jenkins-bot has submitted this change and it was merged. Change subject: Add CentralAuth role ......................................................................
Add CentralAuth role This role installs the CentralAuth and AntiSpoof extensions and creates two additional wikis: login.wiki.local.wmftest.net is the login wiki and centralauthtest.wiki.local.wmftest.net is configured to show that logins work automatically across the wiki farm. Co-author: Bryan Davis <[email protected]> Bug: 52306 Change-Id: Ide7acba8cd6a223d38cb26b766a6d9482905c5fa --- M puppet/manifests/roles/antispam.pp A puppet/manifests/roles/antispoof.pp A puppet/manifests/roles/centralauth.pp M puppet/modules/multiwiki/templates/LoadWgConf.php.erb M puppet/modules/multiwiki/templates/dbConf.php.erb 5 files changed, 135 insertions(+), 5 deletions(-) Approvals: Ori.livneh: Looks good to me, approved jenkins-bot: Verified diff --git a/puppet/manifests/roles/antispam.pp b/puppet/manifests/roles/antispam.pp index 17b8953..338691f 100644 --- a/puppet/manifests/roles/antispam.pp +++ b/puppet/manifests/roles/antispam.pp @@ -2,14 +2,10 @@ # Installs and sets up AntiSpoof, AbuseFilter, and the SpamBlacklist extensions class role::antispam { include role::mediawiki - - mediawiki::extension { 'AntiSpoof': - needs_update => true, - } + include role::antispoof mediawiki::extension { 'AbuseFilter': needs_update => true, - require => Mediawiki::Extension['AntiSpoof'], settings => [ '$wgGroupPermissions["sysop"]["abusefilter-modify"] = true', '$wgGroupPermissions["*"]["abusefilter-log-detail"] = true', diff --git a/puppet/manifests/roles/antispoof.pp b/puppet/manifests/roles/antispoof.pp new file mode 100644 index 0000000..dd3e447 --- /dev/null +++ b/puppet/manifests/roles/antispoof.pp 
@@ -0,0 +1,17 @@
+# == Class: role::antispoof
+# Installs and sets up the AntiSpoof extension
+class role::antispoof {
+ include role::mediawiki
+
+ mediawiki::extension { 'AntiSpoof':
+ needs_update => true,
+ }
+
+ exec { 'populate spoofuser':
+ command => "php ${::role::mediawiki::dir}/extensions/AntiSpoof/maintenance/batchAntiSpoof.php",
+ refreshonly => true,
+ user => 'www-data',
+ require => Mediawiki::Extension['AntiSpoof'],
+ subscribe => Exec['update database'],
+ }
+}
diff --git a/puppet/manifests/roles/centralauth.pp b/puppet/manifests/roles/centralauth.pp
new file mode 100644
index 0000000..82dadde
--- /dev/null
+++ b/puppet/manifests/roles/centralauth.pp
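Review bot: The `populate spoofuser` exec in role::antispoof invokes `php` by bare name with no `path` attribute, so which binary runs depends on an `Exec` default or inherited search path that this change does not show. Because the command runs as `www-data` whenever `Exec['update database']` notifies it, I would pin the lookup, either by fully qualifying the interpreter or by adding an explicit attribute such as `path => ['/usr/bin', '/bin'],` (adjusted to where the binaries actually live). The same applies in centralauth.pp to the `Migrate Admin user to CentralAuth` exec (bare `php`) and the `populate ${wiki} spoofuser` exec (bare `mwscript`).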
@@ -0,0 +1,115 @@ +# == Class: role::centralauth +# This role installs the CentralAuth extension and creates two additional +# wikis. login.wiki.local.wmftest.net is the login wiki and +# centralauthtest.wiki.local.wmftest.net is configured to show that logins +# work automatically across the wiki farm. +# +class role::centralauth { + require ::role::mediawiki + include ::role::antispoof + include ::mysql + + $shared_db = 'centralauth' + $loginwiki = 'login' + $ca_common_settings = { + wgCentralAuthDatabase => $shared_db, + wgCentralAuthCookies => true, + wgCentralAuthCreateOnView => true, + wgCentralAuthLoginWiki => "${loginwiki}wiki", + wgCentralAuthSilentLogin => true, + wgCentralAuthUseOldAutoLogin => false, + wgCentralAuthAutoMigrate => true, + wgCentralAuthAutoNew => true, + wgSharedDB => $shared_db, + wgSharedTables => [ 'objectcache' ], + } + $ca_auth_settings = [ + '$wgGroupPermissions["sysop"]["centralauth-lock"] = true;', + '$wgGroupPermissions["bureaucrat"]["centralauth-oversight"] = true;', + '$wgGroupPermissions["bureaucrat"]["centralauth-unmerge"] = true;', + '$wgGroupPermissions["bureaucrat"]["centralauth-globalrename"] = true;', + ] + + mediawiki::extension { 'CentralAuth': + needs_update => true, + settings => $ca_common_settings, + } + + mediawiki::settings { 'CentralAuthPermissions': + values => $ca_auth_settings, + } + + mysql::db { $shared_db: + ensure => present, + } + + mysql::sql { 'Create shared objectcache': + sql => "CREATE TABLE ${shared_db}.objectcache LIKE ${::role::mysql::db_name}.objectcache;", + unless => "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = '${shared_db}' AND table_name = 'objectcache';", + require => Mysql::Db[$shared_db], + } + + mysql::sql { 'Create CentralAuth tables': + sql => "USE ${shared_db}; SOURCE ${::role::mediawiki::dir}/extensions/CentralAuth/central-auth.sql;", + unless => "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = '${shared_db}' AND table_name = 
'globalnames';", + require => [ + Mysql::Db[$shared_db], + Mediawiki::Extension['CentralAuth'] + ], + } + + mysql::sql { 'Create CentralAuth spoofuser table': + sql => "USE ${shared_db}; SOURCE ${::role::mediawiki::dir}/extensions/CentralAuth/AntiSpoof/patch-antispoof-global.mysql.sql;", + unless => "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = '${shared_db}' AND table_name = 'spoofuser';", + require => [ + Mysql::Db[$shared_db], + Mediawiki::Extension['CentralAuth'] + ], + } + + exec { 'Migrate Admin user to CentralAuth': + command => "php ${::role::mediawiki::dir}/extensions/CentralAuth/maintenance/migrateAccount.php --username Admin", + refreshonly => true, + user => 'www-data', + subscribe => Mysql::Sql['Create CentralAuth tables'], + require => [ + Multiwiki::Wiki[$loginwiki], + Multiwiki::Wiki['centralauthtest'], + ], + } + + multiwiki::wiki{ $loginwiki: } + multiwiki::wiki{ 'centralauthtest': } + + role::centralauth::setup_multiwiki { [$loginwiki, 'centralauthtest']: } +} + +# == Define: ::role::centralauth::setup_multiwiki +# Configure a multiwiki instance for CentralAuth. +# +define role::centralauth::setup_multiwiki { + $wiki = $title + $wikidb = "${wiki}wiki" + + # Add CentralAuth + multiwiki::extension { "${wiki}:CentralAuth": + needs_update => true, + settings => $::role::centralauth::ca_common_settings, + } + multiwiki::settings { "${wiki}:CentralAuthPermissions": + values => $::role::centralauth::ca_auth_settings, + } + + # Add AntiSpoof + multiwiki::extension { "${wiki}:AntiSpoof": + needs_update => true, + } + + exec { "populate ${wiki} spoofuser": + command => "mwscript extensions/AntiSpoof/maintenance/batchAntiSpoof.php --wiki ${wikidb}", + refreshonly => true, + user => 'www-data', + require => Multiwiki::Extension["${wiki}:AntiSpoof"], + subscribe => Exec["update ${wikidb} database"], + } +} 
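Review bot: `$ca_auth_settings` grants `centralauth-lock` to every local `sysop` and `centralauth-oversight`, `centralauth-unmerge` and `centralauth-globalrename` to every local `bureaucrat`, and `setup_multiwiki` applies the same list to each additional wiki, with nothing marking this as a development-only shortcut. These rights act on global accounts, so copying this block into a shared farm would let any local bureaucrat rename or unmerge accounts across all wikis. I would add a comment above the array, for example `# Dev-only: grants global-account rights to local groups; do not reuse on a shared wiki farm.` Separately, these strings end in `;` while the AbuseFilter settings visible in antispam.pp do not, so it is worth checking the generated settings file for doubled semicolons.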
diff --git a/puppet/modules/multiwiki/templates/LoadWgConf.php.erb b/puppet/modules/multiwiki/templates/LoadWgConf.php.erb index 0f173ed..664d319 100644 --- a/puppet/modules/multiwiki/templates/LoadWgConf.php.erb +++ b/puppet/modules/multiwiki/templates/LoadWgConf.php.erb @@ -1,6 +1,7 @@ <?php // This file is managed by Puppet. +$wgCentralAuthAutoLoginWikis = array( 'devwiki'=>'wiki' ); $wgLocalDatabases[] = 'wiki'; foreach ( glob( __DIR__ . '/*/dbConf.php' ) as $file) { include_once $file; diff --git a/puppet/modules/multiwiki/templates/dbConf.php.erb b/puppet/modules/multiwiki/templates/dbConf.php.erb index aeed9fa..cb3ce4d 100644 --- a/puppet/modules/multiwiki/templates/dbConf.php.erb +++ b/puppet/modules/multiwiki/templates/dbConf.php.erb @@ -2,3 +2,4 @@ // This file is managed by Puppet. $wgLocalDatabases[] = '<%= @wikidb %>'; +$wgCentralAuthAutoLoginWikis['<%= @wikidb %>']='<%= @wikidb %>'; -- To view, visit https://gerrit.wikimedia.org/r/133757 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ide7acba8cd6a223d38cb26b766a6d9482905c5fa Gerrit-PatchSet: 9 Gerrit-Project: mediawiki/vagrant Gerrit-Branch: master Gerrit-Owner: BryanDavis <[email protected]> Gerrit-Reviewer: Alex Monk <[email protected]> Gerrit-Reviewer: BryanDavis <[email protected]> Gerrit-Reviewer: CSteipp <[email protected]> Gerrit-Reviewer: Legoktm <[email protected]> Gerrit-Reviewer: MaxSem <[email protected]> Gerrit-Reviewer: Ori.livneh <[email protected]> Gerrit-Reviewer: Parent5446 <[email protected]> Gerrit-Reviewer: Reedy <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
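Review bot: `$wgCentralAuthAutoLoginWikis` is now written by the generic multiwiki templates, so every wiki created through `multiwiki` is enrolled in the auto-login set whether or not `role::centralauth` is enabled, and LoadWgConf.php.erb hard-codes `'devwiki'=>'wiki'` rather than taking it from template data. Membership in that list decides which wikis take part in cross-wiki login, so the template should at least say so, e.g. `// CentralAuth: every multiwiki is enrolled for auto-login; unused unless the CentralAuth extension is loaded.` The added line in dbConf.php.erb has the same coupling and interpolates `@wikidb` unescaped into a single-quoted PHP string, as the existing `$wgLocalDatabases[]` line already does. That is acceptable only while wiki names come from trusted manifests.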
