Wikimedia Labs/Authentication improvement project

Current account creation process

 * 1) User self-registers an account; this gives:
 * 2) * Gerrit access
 * 3) * Access to Labs wiki
 * 4) * Access to Hadoop?
 * Bug 43370: automatically add a shell request at this step
 * 1) A user requests for shell access (this step will be eliminated)
 * 2) A shell request is granted by a wiki admin, this gives:
 * 3) * Access to be added to projects
 * 4) * Membership in the bastion project
 * Without this step there's no way to stop troublesome users from getting accounts.
 * Bug 43371: allow some non-admins to grant shell access
 * 1) A user requests access to a project, or requests a new project
 * If a project is created, that user is given membership, sysadmin and netadmin roles
 * The current process for requesting access to projects is to ask a project owner. It's not easy to determine who a project owner is.
 * Bug 43514: Create a request queue for project membership
 * Bug 43515: List project sysadmin and netadmin users on project page

SSH key management
Outside of needing to get an account and access, there's also the need to upload an ssh key and learn how to set up ssh properly. There's a usability issue here with needing to upload the keys in two spots: gerrit upstream bug 1124.

Access responsiveness
Though everything is automated from an access point of view on the instances, some of these automated processes take longer than they should, or break occasionally. We can make these faster, more responsive and can monitor for broken processes:


 * Bug 43526: invalidate the nscd group cache for all instances in a project when a user is added or removed
 * Bug 43502: Need nagios alert for failures in authorized_keys creation script
 * Bug 43309: Add nagios check to ensure global nfs shares are shared properly from labstore1-4

Merge wikitech and labsconsole
Something we'll be doing to further simplify processes is to move the content from wikitech.wikimedia.org into labsconsole's wiki. This eliminates the creation of one more user account from our dev/ops infrastructure.

OpenID as a provider
As time goes on we want to tie more web service authentication to Labs' LDAP. It would be ideal to make labsconsole an OpenID provider so that services in Labs can use the same authentication source. OpenID as a provider on labsconsole is blocked by bugs 40068 and 40067.