Create dashboard to track key authentication metrics before, during and after AuthManager rollout
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	bd808
	Mar 5 2015, 9:48 PM

Description

The AuthManager project will be changing various implementation aspects of the user login and account creation flow. It will be very important to ensure that these changes are not causing regressions in the normal rate of successful logins and account creations across the Wikimedia projects.

Metrics to track:

Successful logins via Special:UserLogin
Successful logins via API action=login
Failed logins via Special:UserLogin
Failed logins via API action=login
Account creations via Special:Userlogin/signup
Account creations via API action=createaccount

Dashboard at https://grafana.wikimedia.org/#/dashboard/db/authentication-metrics

Details

Subject	Repo	Branch	Lines +/-
Enable authmetrics logging everywhere	operations/mediawiki-config	master	+1 -2
Log human-readable login status	mediawiki/core	master	+20 -2
Enable authmetrics logging on group0 wikis	operations/mediawiki-config	master	+1 -0
Add configuration for authmetrics logging	operations/mediawiki-config	master	+17 -0
Count log events in the authmanager channel	mediawiki/extensions/WikimediaEvents	master	+86 -0
Track key authentication metrics	mediawiki/core	master	+30 -1
Log event on captcha display/success/failure.	mediawiki/extensions/ConfirmEdit	master	+29 -2
Log auth-related wfTrack events to statsd	mediawiki/extensions/WikimediaEvents	master	+28 -0
Fire event on captcha display/success/failure.	mediawiki/extensions/ConfirmEdit	master	+22 -2
Track key authentication metrics	mediawiki/core	master	+25 -1
[WIP] Handler to count log events with a 'track-topic' key	mediawiki/core	master	+40 -0

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		• Deskana	T75616 Tracking: API/backend issues blocking Wikipedia app development
Resolved		Anomie	T32788 Allow triggering of user password reset email via the API
Open		None	T90925 General authentication improvements for MediaWiki
Resolved		Anomie	T48179 Allow a challenge stage during authentication
Open		None	T5709 Refactoring to make external authentication and identity systems easier
Resolved		Tgr	T43201 UserLoadFromSession considered evil
Resolved		Anomie	T67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
Open	Feature	None	T55156 Provide option to force a login session to end within a certain time
Open		None	T89459 Modernize MediaWiki authentication system (AuthManager)
Resolved		Tgr	T91701 Create dashboard to track key authentication metrics before, during and after AuthManager rollout
Resolved		bd808	T108091 Configure beta cluster to use labmon1001.eqiad.wmnet as statsd server
Resolved		Tgr	T108386 Kill MediaWiki.authmanager.login.*.failure.<number> statsd buckets
Open		None	T108414 Load API request count and latency data from Hadoop to a dashboard
Resolved		ArielGlenn	T108417 stat1002 access for tgr

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

bd808 raised the priority of this task from to Medium.Mar 5 2015, 9:48 PM

bd808 added projects: MediaWiki-Core-AuthManager, MediaWiki-Core-Team, Analytics.

bd808 added subscribers: Anomie, • csteipp, Legoktm and 2 others.

Adding captchas would be good:

Captcha presentation
Captcha solve
Captcha fail

We already log the last two, just not the first, iirc.

bd808 edited projects, added Reading-Infrastructure-Team-Old (Don't use); removed MediaWiki-Core-Team.Mar 24 2015, 11:18 PM

bd808 set Security to None.

@bd808

How are you planning on tracking this data? server side event logging? Other? I am asking as you probably want to have this instrumented and have a baseline before you start changing the user login.

• Nuria added subscribers: • kevinator, Milimetric.Mar 25 2015, 12:41 AM

@Nuria I think these will all be server side events, and yes we will want the logging in place before we start rolling out updates to the existing workflows to get a baseline measurement. Hopefully the team can get started on adding any missing instrumentation very early in Q4. Luckily @Tgr will be joining us; he has past experience with getting things instrumented properly that will come in very handy.

@bd808 Excellent, sounds that we are set here. One last comment: let's make sure that when we are thinking of reporting stats we report "relative" measures, like "the rate of failed logins versus successful logins" ( <failed logins> /<successful logins>) . Rates should not be subjected to fluctuation if we change sampling rates or we get a spike of login users due to some enwiki wide event for example.

bd808 moved this task from Backlog to Ready on the Reading-Infrastructure-Team-Old (Don't use) board.Mar 26 2015, 11:15 PM

Tgr claimed this task.Apr 3 2015, 7:50 PM

Tgr moved this task from Ready to In Dev/Progress on the Reading-Infrastructure-Team-Old (Don't use) board.Apr 3 2015, 7:55 PM

After a longish discussion on irc @ori suggested that the most direct path to instrumenting the code for these events is to use hooks and the WikimediaEvents extension. See https://github.com/wikimedia/mediawiki-extensions-WikimediaEvents/blob/master/WikimediaEventsHooks.php#L50-104 as an example.

bd808 mentioned this in T95356: Add event tracking queue to MediaWiki core for loose coupling with EventLogging or other interested consumers.Apr 7 2015, 9:59 PM

Successful logins via Special:UserLogin - LoginAuthenticateAudit hook (there is also UserLoginComplete but it overcounts a bit as it includes visting the login page through a returnto link while logged in)
Successful logins via API action=login () - as above
Failed logins via Special:UserLogin - LoginAuthenticateAudit hook is called for failed password authentication, but not in a number of other cases (e.g. wrong token, failed captcha)
Failed logins via API action=login - as above
Account creations via Special:Userlogin/signup - AddNewAccount hook for success, nothing for failure
Account creations via API action=createaccount - AddNewAccount hook for success, AddNewAccountApiResult for both
Captcha presentation (I'll assume this is only about login/registration captchas) - this is itself done in hooks so as far as I can see there is no way for another hook to spy on it
Captcha solve - as above
Captcha fail - as above

So it seems there are no hooks for a number of cases. Given the already messy state of MediaWiki hooks (cf. Requests for comment/Inventory hooks, assess need), I would rather not pile on any more. Probably better to do this on top of T95356.

Change 205864 had a related patch set uploaded (by Gergő Tisza):
Track key authentication metrics

https://gerrit.wikimedia.org/r/205864

Change 205865 had a related patch set uploaded (by Gergő Tisza):
Fire event on captcha display/success/failure.

https://gerrit.wikimedia.org/r/205865

Change 205869 had a related patch set uploaded (by Gergő Tisza):
Log auth-related wfTrack events to statsd

https://gerrit.wikimedia.org/r/205869

Tgr moved this task from In Dev/Progress to Needs Review/Feedback on the Reading-Infrastructure-Team-Old (Don't use) board.Apr 22 2015, 3:52 PM

Milimetric added a project: Analytics-Kanban.Apr 23 2015, 3:19 PM

• kevinator removed a project: Analytics-Kanban.May 4 2015, 5:30 PM

bd808 mentioned this in T102079: Metrics about the use of the Wikimedia web APIs.Jul 8 2015, 2:54 PM

• Tnegrin subscribed.Jul 18 2015, 4:20 PM

Do the proposed metrics help in finding out whether people are being successfully logged in on all wikis, or have to login separately many times?

We're still dealing with the fallout from SUL2, I must say I dread the next iteration. :(

Nemo_bis mentioned this in T89459: Modernize MediaWiki authentication system (AuthManager).Jul 18 2015, 6:13 PM

In T91701#1462303, @Nemo_bis wrote:

Do the proposed metrics help in finding out whether people are being successfully logged in on all wikis, or have to login separately many times?

The metrics we are concerned with are primarily about authentication attempts and their outcome (success/failure) as described in T91701#1212974. This would be indirectly related to CentralAuth but not directly attempting to measure if the SUL loginwiki interactions are successful in setting cross wiki cookies or not. The AuthStack replacement of AuthPlugin is a general MediaWiki feature change and not directly a CentralAuth or SUL related project.

This would be indirectly related to CentralAuth but not directly attempting to measure if the SUL loginwiki interactions are successful in setting cross wiki cookies or not.

Ok, but why and what's the expected meaning of those numbers? For instance, if autologin fails I'm forced to login manually and "Successful logins via Special:UserLogin" goes up, but that's a bad thing (wasted user time, frustrated users).

I can't identify a single metric among the proposed ones which would make us able to tell "ok, things are going well", other than utter catastrophes where an enormous amount of manual logins fail.

In T91701#1462482, @Nemo_bis wrote:

I can't identify a single metric among the proposed ones which would make us able to tell "ok, things are going well", other than utter catastrophes where an enormous amount of manual logins fail.

It doesn't have to be enormous, just significantly larger than the current rate of failures.

If things are going well, none of the metrics should change, given that this is not a user-facing change.

In T91701#1462303, @Nemo_bis wrote:

Do the proposed metrics help in finding out whether people are being successfully logged in on all wikis, or have to login separately many times?

Not as far as I can see. Maybe we should count loginwiki events and other wiki events under different keys.

Change 226666 had a related patch set uploaded (by Gergő Tisza):
[WIP] Handler to count log events with a 'track-topic' key

https://gerrit.wikimedia.org/r/226666

Change 226666 abandoned by Gergő Tisza:
[WIP] Handler to count log events with a 'track-topic' key

Reason:
In hindsight this is rather pointless - there is no advantage to adding a magic key to a log context over just calling stats->increment at the same place, and this cannot easily cover nontrivial key generation the way https://gerrit.wikimedia.org/r/#/c/205869/3/WikimediaEventsHooks.php does.

https://gerrit.wikimedia.org/r/226666

Change 226951 had a related patch set uploaded (by Gergő Tisza):
Log event on captcha display/success/failure.

https://gerrit.wikimedia.org/r/226951

Change 226955 had a related patch set uploaded (by Gergő Tisza):
Track key authentication metrics

https://gerrit.wikimedia.org/r/226955

Change 226956 had a related patch set uploaded (by Gergő Tisza):
Count log events in the authmanager channel

https://gerrit.wikimedia.org/r/226956

In T91701#1481860, @gerritbot wrote:

Change 226951 had a related patch set uploaded (by Gergő Tisza):
Log event on captcha display/success/failure.

https://gerrit.wikimedia.org/r/226951

What's the advantage over captcha.log?

In T91701#1481984, @Nemo_bis wrote:

What's the advantage over captcha.log?

Don't know, I'm not familiar with that one. The idea here is to pipe the log channel into statsd (instead of a file) so we can see changes in volume.

Change 205864 abandoned by Gergő Tisza:
Track key authentication metrics

Reason:
wfTrack has been abandoned

https://gerrit.wikimedia.org/r/205864

Change 205865 abandoned by Gergő Tisza:
Fire event on captcha display/success/failure.

Reason:
wfTrack has been abandoned

https://gerrit.wikimedia.org/r/205865

Change 205869 abandoned by Gergő Tisza:
Log auth-related wfTrack events to statsd

Reason:
wfTrack has been abandoned

https://gerrit.wikimedia.org/r/205869

Change 226955 merged by jenkins-bot:
Track key authentication metrics

https://gerrit.wikimedia.org/r/226955

Change 226951 merged by jenkins-bot:
Log event on captcha display/success/failure.

https://gerrit.wikimedia.org/r/226951

• Forrestbot added projects: WMF-deploy-2015-08-04_(1.26wmf17), MW-1.26-release.Jul 28 2015, 11:00 PM

Change 227630 had a related patch set uploaded (by Gergő Tisza):
Add configuration for authmetrics logging

https://gerrit.wikimedia.org/r/227630

Nemo_bis unsubscribed.Jul 29 2015, 9:04 AM

bd808 mentioned this in rMWe7020fdb22f3: Track key authentication metrics.Jul 30 2015, 10:14 PM

Tgr mentioned this in rMEXT853ee8e40aa5: Updated mediawiki/extensions Project: mediawiki/extensions/ConfirmEdit….Jul 30 2015, 10:16 PM

bd808 mentioned this in rECOEf8362450bb5e: Log event on captcha display/success/failure..Jul 30 2015, 10:17 PM

Change 226956 merged by jenkins-bot:
Count log events in the authmanager channel

https://gerrit.wikimedia.org/r/226956

bd808 mentioned this in rEWMV7b8d602e8e90: Count log events in the authmanager channel.Aug 3 2015, 9:24 PM

Tgr mentioned this in rMEXTc90d4f52bc39: Updated mediawiki/extensions Project: mediawiki/extensions/WikimediaEvents….Aug 3 2015, 9:24 PM

Change 227630 merged by jenkins-bot:
Add configuration for authmetrics logging

https://gerrit.wikimedia.org/r/227630

Tgr mentioned this in rOMWCdff8d66ebd59: Add configuration for authmetrics logging.Aug 4 2015, 3:16 PM

bd808 added a subtask: T108091: Configure beta cluster to use labmon1001.eqiad.wmnet as statsd server.Aug 5 2015, 7:42 PM

Tgr closed subtask T108091: Configure beta cluster to use labmon1001.eqiad.wmnet as statsd server as Resolved.Aug 6 2015, 2:01 AM

Change 229618 had a related patch set uploaded (by Gergő Tisza):
Enable authmetrics logging on group0 wikis

https://gerrit.wikimedia.org/r/229618

Change 229618 merged by jenkins-bot:
Enable authmetrics logging on group0 wikis

https://gerrit.wikimedia.org/r/229618

ori mentioned this in rOMWCcc0637d71143: Enable authmetrics logging on group0 wikis.Aug 6 2015, 11:16 PM

https://grafana.wikimedia.org/#/dashboard/db/authentication-metrics

Change 230034 had a related patch set uploaded (by Gergő Tisza):
Log human-readable login status

https://gerrit.wikimedia.org/r/230034

Change 230034 merged by jenkins-bot:
Log human-readable login status

https://gerrit.wikimedia.org/r/230034

bd808 mentioned this in rMW3fe06d774c56: Log human-readable login status.Aug 7 2015, 3:48 PM

• Forrestbot added a project: WMF-deploy-2015-08-11_(1.26wmf18).Aug 7 2015, 4:00 PM

Tgr added a subtask: T108414: Load API request count and latency data from Hadoop to a dashboard.Aug 8 2015, 12:42 AM

ori closed subtask T108386: Kill MediaWiki.authmanager.login.*.failure.<number> statsd buckets as Resolved.Aug 26 2015, 4:37 AM

bd808 moved this task from Backlog to AuthManager Backlog on the MediaWiki-Core-AuthManager board.Aug 26 2015, 5:36 PM

bd808 moved this task from AuthManager Backlog to AuthManager Needs Review on the MediaWiki-Core-AuthManager board.Aug 28 2015, 5:23 PM

Is there an estimate on when this will be setup for all wikis?

Uh, as soon as I don't forget about it... thanks for reminding :)

Change 238978 had a related patch set uploaded (by Gergő Tisza):
Enable authmetrics logging everywhere

https://gerrit.wikimedia.org/r/238978

Change 238978 merged by jenkins-bot:
Enable authmetrics logging everywhere

https://gerrit.wikimedia.org/r/238978

Tgr mentioned this in rOMWCef74f7a447d7: Enable authmetrics logging everywhere.Sep 17 2015, 11:39 PM

Now deployed everywhere. (The error ratio board is broken due to grafana #2484.)

Thanks Gergo!

Some interesting observations, completely unrelated to the task at hand:

there about 100x more captcha displays than captcha submit attempts (whether successful or not). Spambots? (They are almost all via web though.)
the ratio of successful and failed captcha attempts is about 1:1. That's rather poor. (Although again failures might be inflated by spambots.)
about 30% of logins result in a "user does not exist" error. That is surprisingly high.
API account creations have a huge failure ratio (about 10:1 - that's very high even when taking into account that it involves two "artificial" failures, for token and captcha); most of it seems attributable to session failures.

In T91701#1652055, @Tgr wrote:

Now deployed everywhere. (The error ratio board is broken due to grafana #2484.)

@Tgr should we make a task to track getting Grafana updated (bug is supposedly fixed upstream) and then close this task as done?

That would be cool although a big change (T108546#1627937). But I can probably just transclude the metrics to get two long and unreadable but correct ones. This task was left open for maybe adding latency to the dashboard, which depends on the api.log task and is probably saner to track separately.

In T91701#1695829, @Tgr wrote:

That would be cool although a big change (T108546#1627937). But I can probably just transclude the metrics to get two long and unreadable but correct ones. This task was left open for maybe adding latency to the dashboard, which depends on the api.log task and is probably saner to track separately.

I made a backport of the upstream patch to our pre-2.x version: P2144

@ori said he would do the needful to apply it to our Grafana.

The task for upgrading to Grafana 2 is T104738.

In T91701#1697467, @bd808 wrote:

I made a backport of the upstream patch to our pre-2.x version: P2144

@ori said he would do the needful to apply it to our Grafana.

The patch is applied and it has fixed the error rates panel of the dashboard:

Screen Shot 2015-10-02 at 17.28.35.png (256×331 px, 26 KB)

You may have to force reload to get the updated javascript if you have had grafana open since before the patch was applied and/or Varnish expired the js from its cache.

Is there anything left to do here?

Tgr closed this task as Resolved.Oct 27 2015, 11:49 PM

Beta version: http://grafana.wmflabs.org/dashboard/db/authentication-metrics (graphs are fragile, reloading a couple times helps)

After deploying the extensions updates (but not core SessionManager), no visible change:

Although "no visible change" seems to mean zero success rate. But manual account creation is rare on beta, so maybe that's legit?

Tgr mentioned this in T125184: Add account autocreation stats to the authmanager dashboard.Feb 11 2016, 12:53 AM

Anomie mentioned this in T246471: Login authevents should include the username.Mar 16 2020, 2:24 PM

Aklapper removed subscribers: • kevinator, Anomie.Oct 16 2020, 5:42 PM

	F2654654: Screen Shot 2015-10-02 at 17.28.35.png
	Oct 2 2015, 11:30 PM

	F3219944: authmanager-beta.png
	Jan 12 2016, 3:26 AM

Create dashboard to track key authentication metrics before, during and after AuthManager rolloutClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Create dashboard to track key authentication metrics before, during and after AuthManager rollout
Closed, ResolvedPublic
Actions

Related Objects
Search...