[Labs-l] Account process improvements (was: New-user experience on Wikimedia Labs)

Sun Dec 30 10:39:22 UTC 2012

On Sat, Dec 29, 2012 at 11:06 PM, Ori Livneh <ori at wikimedia.org> wrote:

> I'm glad many of these issues are resolved or on their way to getting
> resolved, but I worry that we're missing the bigger usability and security
> issue posed by having so many permission bits:
>
> Not everyone with a Gerrit account has a Labs account; not everyone with a
> Labs account has shell access; not everyone with shell access has access to
> bastion; not everyone with access to bastion has access to Labs instances;
> not everyone with access to Labs instances is a sysadmin; not every
> sysadmin is a netadmin, and not every netadmin gets to have a public IP.
>
> Some of the distinctions above have been identified as bugs and fixed, but
> I wonder if the distinctions could not be collapsed even further, so that
> new Labs users do not experience the process of getting set up with a
> comfortable development instance as a series of "gotchas". There are oodles
> of usability studies online that have reproduced what appears to be a
> universal truth: that hurdles and quirks in a site's on-boarding experience
> will frustrate users and drive them away.
>
>
Here's the current process and permissions:

1. User self-registers an account; this gives:
    - Gerrit access
    - Access to Labs wiki
    - Access to Hadoop?
    Bug 43370: automatically add a shell request at this step
2. A user requests for shell access (this step will be eliminated)
3. A shell request is granted by a wiki admin, this gives:
    - Access to be added to projects
    - Membership in the bastion project
    Without this step there's no way to stop troublesome users from
    getting accounts.
    Bug 43371: allow some non-admins to grant shell access
4. A user requests access to a project, or requests a new project
    If a project is created, that user is given membership, sysadmin
    and netadmin roles
    The current process for requesting access to projects is to ask a
    project owner. It's not easy to determine who a project owner is.
    Bug 43514: Create a request queue for project membership
    Bug 43515: List project sysadmin and netadmin users on
    project page

Outside of those steps there's also the need to upload an ssh key and learn
how to set up ssh properly. There's a usability issue here with needing to
upload the keys in two spots: <
http://code.google.com/p/gerrit/issues/detail?id=1124>.

Something we'll be doing to further simplify processes is to move the
content from wikitech.wikimedia.org into labsconsole's wiki. This
eliminates the creation of one more user account from our dev/ops
infrastructure.

Additionally, as time goes on we tie more web service authentication to
Labs' LDAP. I'd very much like to make labsconsole an OpenID provider so
that services in Labs can use the same authentication source. OpenID as a
provider on labsconsole is blocked by bugs 40068 and 40067.

If there's more ideas to fix the process, feedback is always appreciated.
I'd love some help with dev work in OpenStackManager or Gerrit to fix some
of the process issues, if you or any volunteers are willing to help.

- Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20121230/db5a4d30/attachment-0001.html>