User Details
- User Since
- Oct 26 2015, 4:00 PM (456 w, 4 d)
- Roles
- Administrator
- Availability
- Busy until Jul 28.
- IRC Nick
- Urbanecm
- LDAP User
- Urbanecm
- MediaWiki User
- Martin Urbanec [ Global Accounts ]
Thu, Jul 18
FWIW, as I just noted on the Stewards noticeboard, the volume of requests is only higher temporarily. A backlog of about 2 months of data is currently being processed. Personally, I do not think we necessarily need to make any adaptations – as the volume of requests will go down once the backlog clears.
Mon, Jul 15
I invited my fellow Stewards to test and comment on the task; there were no objections or similar. Resolving, as further feedback is not expected. If there is some last-time feedback from stewards, please ping me. Looking forward to the deployment!
Sun, Jul 14
Thu, Jul 11
[urbanecm@stewards1001 /srv/repos/users-db (master|u=)]$ git pull
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
Unpacking objects: 100% (3/3), 1.01 KiB | 259.00 KiB/s, done.
From https://gitlab.wikimedia.org/repos/stewards/users
 * [new branch] P66165 -> origin/P66165
Already up to date.
[urbanecm@stewards1001 /srv/repos/users-db (master|u=)]$
Mon, Jul 8
Thanks! I pulled the new code that makes use of the new secret, and everything works in the same way as it does on my local:
Thanks! Verified the onboarder still works for GitLab:
Sat, Jul 6
@Dzahn Can you help with updating the secret in private Puppet, please? Thanks in advance!
From the repository end of things, I can easily generate repository-specific credentials (either an HTTPS push token or an SSH key). After exploring for a bit, it is possible to include HTTPS credentials within a git clone command (something like git clone https://username:password@gitlab.wikimedia.org/repos/stewards/users.git works just fine). It also appears git::clone supports overriding the generated remote via the origin parameter. With those two things combined, we should be able to construct the full URL based on the secret from private Puppet, and clone the repository via HTTPS.
Reassigning for help with the Puppet part.
Reassigning to @Dzahn. Once the dry runs are available, happy to take over to review the diffs.
@Dzahn: I populated the users db with checkusers as well, so checkuser-l should now be ready for a dry run as well.
Fri, Jul 5
This is now done, via https://gitlab.wikimedia.org/repos/stewards/users/, available at the stewards machine.
Coding-wise, this is now implemented (via @StewardsBot as the bot processing the changes). I set the system to only remove people from the security ACL (never add), as it requires MFA, and checking that would require Phabricator adminship for the bot. Maybe later :).
Hi @Volans, I see the group approval field was checked, but the WMF sponsor one is not checked. Is it possible for me (the group approver) to also act as the sponsor (in my WMF capacity)? Or do I need to secure an additional approval for the request?
Thu, Jul 4
Unstalling, as the repo has been created.
@Dzahn: Can you please help with puppetizing the secret for Phabricator as well? Following the Gitlab example, I uploaded https://gerrit.wikimedia.org/r/c/operations/puppet/+/1052185/, and put the secret to stewards1001:/home/urbanecm/phab_secret.txt. Thanks in advance!
Created as @StewardsBot.
Approved.
Wed, Jul 3
Thanks!
Mon, Jul 1
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ python3 onboarder.py update
== Updating gitlab_group
INFO:root:Skipping urbanecm, their access level is not managed.
INFO:root:Removing urbanecmtest from repos/stewards, no longer authorised
== Updating ldap_group
== Updating mailman_list
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$
Sat, Jun 29
@Dzahn Thank you! I tried following your instructions in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1050731, looks like it works. Review appreciated (but definitely can wait for Monday :)).
@Dzahn Can you help me with the secrets management here, please? I put the token at stewards1001:/home/urbanecm/gitlab_settings.yaml.
Putting on my radar :).
Thu, Jun 27
@SLyngshede-WMF curious to hear what possibilities we have for automatically granting LDAP access from stewards1001? Would it be helpful if we generated a list of developer accounts somewhere in that machine? Or should we do something similar?
Jun 15 2024
Jun 10 2024
Jun 7 2024
Jun 6 2024
Here are my unstructured notes from playing with Special:IPContributions:
Jun 5 2024
May 24 2024
May 20 2024
Done
May 16 2024
Hi @Sebastian_Berlin-WMSE! FWIW, all people listed in acl*userdisable are able to disable user accounts via https://phab-ban.toolforge.org/. If that would be useful, I can add someone from WMSE (possibly you or Lokal_Profil?) to that group, and then you would be able to disable accounts on your own, without needing a task (you would need a task if you ever need to re-enable an account, but that should be a less common operation).
May 12 2024
This indeed is a site request (more than it is a maint script run), as it involves a config change deployment.
May 11 2024
Patch uploaded, should be deployed sometime next week.
Done. @Pppery, per your request, I ignored all subpages and talk pages. I also deleted the /2024 page before starting the move. Would you mind helping with the rest of the cleanup here, please?
Done.
In progress.
In progress :).
Apr 26 2024
Thanks for the quick fix @taavi!
Apr 23 2024
Problem is now resolved.
Apr 10 2024
An idea that originates from a recent-ish meeting with @Tchanders is introducing a temporary "IP addresses visible" mode, which would ensure all temporary accounts are resolved to an IP, which can be enabled from time to time (for a specific reason). Conceptually, this would be similar to Phabricator's high-security mode, which removes the need to enter an MFA token every time a sensitive action is taken. If this mode exists, it could help with the logging. It would be more similar to T346809 (except it would still be multipage, just not unlimited over time).
Apr 9 2024
Apr 8 2024
[urbanecm@stewards1001 ~]$ cat /etc/steward-onboarder/steward-onboarder.yaml
# SPDX-License-Identifier: Apache-2.0
config_paths:
  roles: /srv/repos/onboarding-system/config/roles.yaml
  users: /srv/repos/users-db/users.yaml
Apr 6 2024
Apr 3 2024
Apr 2 2024
We also need to move the list of users from ~urbanecm/config/users.yaml to a better location. Filed T361547 to track that. Also, we should create a more reasonable export path than somewhere in my home. Maybe /srv/exports?
Hi @Dzahn, do you have any thoughts on this, please?
Apr 1 2024
That sounds perfect to me @Dzahn! Thanks for the suggestion.
Mar 26 2024
Mar 23 2024
This was actually done AFAICS. Closing.
Move is in progress.
Mar 21 2024
Mar 18 2024
Should be done now. Sorry it took so long, and thank you for your patience.