
Add logout.d script for Gerrit
Closed, Declined (Public)

Description

cookbook sre.idm.logout logs out a user fleet-wide using logout.d scripts (the format is described in T283242). The cookbook currently supports

  • logout of a user via systemd-logind, which terminates all SSH and console sessions
  • A single-sign on logout in CAS

We should also support Gerrit: a logout script running on the main Gerrit host could query the username and then log out the user.

Event Timeline

MoritzMuehlenhoff added a subscriber: hashar.

We can disable an account over ssh with gerrit set-account --inactive or via the REST API https://gerrit.wikimedia.org/r/Documentation/rest-api-accounts.html#delete-active . That invalidates the web session and it does render the account inaccessible, @QChris / @dcausse implemented that in Gerrit a couple years ago.

The action requires the Modify Account capability. So we would need a specific maintenance user defined in LDAP that would be used by the cookbook; we can then add it to a custom group and grant it the capability. Then I guess it is all about issuing an HTTP request and handling the HTTP error code (200: deactivated, 409: already deactivated).

Change 705426 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:gerrit: Add logoutd script for gerrit

https://gerrit.wikimedia.org/r/705426

Adding this functionality goes a little beyond the scope of the logout.d scripts I think. Right now running these scripts is fully idempotent and every logout action really only log outs, while this would actually modify account state.

I think adding this functionality to the offboard-user script is the more logical step? In the default case it only drops NDA-relevant access, and in the default case we don't want to terminate the Gerrit account of a user (since they are warmly invited to contribute as part of the community), but there's the "--drop-all" option which is typically used for disabling a rogue user. If we add Gerrit account deactivation there, this seems like the more logical place? And in the future this (and other bits from the offboarding script) would be moved into modules of the IDM portal?

Adding this functionality goes a little beyond the scope of the logout.d scripts I think. Right now running these scripts is fully idempotent and every logout action really only log outs, while this would actually modify account state.

I definitely agree that this goes beyond the current scope; however, perhaps we should think about expanding the scope. From my PoV the time we will most likely use this script is when we have a potentially compromised account, e.g. a lost laptop. In this scenario we likely want to kill all logout sessions and disable the account. For SSO we would probably do this via LDAP (although we could also add it to the script). For things not in SSO I think it makes sense to also disable the account (or have an option to), assuming we can easily re-enable it at a later date with no loss of data and ideally using the same cookbook (with a -re-enable switch).

but there's the "--drop-all" option which is typically used for disabling a rogue user. If we add Gerrit account deactivation there, this seems like the more logical place? And in the future this (and other bits from the offboarding script) would be moved into modules of the IDM portal?

Agree, this seems like a good idea regardless of the above.
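The deactivation flow hashar sketches above (a maintenance account holding Modify Account, an authenticated REST DELETE on the account's active resource, 200 vs. 409 handling), written out as an added example that is not the patch from change 705426 nor anything from the puppet repo. The base URL, the maintenance user name, and the `fake_opener` used to exercise the status handling offline are all assumptions made here; Gerrit accepts the username directly as the account id.

```python
"""Deactivate a Gerrit account via REST: DELETE /a/accounts/{username}/active.

Added example, not the 705426 patch. Assumed: a maintenance account with the
Modify Account capability plus its HTTP password.
"""
import base64
import contextlib
import types
import urllib.error
import urllib.parse
import urllib.request


def build_request(base_url, username, maint_user, http_password):
    """Authenticated DELETE on the account's 'active' resource (/a/ = auth path)."""
    url = "%s/a/accounts/%s/active" % (
        base_url.rstrip("/"), urllib.parse.quote(username, safe=""))
    token = base64.b64encode(f"{maint_user}:{http_password}".encode()).decode()
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": "Basic " + token})


def classify(status):
    """Map the status as the comment above does: success = deactivated
    (Gerrit's docs give 204 No Content for this call; 200 is accepted too),
    409 = already inactive; anything else is an error the caller must surface."""
    if status in (200, 204):
        return "deactivated"
    if status == 409:
        return "already-inactive"
    return "error:%d" % status


def deactivate_account(base_url, username, maint_user, http_password,
                       opener=urllib.request.urlopen):
    """Send the request; 'opener' is injectable so the logic runs offline."""
    req = build_request(base_url, username, maint_user, http_password)
    try:
        with opener(req) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
        return classify(err.code)


def fake_opener(status):
    """Opener stand-in (no network): raises HTTPError for 4xx/5xx like urlopen."""
    def _open(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", {}, None)
        return contextlib.nullcontext(types.SimpleNamespace(status=status))
    return _open
```

Re-enabling an account later (the switch jbond asks for) is the mirror image, a PUT on the same resource, and is not shown here.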

jbond removed jbond as the assignee of this task. Nov 20 2023, 4:09 PM

Change 705426 abandoned by Hashar:

[operations/puppet@production] P:gerrit: Add logoutd script for gerrit

Reason:

Users are blocked in Gerrit via wikitech Special:Block which had some recent fixes as part of T307558.

https://gerrit.wikimedia.org/r/705426