You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org

MariaDB/grants

From Wikitech-static
Jump to navigation Jump to search

This page provides a basic introduction on grants management in our production. Note that we are in the process of automation of the work so this might change a lot.

Gathering report

Before doing most of grants fixes. You need to collect the current state of grants. To do so. You need to run omg.py in cumin:

sudo python3 omg.py

It takes around an hour but it will provide you with a file (omg.json) on which the rest of scripts can be built.

Analyzing grants

Once you got the report, you can run the script that aggregates them to spot misc grants or grants that shouldn't be there.

Also if you update the file in people1003.eqiad.wmnet (in /home/ladsgroup/public_html/omg/omg.json), https://people.wikimedia.org/~ladsgroup/omg/ would automatically show you the new report.

Changing password of a db user

The general workflow of changing password follows as:

  1. Duplicate all grants everywhere into a new user with the new password.
  2. Make a patch in mediawiki private repo to use the new user and password and deploy it.
  3. Wait until reads fall over to the new user.
    1. For wikiuser, it'll take three minutes while for wikiadmin, it might take days and you probably need to restart maint scripts to pick up the new config.
  4. Drop the user from everywhere that uses it.
  5. Update mentions in puppet to the user (and use the new user)
  6. Deploy new querykiller with the new user.

For step 1 and 4, there are scripts you can use. Check omg repo.