Wikimedia Labs/Authentication improvement project
This page is obsolete. It is being retained for archival purposes. It may document extensions or features that are obsolete and/or no longer supported. Do not rely on the information here being up-to-date. This page covered some plans in 2012/2013. |
Current account creation process
[edit]- User self-registers an account; this gives:
- Gerrit access
- Access to Labs wiki
- Access to integration.wikimedia.org
- Access to Hadoop?
- A shell request is granted by a wiki admin, this gives:
- Access to be added to projects
- Bug 44172: Drop shell membership requirement for adding users to projects; continue requiring for netadmin or sysadmin access
- Membership in the bastion project
- Access to be added to projects
- A user requests access to a project, or requests a new project
- If a project is created, that user is given membership, sysadmin and netadmin roles
- The current process for requesting access to projects is to ask a project owner. It's not easy to determine who a project owner is.
- Bug 43514: Create a request queue for project membership
- Bug 44171: Combine queues with actions. For instance, add the ability to give shell to users from the shell request queue page, or add the ability for admins to create projects from the project creation queue page.
SSH key management
[edit]Outside of needing to get an account and access, there's also the need to upload an ssh key and learn how to set up ssh properly. There's a usability issue here with needing to upload the keys in two spots: gerrit upstream bug 1124.
Access responsiveness
[edit]Though everything is automated from an access point of view on the instances, some of these automated processes take longer than they should, or break occasionally. We can make these faster, more responsive and can monitor for broken processes:
- Bug 43526: invalidate the nscd group cache for all instances in a project when a user is added or removed
- Bug 43502: Need nagios alert for failures in authorized_keys creation script
- Bug 43309: Add nagios check to ensure global nfs shares are shared properly from labstore1-4
User renaming
[edit]It's currently impossible to rename users. Some users would like to switch their usernames and we allow it.
- Bug 45008: Add support for RenameUser hooks in LDAPAuthentication
- Bug 40061: Make it possible to rename users in Gerrit
OpenID as a provider
[edit]Bugs 9604, 47067, 46258, 44821Ā : As time goes on we want to tie more web service authentication to Labs' LDAP. It would be ideal to make labsconsole an OpenID provider so that services in Labs can use the same authentication source.
OpenID as a consumer of SUL
[edit]It would be ideal to be able to log into Wikitech with SUL. There's a number of engineering challenges for this:
- login.wikimedia.org needs to provide OpenID
- Keystone needs to support OAuth
- MediaWiki needs to support OAuth as a client
- OpenStackManager would need to link wikitech accounts with keystone accounts transparently using OAuth
- Two Factor Authentication (OATHAuth) would need to be displayed on a challenge screen after OpenID authentication, or when a required interface is accessed
- Wikitech would need to drop the use of LdapAuthentication for authentication, while still using it as a library for creating accounts, managing projects, service groups, etc..