kind of timeframe we have for it.

Sitic added a subscriber: Sitic.Nov 24 2014, 11:30 AM
TTO lowered the priority of this task from Unbreak Now! to High.Apr 18 2015, 1:11 AM
TTO added a subscriber: TTO.

Maybe this was "highest" priority in Bugzilla, but it isn't really "Unbreak Now!", is it?

Tgr added a subscriber: Tgr.Jun 23 2015, 12:04 AM

Is this still top priority? If so, what exactly is needed to get it done?

mw.org has now 250 consumers and 16000 acceptances, so at least for acceptances we would need some sort of batching. Apart from that, just testing and actually doing the migration?

Yep, test the scripts again, then announce a date and run them.

Before SUL finalization, we weren't sure what to do if we had an acceptance on mw.org, but the meta account was owned by another user... all that fun stuff.

Change 222709 had a related patch set uploaded (by Gergő Tisza):
Small improvements to migration script

https://gerrit.wikimedia.org/r/222709

Tgr added a comment.Jul 3 2015, 9:53 PM

Tested locally, works fine. Since the OAuth tables don't exist at Meta, I don't think there is much point in testing - just do the migration and drop the table if it does not look good. Log migration errors could be more messy; what's a good test for that? Migrate to aawiki?

Should we start a discussion with stewards about handover, what features they are missing etc, or is that a later step that's independent of the migration?

Change 222709 merged by jenkins-bot:
Small improvements to migration script

https://gerrit.wikimedia.org/r/222709

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 24 2015, 8:36 AM
Qgil added a subscriber: Qgil.Jul 31 2015, 10:37 PM
Jay8g added a subscriber: Jay8g.Sep 4 2015, 2:00 AM
Tgr closed this task as Resolved.
Tgr claimed this task.

Migrated some time ago.

He7d3r added a comment.Jan 6 2016, 9:19 PM

@Tgr: Just for curiosity: can I check that by going to some Special page, or making some api call, or only looking at some line in the config files used for WMF wikis?

Tgr added a comment.Jan 6 2016, 9:50 PM

You can see it in the config files (the patch is in T108648). Not sure about the other two; you can check whether the consumer management special pages work, but that would not tell you which wiki is the right one, just whether the current one is it.

@Tgr: Just for curiosity: can I check that by going to some Special page, or making some api call, or only looking at some line in the config files used for WMF wikis?

Only the central wiki has Special:OAuthConsumerRegistration defined, so you can check for that. Otherwise as Tgr said, you can look at the config.

He7d3r added a comment.Jan 7 2016, 5:04 PM

Thank you both!