Check the permissions on the swift containers for the new private wikis
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Zabe
	Jun 18 2024, 12:13 AM

Description

Per https://wikitech.wikimedia.org/wiki/Add_a_wiki#IMPORTANT:_For_Private_Wikis before enabling local uploads for a private wiki, we need to check the permissions on the swift containers for the new wiki - see https://wikitech.wikimedia.org/wiki/Swift/How_To#Checking_/_Fixing_container_ACLs_for_private_wikis for details.

Could someone do this for the sysop_plwiki, arbcom_itwiki and u4cwiki wikis?

Related Objects
Search...

Status	Assigned	Task
Resolved	Zabe	T361041 Create wikipedia-pl-sysop.wikimedia.org (was: sysop-pl.wikipedia.org)
Resolved	Zabe	T363825 Create private wikipedia_it_arbcom wiki
Resolved	Zabe	T366649 Create an 'Universal Code of Conduct Coordinating Committee (U4C)' private wiki
Resolved	Ladsgroup	T367839 Check the permissions on the swift containers for the new private wikis

Event Timeline

Zabe created this task.Jun 18 2024, 12:13 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2024, 12:13 AM

Zabe added parent tasks: T361041: Create wikipedia-pl-sysop.wikimedia.org (was: sysop-pl.wikipedia.org), T363825: Create private wikipedia_it_arbcom wiki, T366649: Create an 'Universal Code of Conduct Coordinating Committee (U4C)' private wiki.Jun 18 2024, 12:14 AM

Have the swift containers been generated for these wikis? I can't find any obviously-matching ones.

...further to @Ladsgroup's comment elsewhere, if the intention is that these wikis all have local upload disabled, then that is the correct state and you're good to go. Probably the docs should be updated to reflect this :)

AramilFeraxa subscribed.Jun 19 2024, 4:22 PM

In T367839#9902539, @MatthewVernon wrote:

Have the swift containers been generated for these wikis? I can't find any obviously-matching ones.

According to https://wikitech.wikimedia.org/wiki/Add_a_wiki#Swift the containers should automatically be created on creation. I do not have the required access to check whether that worked.

In T367839#9902606, @MatthewVernon wrote:

...further to @Ladsgroup's comment elsewhere, if the intention is that these wikis all have local upload disabled, then that is the correct state and you're good to go. Probably the docs should be updated to reflect this :)

Superpes15 confirmed that they would like to get local uploads enabled for u4cwiki and arbcom_itwiki (T366649#9908085; T363825#9908084). So this task should be done for at least those two.

For sysop_plwiki it was at least mentioned that some folks do think it would be usefull. So doing this task for that wiki aswell in order to keep the posibility open sound like a good idea to me.

I can confirm that we (plwiki_sysops) also want to get local uploads enabled

Somehow setZoneAccess was not called or failed during wiki creation. I couldn't find any containers for sysop-pl but after I ran this in mwmaint, they showed up:

ladsgroup@mwmaint1002:~$ mwscript extensions/WikimediaMaintenance/filebackend/setZoneAccess.php --wiki=sysop_plwiki --private --backend local-multiwrite
Making sure mwstore://local-multiwrite/local-public exists...making 'mwstore://local-multiwrite/local-public' private...done.
Making sure mwstore://local-multiwrite/local-thumb exists...making 'mwstore://local-multiwrite/local-thumb' private...done.
Making sure mwstore://local-multiwrite/local-transcoded exists...making 'mwstore://local-multiwrite/local-transcoded' private...done.
Making sure mwstore://local-multiwrite/local-temp exists...making 'mwstore://local-multiwrite/local-temp' private...done.
Making sure mwstore://local-multiwrite/local-deleted exists...making 'mwstore://local-multiwrite/local-deleted' private...done.
Making sure mwstore://local-multiwrite/timeline-render exists...making 'mwstore://local-multiwrite/timeline-render' private...done.

Then:

root@ms-fe1009:~# swift list | grep sysop
wikipedia-sysop-pl-local-deleted
wikipedia-sysop-pl-local-public
wikipedia-sysop-pl-local-temp
wikipedia-sysop-pl-local-thumb
wikipedia-sysop-pl-local-transcoded
wikipedia-sysop-pl-timeline-render

And they are now private:

root@ms-fe1009:~# for i in $(swift list | grep wikipedia-sysop-pl) 
   do echo "$i:" 
   swift stat "$i" | grep "ACL"
done
wikipedia-sysop-pl-local-deleted:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-sysop-pl-local-public:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-sysop-pl-local-temp:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-sysop-pl-local-thumb:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-sysop-pl-local-transcoded:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-sysop-pl-timeline-render:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media

Compare it with Polish Wikipedia's container:

root@ms-fe1009:~# for i in $(swift list | grep wikipedia-pl) ;    do echo "$i:" ;    swift stat "$i" | grep "ACL"; done
wikipedia-pl-local-deleted:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-pl-local-public:
              Read ACL: mw:thumbor,mw:media,.r:*
             Write ACL: mw:thumbor,mw:media
wikipedia-pl-local-temp:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-pl-local-thumb:
              Read ACL: mw:thumbor,mw:media,.r:*
             Write ACL: mw:thumbor,mw:media
wikipedia-pl-local-transcoded:
              Read ACL: mw:thumbor,mw:media,.r:*
             Write ACL: mw:thumbor,mw:media
wikipedia-pl-timeline-render:
              Read ACL: mw:thumbor,mw:media,.r:*
             Write ACL: mw:thumbor,mw:media

I assume creating containers have been broken for ages, just the fact that new content wikis by default don't get file upload enabled caused this to go unnoticed. It's just that someone needs to run setZoneAccess.php afterwards (I honestly support removing it from addWiki.php and make it explicit checklist item similar to what is happening to search indexes). anyway. Let me run it for other wikis.

Before run:

root@ms-fe1009:~# swift list | grep u4c
root@ms-fe1009:~#

After run:

root@ms-fe1009:~# swift list | grep u4c
wikipedia-u4c-local-deleted
wikipedia-u4c-local-public
wikipedia-u4c-local-temp
wikipedia-u4c-local-thumb
wikipedia-u4c-local-transcoded
wikipedia-u4c-timeline-render

And they are private:

root@ms-fe1009:~# for i in $(swift list | grep wikipedia-u4c) ;    do echo "$i:" ;    swift stat "$i" | grep "ACL"; done
wikipedia-u4c-local-deleted:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-u4c-local-public:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-u4c-local-temp:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-u4c-local-thumb:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-u4c-local-transcoded:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-u4c-timeline-render:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media

Done for itwiki arbcom too:

root@ms-fe1009:~# for i in $(swift list | grep wikipedia-arbcom-it) ;    do echo "$i:" ;    swift stat "$i" | grep "ACL"; done
wikipedia-arbcom-it-local-deleted:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-arbcom-it-local-public:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-arbcom-it-local-temp:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-arbcom-it-local-thumb:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-arbcom-it-local-transcoded:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media
wikipedia-arbcom-it-timeline-render:
              Read ACL: mw:thumbor-private,mw:media
             Write ACL: mw:thumbor-private,mw:media

Ladsgroup closed this task as Resolved.Jun 20 2024, 6:24 PM

Ladsgroup claimed this task.

Check the permissions on the swift containers for the new private wikisClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Check the permissions on the swift containers for the new private wikis
Closed, ResolvedPublic
Actions

Related Objects
Search...