User Details
- User Since: Oct 26 2015, 4:00 PM (464 w, 3 d)
- Roles: Administrator
- Availability: Available
- IRC Nick: Urbanecm
- LDAP User: Urbanecm
- MediaWiki User: Martin Urbanec
Thu, Sep 12
Tue, Sep 10
Adding to @Niharika's list, I think it would be useful to measure the following as well:
Sat, Sep 7
This appears to be somehow a duplicate of T334620: Create group for assigning checkuser-temporary-account right. @Dreamy_Jazz @kostajh, should those two tasks be merged?
Fri, Sep 6
Thu, Aug 29
Sat, Aug 24
Aug 18 2024
Aug 14 2024
Per @Aca's request:
Aug 9 2024
Done.
Aug 5 2024
Thanks! We'll review again and let you know :).
Aug 4 2024
Jul 29 2024
Jul 18 2024
FWIW, as I just noted on the Stewards noticeboard, the volume of requests is only higher temporarily. A backlog of about 2 months of data is currently being processed. Personally, I do not think we necessarily need to make any adaptations – as the volume of requests will go down once the backlog clears.
Jul 15 2024
I invited my fellow Stewards to test and comment on the task; there were no objections or similar. Resolving, as further feedback is not expected. If there is some last-time feedback from stewards, please ping me. Looking forward to the deployment!
Jul 14 2024
Jul 11 2024
[urbanecm@stewards1001 /srv/repos/users-db (master|u=)]$ git pull
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
Unpacking objects: 100% (3/3), 1.01 KiB | 259.00 KiB/s, done.
From https://gitlab.wikimedia.org/repos/stewards/users
 * [new branch] P66165 -> origin/P66165
Already up to date.
[urbanecm@stewards1001 /srv/repos/users-db (master|u=)]$
Jul 8 2024
Thanks! I pulled the new code that makes use of the new secret, and everything works in the same way as it does on my local:
Thanks! Verified the onboarder still works for GitLab:
Jul 6 2024
@Dzahn Can you help with updating the secret in private Puppet, please? Thanks in advance!
From the repository end of things, I can easily generate repository-specific credentials (either an HTTPS push token or an SSH key). After exploring for a bit, it is possible to include HTTPS credentials within a git clone command (something like git clone https://username:password@gitlab.wikimedia.org/repos/stewards/users.git works just fine). It also appears git::clone supports overriding the generated remote via the origin parameter. With those two things combined, we should be able to construct the full URL based on the secret from private Puppet, and clone the repository via HTTPS.
Reassigning for help with the Puppet part.
Reassigning to @Dzahn. Once the dry runs are available, happy to take over to review the diffs.
@Dzahn: I populated the users db with checkusers as well, so checkuser-l should now be ready for a dry run as well.
Jul 5 2024
This is now done, via https://gitlab.wikimedia.org/repos/stewards/users/, available at the stewards machine.
Coding-wise, this is now implemented (via @StewardsBot as the bot processing the changes). I set the system to only remove people from the security ACL (never add), as it requires MFA, and checking that would require Phabricator adminship for the bot. Maybe later :).
Hi @Volans, I see the group approval field was checked, but the WMF sponsor one is not checked. Is it possible for me (the group approver) to also act as the sponsor (in my WMF capacity)? Or do I need to secure an additional approval for the request?
Jul 4 2024
Unstalling, as the repo has been created.
@Dzahn: Can you please help with puppetizing the secret for Phabricator as well? Following the GitLab example, I uploaded https://gerrit.wikimedia.org/r/c/operations/puppet/+/1052185/, and put the secret at stewards1001:/home/urbanecm/phab_secret.txt. Thanks in advance!
Created as @StewardsBot.
Approved.
Jul 3 2024
Thanks!
Jul 1 2024
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$ python3 onboarder.py update
== Updating gitlab_group
INFO:root:Skipping urbanecm, their access level is not managed.
INFO:root:Removing urbanecmtest from repos/stewards, no longer authorised
== Updating ldap_group
== Updating mailman_list
[urbanecm@stewards1001 /srv/repos/onboarding-system (main|u=)]$
Jun 29 2024
@Dzahn Thank you! I tried following your instructions in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1050731, looks like it works. Review appreciated (but definitely can wait for Monday :)).
@Dzahn Can you help me with the secrets management here, please? I put the token at stewards1001:/home/urbanecm/gitlab_settings.yaml.
Putting on my radar :).
Jun 27 2024
@SLyngshede-WMF curious to hear what possibilities we have for automatically granting LDAP access from stewards1001? Would it be helpful if we generated a list of developer accounts somewhere in that machine? Or should we do something similar?
Jun 15 2024
Jun 10 2024
Jun 7 2024
Jun 6 2024
Here are my unstructured notes from playing with Special:IPContributions:
Jun 5 2024
May 24 2024
May 20 2024
Done
May 16 2024
Hi @Sebastian_Berlin-WMSE! FWIW, all people listed in acl*userdisable are able to disable user accounts via https://phab-ban.toolforge.org/. If that would be useful, I can add someone from WMSE (possibly you or Lokal_Profil?) to that group, and then you would be able to disable accounts on your own, without needing a task (you would need a task if you ever need to re-enable an account, but that should be a less common operation).
May 12 2024
This indeed is a site request (more than it is a maint script run), as it involves a config change deployment.
May 11 2024
Patch uploaded, should be deployed sometime next week.
Done. @Pppery, per your request, I ignored all subpages and talk pages. I also deleted the /2024 page before starting the move. Would you mind helping with the rest of the cleanup here, please?
Done.
In progress.
In progress :).
Apr 26 2024
Thanks for the quick fix @taavi!
Apr 23 2024
Problem is now resolved.
Apr 10 2024
An idea that originates from a recent-ish meeting with @Tchanders is introducing a temporary "IP addresses visible" mode, which would ensure all temporary accounts are resolved to an IP, which can be enabled from time to time (for a specific reason). Conceptually, this would be similar to Phabricator's high-security mode, which removes the need to enter an MFA token every time a sensitive action is taken. If this mode exists, it could help with the logging. It would be more similar to T346809 (except it would still be multipage, just not unlimited over time).
Apr 9 2024
Apr 8 2024
[urbanecm@stewards1001 ~]$ cat /etc/steward-onboarder/steward-onboarder.yaml
# SPDX-License-Identifier: Apache-2.0
config_paths:
  roles: /srv/repos/onboarding-system/config/roles.yaml
  users: /srv/repos/users-db/users.yaml