
Set up Gerrit project owner group for MediaWiki core + WMF-deployed extensions
Closed, Resolved, Public

Description

Author: sumanah

Description:
https://gerrit.wikimedia.org/r/#admin,group,11 should contain all the people who will have the power to merge commits into the master branch of MediaWiki core, and into the master branch for each of our ~100 WMF-deployed MediaWiki extensions.

Right now we shall limit this to people who can deploy. The list is at https://gerrit.wikimedia.org/r/gitweb?p=operations/puppet.git;a=blob;f=manifests/admins.pp;h=2080ad4588963dc512543978936ac5367c8d1efd;hb=HEAD -- do a manual (Control-F) search for the lists under "admins::mortals" + "admins::roots".

Possible people to add include: Timo, Trevor Parscal.

The reason for gating this (right now) to those who have cluster access: these will be the people who fix it when something is screwed up.

Inactivity is a reasonable reason for removing people from this list, so if someone hasn't contributed in the last two months, feel free to remove them from this Gerrit project owner group as well.

I'll soon be publishing the decision procedure for removing people from this list and adding people to it, but for now this is our starter group.


Version: unspecified
Severity: normal

Details

Reference
bz35148

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 12:13 AM
bzimport added projects: Gerrit, platformeng.
bzimport set Reference to bz35148.
bzimport added a subscriber: Unknown Object (MLST).

sumanah wrote:

Assigning to Ryan Lane, to please take care of before March 21st.

I don't think this needs to be assigned to me, does it?

The mediawiki gerrit project contains mediawiki/core and all mediawiki extension repositories.

A group named mediawiki is allowed to do anything including:

  • push : pushing a commit straight to the repository, bypassing code review entirely
  • pushing merge commit : send a branch merge, bypassing code review entirely
  • push annotated tag : mark a commit, for example for release purposes

That group currently includes the members of LDAP groups 'ops' and 'wmf'. In addition, we have added volunteer Platonides, who is one of the core mediawiki hackers.

We probably want to refine the rights matrix. Bypassing code-review (push & 'pushing merge commit' rights) should be a privilege of only a very restricted group of people (ops / platform engineering).

We need an LDAP group to hold volunteers with MediaWiki review rights.

Following a discussion with Ryan, there is no point in adding volunteers or specific people in a new LDAP group. Since that group will only be used in Gerrit, we can just add them as exceptions in the Gerrit interface.

Removing Ryan from assignment.

We need to work on the access rights next week.

sumanah wrote:

We need to do this access rights work this week, so we have time to test

  • us adding people to this Gerrit project owner group, and verifying with three or four guinea pigs that they can merge code into the branch
  • us changing people's permissions
  • us removing people from groups and ensuring they can no longer merge code in

by Tuesday the 20th, so we can pull the switch on the 21st.

sumanah wrote:

Populating the groups:

The "mediawiki" Gerrit project owner group includes individuals as well as the LDAP-driven groups "wmf" https://gerrit.wikimedia.org/r/#admin,group,6 and "ops" https://gerrit.wikimedia.org/r/#admin,group,7 . I can add volunteers to the "mediawiki" Gerrit project owners list ("group") via the Gerrit user interface (click on "admin", click on "groups", and click on "mediawiki" and scroll down). I can add WMF developers ("wmf") via shell access on formey, by adding individuals to the wmf LDAP group. I cannot add individuals to the WMF operations ("ops") LDAP group; what is the procedure for ops people to get added to and removed from that LDAP group?

sumanah wrote:

People get added to the ops group by the Wikimedia Foundation operations team, and sometimes they are removed for inactivity or because they do not need it anymore. The list of "ops" LDAP group members will continue to live in "admins::roots" at https://gerrit.wikimedia.org/r/gitweb?p=operations/puppet.git;a=blob;f=manifests/admins.pp;h=2080ad4588963dc512543978936ac5367c8d1efd;hb=HEAD .

Not all Wikimedia Foundation software engineers will have merge powers for MediaWiki core, so instead of reusing the "wmf" LDAP group, we will use a new Gerrit group to contain WMFers who should have merge powers, or simply add them directly to the "mediawiki" Gerrit project owner group.

sumanah wrote:

I've now added nearly all the people who have cluster access to the relevant Gerrit project group. Just a few remain, mostly because they don't have Gerrit accounts yet.

Removing 'wmf' from the 'mediawiki' group probably makes it clearer as to who is allowed to merge.

I guess we can close this bug now :-)

This seems fixed. Permissions have been sorted (specifically, the harmful Push was removed), and all permissions are correct on mediawiki/* (assigned to 'mediawiki' and 'Project Owners').

This inherits to all extensions. We can add extra reviewer+merger folks on an extension-by-extension basis as needed (just add them to "Owner" on a given extension's refs/*)
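
An added example, not part of the thread or of Wikimedia's actual configuration: a small audit that reads access rules in Gerrit's `project.config` format and flags groups that can push straight to branch refs, the review bypass discussed above. The sample configs, the `ops` allowlist and all function names are constructed for illustration.

```python
import re

# Constructed sample in Gerrit's project.config format; group names are the
# ones mentioned in the thread, the rules themselves are assumptions.
BEFORE = """
[access "refs/heads/*"]
    push = group mediawiki
    pushMerge = group mediawiki
    label-Code-Review = -2..+2 group mediawiki
    submit = group mediawiki
[access "refs/for/refs/heads/*"]
    push = group Registered Users
"""
# Same config with direct push narrowed to one group and pushMerge dropped.
AFTER = BEFORE.replace("    push = group mediawiki\n", "    push = group ops\n") \
              .replace("    pushMerge = group mediawiki\n", "")

BYPASS = {"push", "pushMerge"}  # direct writes that skip review on a branch
SECTION = re.compile(r'^\[access\s+"([^"]+)"\]$')
RULE = re.compile(r'^([\w-]+)\s*=\s*(.*?)\s*group\s+(.+)$')


def covers_branches(ref):
    """True for patterns that match branch heads (not refs/for/* uploads)."""
    ref = ref.lstrip("^")
    return ref == "refs/*" or ref.startswith("refs/heads/")


def find_review_bypass(config_text, allowed_groups):
    """Return (ref, permission, group) grants that bypass review for a
    group outside allowed_groups. deny/block rules grant nothing."""
    findings, ref = [], None
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("["):
            m = SECTION.match(line)
            ref = m.group(1) if m else None
            continue
        m = RULE.match(line)
        if not m or ref is None or not covers_branches(ref):
            continue
        perm, action, group = m.groups()
        if perm in BYPASS and action.split()[:1] not in (["deny"], ["block"]) \
                and group not in allowed_groups:
            findings.append((ref, perm, group))
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, find_review_bypass(cfg, allowed_groups={"ops"}))
```

Uploads for review under `refs/for/*` are deliberately not flagged, since those changes still go through Code-Review before submit.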