Hi all,
I have a MediaWiki instance running on WMCloud:
https://annotation.wmcloud.org/
Is there some recipe or instruction available somewhere on how to manage it?
More specifically, about a week ago, spammers discovered it. I would like to use WSOAuth and PluggableAuth or something similar in order to allow only logins by users with a Wikimedia account, and only allow edits by logged in users.
On a shorter notice, as a stop gap, I would like to disallow account creation by non-logged-in users and edits by non-logged in user, so I can at least stop new spam creation and clean up the existing one.
I am very confused by Puppet, have a rough idea what Vagrant is, and think I have a stable understanding of MediaWiki maintenance. Any help or pointers would be much appreciated.
Thank you! Denny
Hi Denny,
Have you seen https://www.mediawiki.org/wiki/Manual:Combating_spam or https://www.mediawiki.org/wiki/Manual:User_rights? You might be able to do something like `$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false;`
On Wed, 21 Apr 2021 at 18:59, Denny Vrandečić dvrandecic@wikimedia.org wrote:
Hi all,
I have a MediaWiki instance running on WMCloud:
https://annotation.wmcloud.org/
Is there some recipe or instruction available somewhere on how to manage it?
More specifically, about a week ago, spammers discovered it. I would like to use WSOAuth and PluggableAuth or something similar in order to allow only logins by users with a Wikimedia account, and only allow edits by logged in users.
On a shorter notice, as a stop gap, I would like to disallow account creation by non-logged-in users and edits by non-logged in user, so I can at least stop new spam creation and clean up the existing one.
I am very confused by Puppet, have a rough idea what Vagrant is, and think I have a stable understanding of MediaWiki maintenance. Any help or pointers would be much appreciated.
Thank you! Denny
Wikimedia Cloud Services mailing list Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org) https://lists.wikimedia.org/mailman/listinfo/cloud
Hi Alex,
thank you! Yes, you are absolutely right, that's what I would like to try - but what I don't understand is where and how do I edit the LocalSettings for a MediaWiki instance provisioned on WMCloud via Vagrant?
Thanks, Denny
On Wed, Apr 21, 2021 at 11:59 AM Alex Monk krenair@gmail.com wrote:
Hi Denny,
Have you seen https://www.mediawiki.org/wiki/Manual:Combating_spam or https://www.mediawiki.org/wiki/Manual:User_rights? You might be able to do something like `$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false;`
On Wed, Apr 21, 2021 at 1:05 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Hi Alex,
thank you! Yes, you are absolutely right, that's what I would like to try - but what I don't understand is where and how do I edit the LocalSettings for a MediaWiki instance provisioned on WMCloud via Vagrant?
https://www.mediawiki.org/wiki/MediaWiki-Vagrant#MediaWiki_settings
MediaWiki-Vagrant also has role::lockdown for the lockdown use case: https://github.com/wikimedia/mediawiki-vagrant/blob/master/puppet/modules/ro...
Gergo may be able to tell you how he has setup https://wikispore.wmflabs.org/wiki/Main_Page with OAuth for account registration. I have a hunch that is also possible by adding the correct mw-vagrant role and settings.
Bryan
Thank you so much, Bryan!
So I followed
https://wikitech.wikimedia.org/wiki/Help:Puppet
(which describes a slightly different UX than what I see, in particular, there is nothing to browse but just an edit window) to add
role::lockdown
to my Puppet file. But that seems to have no effect on the Annotation wiki.
Here are my puppet role files:
https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/maste...
and, trying to repeat it on the instance, here:
https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/maste...
But my Wiki hasn't changed.
Is there an additional step required after editing the role file in Horizon? When using vagrant, I would need to provision that - but the Help:Puppet page above doesn't mention anything like that.
Thanks for your help! Denny
On Wed, Apr 21, 2021 at 12:09 PM Bryan Davis bd808@wikimedia.org wrote:
On Wed, Apr 21, 2021 at 1:05 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Hi Alex,
thank you! Yes, you are absolutely right, that's what I would like to try - but what I don't understand is where and how do I edit the LocalSettings for a MediaWiki instance provisioned on WMCloud via Vagrant?
https://www.mediawiki.org/wiki/MediaWiki-Vagrant#MediaWiki_settings
MediaWiki-Vagrant also has role::lockdown for the lockdown use case:
https://github.com/wikimedia/mediawiki-vagrant/blob/master/puppet/modules/ro...
Gergo may be able to tell you how he has setup https://wikispore.wmflabs.org/wiki/Main_Page with OAuth for account registration. I have a hunch that is also possible by adding the correct mw-vagrant role and settings.
Bryan
Bryan Davis Technical Engagement Wikimedia Foundation Principal Software Engineer Boise, ID USA [[m:User:BDavis_(WMF)]] irc: bd808
I logged in to the instance, and ran puppet agent --test --verbose, and I get the following error message:
*Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find class role::lockdown for annotate-wiki.annotation.eqiad1.wikimedia.cloud on node annotate-wiki.annotation.eqiad1.wikimedia.cloud*
I also used codesearch to search for any other use of lockdown in the Puppet files, I am probably addressing the role wrong, but I couldn't find any other example of usage besides mine (and that's wrong)
On Wed, Apr 21, 2021 at 4:53 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Thank you so much, Bryan!
So I followed
https://wikitech.wikimedia.org/wiki/Help:Puppet
(which describes a slightly different UX than what I see, in particular, there is nothing to browse but just an edit window) to add
role::lockdown
to my Puppet file. But that seems to have no effect on the Annotation wiki.
Here are my puppet role files:
https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/maste...
and, trying to repeat it on the instance, here:
https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/maste...
But my Wiki hasn't changed.
Is there an additional step required after editing the role file in Horizon? When using vagrant, I would need to provision that - but the Help:Puppet page above doesn't mention anything like that.
Thanks for your help! Denny
Thanks for your patience. So I couldn't figure out how to do it from Horizon, so I ssh'ed to the instance and
vagrant roles enable lockdown
vagrant provision
and that seemed to have worked.
I don't know if that is the right way to do it, but hey, that's where I am.
Now I can go and delete the Spammers, and then I can try to figure out how to do the whole OAuth thing. Step-by-step.
Apologies for my frequent emails.
Thank you, Denny
On Wed, Apr 21, 2021 at 5:10 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
I logged in to the instance, and ran puppet agent --test --verbose, and I get the following error message:
*Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find class role::lockdown for annotate-wiki.annotation.eqiad1.wikimedia.cloud on node annotate-wiki.annotation.eqiad1.wikimedia.cloud*
I also used codesearch to search for any other use of lockdown in the Puppet files, I am probably addressing the role wrong, but I couldn't find any other example of usage besides mine (and that's wrong)
On Wed, Apr 21, 2021 at 6:53 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Thanks for your patience. So I couldn't figure out how to do it from Horizon, so I ssh'ed to the instance and
vagrant roles enable lockdown
vagrant provision
and that seemed to have worked.
This is the way. :)
I don't know if that is the right way to do it, but hey, that's where I am.
MediaWiki-Vagrant uses Puppet to manage software and configuration for the virtual machine (or LXC container) that it provisions. That Puppet is a different source tree and execution environment than the Puppet which is used to manage the software and configuration on the Cloud VPS instance itself. The user interface in Horizon manages configuration for the 'system' level Puppet process on the Cloud VPS instance. `vagrant roles` and `vagrant config` manage configuration for the 'guest' level Puppet process that is executed by `vagrant up` and `vagrant provision`.
Bryan
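One way to confirm that a lockdown like the one discussed above actually reached the wiki after `vagrant provision`, as an added example that is not part of the thread and not MediaWiki-Vagrant's own code. It reads the group/rights table that MediaWiki's `api.php` returns for `meta=siteinfo&siprop=usergroups`; the two responses below are constructed samples, and the `api.php` location passed to `fetch_usergroups` is an assumption about your wiki.

```python
import json
import urllib.request

# Rights the thread wants removed from anonymous visitors (the '*' group).
FORBIDDEN_FOR_ANON = ("edit", "createaccount")

# Constructed api.php responses (action=query&meta=siteinfo&siprop=usergroups),
# trimmed to the fields used here. BEFORE is an open wiki, AFTER a locked-down one.
BEFORE = json.loads("""
{"query": {"usergroups": [
  {"name": "*",     "rights": ["createaccount", "read", "edit", "createpage"]},
  {"name": "user",  "rights": ["read", "edit", "move", "upload"]},
  {"name": "sysop", "rights": ["block", "delete", "createaccount"]}
]}}
""")
AFTER = json.loads("""
{"query": {"usergroups": [
  {"name": "*",     "rights": ["read"]},
  {"name": "user",  "rights": ["read", "edit", "move", "upload"]},
  {"name": "sysop", "rights": ["block", "delete", "createaccount"]}
]}}
""")


def fetch_usergroups(api_url):
    """Fetch the live table; api_url is the wiki's api.php URL (assumed by the caller)."""
    url = api_url + "?action=query&meta=siteinfo&siprop=usergroups&format=json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def group_rights(response):
    """Map each group name to the set of rights granted to it."""
    return {g["name"]: set(g.get("rights", []))
            for g in response["query"]["usergroups"]}


def audit_lockdown(response, forbidden=FORBIDDEN_FOR_ANON):
    """Report which forbidden rights anonymous visitors still hold."""
    rights = group_rights(response)
    if "*" not in rights:
        raise ValueError("no '*' group in response; was siprop=usergroups requested?")
    anon_gaps = sorted(rights["*"] & set(forbidden))
    # Logged-in users hold everything granted to '*' plus the 'user' group's rights.
    user_rights = rights["*"] | rights.get("user", set())
    return {
        "anon_gaps": anon_gaps,
        "locked_down": not anon_gaps,
        # Guards against a lockdown so strict that nobody can edit any more.
        "users_can_edit": "edit" in user_rights,
        "account_creators": sorted(n for n, r in rights.items()
                                   if "createaccount" in r),
    }


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_lockdown(sample))
```
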
Hi Denny,
As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
If allowable, I would also suggest that you leverage the other global settings like title and spam blacklist, and global abusefilter.
[1] https://wikimania.wikimedia.org/w/index.php?title=Special:UserLogin&retu...
-- Billinghurst
------ Original Message ------ From: "Denny Vrandečić" dvrandecic@wikimedia.org To: "Cloud" cloud@lists.wikimedia.org Sent: 22/04/2021 3:59:12 AM Subject: [Cloud] Help with a MediaWiki instance on WMCloud - spammers
Hi all,
I have a MediaWiki instance running on WMCloud:
https://annotation.wmcloud.org/
Is there some recipe or instruction available somewhere on how to manage it?
More specifically, about a week ago, spammers discovered it. I would like to use WSOAuth and PluggableAuth or something similar in order to allow only logins by users with a Wikimedia account, and only allow edits by logged in users.
On a shorter notice, as a stop gap, I would like to disallow account creation by non-logged-in users and edits by non-logged in user, so I can at least stop new spam creation and clean up the existing one.
I am very confused by Puppet, have a rough idea what Vagrant is, and think I have a stable understanding of MediaWiki maintenance. Any help or pointers would be much appreciated.
Thank you! Denny
I would love to do the same! Can you point me to your configuration?
On Wed, Apr 21, 2021 at 9:03 PM billinghurst billinghurstwiki@gmail.com wrote:
Hi Denny,
As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
If allowable, I would also suggest that you leverage the other global settings like title and spam blacklist, and global abusefilter.
[1] https://wikimania.wikimedia.org/w/index.php?title=Special:UserLogin&retu...
-- Billinghurst
The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić dvrandecic@wikimedia.org wrote:
I would love to do the same! Can you point me to your configuration?
On Thu, Apr 22, 2021 at 3:46 PM Alex Monk krenair@gmail.com wrote:
The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić dvrandecic@wikimedia.org wrote:
I would love to do the same! Can you point me to your configuration?
On Wed, Apr 21, 2021 at 9:03 PM billinghurst billinghurstwiki@gmail.com wrote:
Hi Denny,
As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
I believe that the `wsoauth` role in MediaWiki-Vagrant can do what Denny is looking for. That role provisions https://www.mediawiki.org/wiki/Extension:WSOAuth and configures it to use a shared OAuth grant which works for local testing at a "http://dev.wiki.local.wmftest.net" host (https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5bea4fadd6824f6ebda). Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that contains the callback URL of the hosted wiki (<https://<something>.wmcloud.org/...>) and then add the OAuth key and secret values for the new grant to the local MediaWiki-Vagrant's hiera configuration. This might look something like:
$ vagrant roles enable wsoauth
$ vagrant hiera role::wsoauth::oauth_key "the key for the new grant"
$ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant"
$ vagrant provision
Bryan
Hi Bryan,
thank you for your patient explanations! They are very appreciated. Thank you also for approving my request for an OAuth application!
I still get an error message "Unable to initiate communication with OAuth provider", and I am trying different things, but so far a bit out of ideas.
The relevant log lines seem to be this, but I don't see anything useful here:
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
My guess is that somewhere one of the URLs for callbacks is wrong, I'll try that next, but in case I am barking up the wrong tree, I would appreciate hints! Thanks,
Denny
On Fri, Apr 23, 2021 at 9:03 AM Bryan Davis bd808@wikimedia.org wrote:
On Thu, Apr 22, 2021 at 3:46 PM Alex Monk krenair@gmail.com wrote:
The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić dvrandecic@wikimedia.org wrote:
I would love to do the same! Can you point me to your configuration?
On Wed, Apr 21, 2021 at 9:03 PM billinghurst <billinghurstwiki@gmail.com> wrote:
Hi Denny,
As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
I believe that the `wsoauth` role in MediaWiki-Vagrant can do what Denny is looking for. That role provisions https://www.mediawiki.org/wiki/Extension:WSOAuth and configures it to use a shared OAuth grant which works for local testing at a "http://dev.wiki.local.wmftest.net" host (https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5b...).
Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that contains the callback URL of the hosted wiki (<https://<something>.wmcloud.org/...>) and then add the OAuth key and secret values for the new grant to the local MediaWiki-Vagrant's hiera configuration. This might look something like:
$ vagrant roles enable wsoauth
$ vagrant hiera role::wsoauth::oauth_key "the key for the new grant"
$ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant"
$ vagrant provision
Bryan
The settings in 10-WSOAuth.php end as follows:
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";
and the OAuth settings on meta are as follows:
OAuth "callback URL": https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLoginA... consumer to specify a callback in requests and use "callback" URL above as a required prefix: No
Applicable grants: User identity verification only, no ability to read pages or act on a user's behalf.
I can see that meta states the callback URL with https and the settings without. Changing it in the settings doesn't seem to make a difference. I don't know if I can change it on Meta, or if I need to make a new application, but it doesn't look like the right solution anyway.
A bit unsure. Thanks! Denny
On Fri, Apr 23, 2021 at 2:50 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Hi Bryan,
thank you for your patient explanations! They are very appreciated. Thank you also for approving my request for an OAuth application!
I still get an error message "Unable to initiate communication with OAuth provider", and I am trying different things, but so far a bit out of ideas.
The relevant log lines seem to be this, but I don't see anything useful here:
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
My guess is that somewhere one of the URLs for callbacks is wrong, I'll try that next, but in case I am barking up the wrong tree, I would appreciate hints! Thanks,
Denny
On Fri, Apr 23, 2021 at 4:07 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
The settings in 10-WSOAuth.php end as follows:
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";
and the OAuth settings on meta are as follows:
OAuth "callback URL": https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLoginA... consumer to specify a callback in requests and use "callback" URL above as a required prefix: No
Applicable grants: User identity verification only, no ability to read pages or act on a user's behalf.
I can see that meta states the callback URL with https and the settings without. Changing it in the settings doesn't seem to make a difference. I don't know if I can change it on Meta, or if I need to make a new application, but it doesn't look like the right solution anyway.
Your `$wgOAuthRedirectUri` should use the https protocol, but I don't think this is your root problem. https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin says "No such special page" and https://annotation.wmcloud.org/wiki/Special:Version shows no extensions at all installed. Did you maybe miss the step of running `vagrant provision` after you set up the roles and hiera config?
Bryan
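The two checks made in the message above (redirect URI scheme versus the registered callback, and whether the extensions are loaded at all) can be scripted; this is an added example, not code from the thread or from WSOAuth. The settings text mirrors the `10-WSOAuth.php` lines quoted in the thread, while the registered callback value, the `siteinfo` responses, the extension names as the API reports them, and the exact-match-unless-prefix comparison rule are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample mirroring the settings quoted in the thread;
# "[token]" and "[secret]" are the thread's own placeholders.
SAMPLE_SETTINGS = """
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";
"""

# Assumed callback URL as registered for the OAuth consumer on meta.
REGISTERED_CALLBACK = ("https://annotation.wmcloud.org/w/index.php"
                       "?title=Special:PluggableAuthLogin")

# Constructed api.php responses for action=query&meta=siteinfo&siprop=extensions.
SITEINFO_NO_EXTENSIONS = {"query": {"extensions": []}}
SITEINFO_OK = {"query": {"extensions": [{"name": "PluggableAuth"},
                                        {"name": "WSOAuth"}]}}

REQUIRED_EXTENSIONS = ("PluggableAuth", "WSOAuth")
ASSIGNMENT = re.compile(r'^[ \t]*\$(wgOAuth\w+)[ \t]*=[ \t]*"([^"]*)"[ \t]*;',
                        re.MULTILINE)


def parse_settings(php_text):
    """Return {variable: value} for simple double-quoted string assignments."""
    return {name: value.strip() for name, value in ASSIGNMENT.findall(php_text)}


def compare_callback(redirect_uri, registered, prefix_allowed=False):
    """List the URL components where the configured redirect URI differs."""
    findings = []
    cfg, reg = urlsplit(redirect_uri), urlsplit(registered)
    if cfg.scheme != reg.scheme:
        findings.append(f"scheme: configured {cfg.scheme}, registered {reg.scheme}")
    if (cfg.hostname, cfg.port) != (reg.hostname, reg.port):
        findings.append(f"host: configured {cfg.netloc}, registered {reg.netloc}")
    if prefix_allowed:
        # Registered value is only a required prefix of the path and query.
        if not f"{cfg.path}?{cfg.query}".startswith(f"{reg.path}?{reg.query}"):
            findings.append("path/query: configured value lacks registered prefix")
    elif (cfg.path, parse_qs(cfg.query)) != (reg.path, parse_qs(reg.query)):
        findings.append("path/query: configured value differs from registered")
    return findings


def missing_extensions(siteinfo, required=REQUIRED_EXTENSIONS):
    """Return required extensions absent from the wiki's loaded-extension list."""
    loaded = {e.get("name") for e in siteinfo["query"]["extensions"]}
    return [name for name in required if name not in loaded]


def audit(settings_text, registered, siteinfo, prefix_allowed=False):
    """Run both checks and return human-readable findings (empty list = clean)."""
    settings = parse_settings(settings_text)
    findings = []
    redirect = settings.get("wgOAuthRedirectUri")
    if redirect is None:
        findings.append("$wgOAuthRedirectUri is not set")
    else:
        findings += compare_callback(redirect, registered, prefix_allowed)
    findings += [f"extension not loaded: {n}" for n in missing_extensions(siteinfo)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SETTINGS, REGISTERED_CALLBACK, SITEINFO_NO_EXTENSIONS):
        print(line)
```
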
Oh, sorry, I had it deprovisioned over the weekend, as it wouldn't allow for any logging in. It is enabled again.
On Sun, Apr 25, 2021 at 8:19 AM Bryan Davis bd808@wikimedia.org wrote:
On Fri, Apr 23, 2021 at 4:07 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
The settings in 10-WSOAuth.php end as follows:
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";
and the OAuth settings on meta are as follows:
OAuth "callback URL": https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLoginA... consumer to specify a callback in requests and use "callback" URL above as a required prefix: No
Applicable grants: User identity verification only, no ability to read pages or act on a user's behalf.
I can see that meta states the callback URL with https and the settings without. Changing it in the settings doesn't seem to make a difference. I don't know if I can change it on Meta, or if I need to make a new application, but it doesn't look like the right solution anyway.
Your `$wgOAuthRedirectUri` should use the https protocol, but I don't think this is your root problem. https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin says "No such special page" and https://annotation.wmcloud.org/wiki/Special:Version shows no extensions at all installed. Did you maybe miss the step of running `vagrant provision` after you set up the roles and hiera config?
Bryan