Wikimedia Labs/Authentication improvement project

Current account creation process

  1. User self-registers an account; this gives:
    • Gerrit access
    • Access to Labs wiki
    • Access to integration.wikimedia.org
    • Access to Hadoop?
    Bug 46175: Have a short link to the signup page
    Bug 46179: Allow a challenge stage during authentication (only display the token field to users using two-factor authentication)
  2. A shell request is granted by a wiki admin; this gives:
    • Access to be added to projects
      • Bug 44172: Drop shell membership requirement for adding users to projects; continue requiring for netadmin or sysadmin access
    • Membership in the bastion project
    Without this step there's no way to stop troublesome users from getting accounts.
    Bugs 44166, 44167, 44173: Rather than just giving bastion access, shell should give access to any projects listed as "Open-to-all projects"
  3. A user requests access to a project, or requests a new project
    If a project is created, that user is given membership plus the sysadmin and netadmin roles.
    The current process for requesting access to projects is to ask a project owner. It's not easy to determine who a project owner is.
    Bug 43514: Create a request queue for project membership
    Bug 44171: Combine queues with actions. For instance, add the ability to give shell to users from the shell request queue page, or add the ability for admins to create projects from the project creation queue page.

SSH key management


Beyond getting an account and access, a user also needs to upload an SSH key and learn how to set up SSH properly. There's a usability issue here: the key has to be uploaded in two places (Gerrit upstream bug 1124).

Access responsiveness


Though everything is automated from an access point of view on the instances, some of these automated processes take longer than they should, or break occasionally. We can make them faster and more responsive, and monitor for broken processes:

  • Bug 43526: invalidate the nscd group cache for all instances in a project when a user is added or removed
  • Bug 43502: Need nagios alert for failures in authorized_keys creation script
  • Bug 43309: Add nagios check to ensure global nfs shares are shared properly from labstore1-4
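An added example of the kind of monitoring bug 43502 asks for, written for this page and not taken from the Labs puppet code: a Nagios-style check that reports whether a generated authorized_keys file exists, contains at least one SSH public key, and has been regenerated recently enough. The file path, the maximum age, the key-prefix test and the sample key are all assumptions; the Nagios exit-code convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) is real.

```shell
#!/bin/sh
# Added example, not Wikimedia Labs code: a Nagios-style freshness check for an
# authorized_keys file that a periodic script is expected to regenerate.
# The path, the age limit and the key-format test are assumptions.

# Nagios plugin exit codes
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# file_age_seconds FILE -> prints the seconds since FILE was last modified
file_age_seconds() {
    # GNU stat uses -c %Y; BSD stat uses -f %m
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# check_authorized_keys FILE MAX_AGE_SECONDS
# Prints a one-line status message and returns a Nagios status code.
check_authorized_keys() {
    file=$1
    max_age=$2
    if [ ! -f "$file" ]; then
        echo "CRITICAL: $file does not exist (generation script never ran?)"
        return $CRITICAL
    fi
    # A file with no recognisable public-key line means the generator produced garbage
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$file"; then
        echo "CRITICAL: $file contains no SSH public keys"
        return $CRITICAL
    fi
    age=$(file_age_seconds "$file") || { echo "UNKNOWN: cannot stat $file"; return $UNKNOWN; }
    if [ "$age" -gt "$max_age" ]; then
        echo "WARNING: $file last regenerated ${age}s ago (limit ${max_age}s)"
        return $WARNING
    fi
    echo "OK: $file regenerated ${age}s ago, $(grep -c . "$file") key line(s)"
    return $OK
}

# Stand-alone demonstration against a constructed file (the key data is a placeholder)
if [ -z "${CHECK_AUTHKEYS_NO_DEMO:-}" ]; then
    demo=$(mktemp)
    echo "ssh-ed25519 AAAAEXAMPLEKEYDATA== placeholder@example" > "$demo"
    check_authorized_keys "$demo" 3600
    rm -f "$demo"
fi
```

In a real deployment the check would be pointed at the path the authorized_keys generation script writes to, with a maximum age a little longer than the script's run interval, so that a single missed run raises a warning rather than silently leaving a newly added user locked out.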

User renaming


It's currently impossible to rename users. Some users would like to switch their usernames and we allow it.

  • Bug 45008: Add support for RenameUser hooks in LDAPAuthentication
  • Bug 40061: Make it possible to rename users in Gerrit

OpenID as a provider


Bugs 9604, 47067, 46258, 44821: As time goes on we want to tie more web service authentication to Labs' LDAP. It would be ideal to make labsconsole an OpenID provider so that services in Labs can use the same authentication source.

OpenID as a consumer of SUL


It would be ideal to be able to log into Wikitech with SUL. There are a number of engineering challenges for this:

  1. login.wikimedia.org needs to provide OpenID
  2. Keystone needs to support OAuth
  3. MediaWiki needs to support OAuth as a client
  4. OpenStackManager would need to link wikitech accounts with keystone accounts transparently using OAuth
  5. Two Factor Authentication (OATHAuth) would need to be displayed on a challenge screen after OpenID authentication, or when a required interface is accessed
  6. Wikitech would need to drop the use of LdapAuthentication for authentication, while still using it as a library for creating accounts, managing projects, service groups, etc.