Hello, Am Dienstag, 31. Januar 2017, 15:22:21 CET schrieb Christoph Wickert:
AFAIK Christian packaged everything we need to update MediaWiki to 1.27 and successfully runs the new version on his laptop already. What prevents us from updating? Do we already have a test machine in our infrastructure where interested wiki editors could play around?
Looks like you missed the Heroes meeting on Jan 8 ;-) - and reminds me that Theo promised to send meeting minutes ;-) I hope you have some time to read a longish mail ;-) We have a working test setup at en.test.opensuse.org [1]. It's basically working and completely setup with salt (except uploaded files and database content). However, it still misses some things, for example - authentification via Access Manager. Right now, you can use Special:PasswordReset to mail you a password and have to login at Special:login. The "usual" pretty login form doesn't work yet. The funny detail is that MediaWiki changed its authentification code completely, so we can a) rewrite our auth extension from scratch or b) switch to OpenID. - search - also a big change, from Lucene to ElasticSearch. Sarah will help me with this in the next days. - memcached (for storing session data) I looked into OpenID [2] today, and it started in some funny[tm] ways. First, I found out that removing the public IP from the test wiki VM (it's behind HAProxy now) broke the default route, with the result that our OpenID provider URL https://www.opensuse.org/openid/user/ can't be reached by the OpenID extension. Then I found out that outgoing requests are firewalled (allowed now, thanks Theo!) with the same result. Another funny lesson I learned is that the OpenID extension needs access to /dev/urandom, which was prevented by the PHP open_basedir setting. On the positive side, I learned that open_basedir allows to add the complete filename, so I didn't need to allow all of /dev/. After these challenges, the OpenID integration finally worked. However, after login I end up with a form [3] that allows to choose an username, which can be - an existing user (this will fail because our accounts don't have a password in the MediaWiki database) - the realname ("Christian Boltz"), also not what we want - an ugly auto-generated name like "OpenIDUser2") - any user-chosen name These options make sense for OpenID in general (if you allow logging in with various providers, it's a good idea to allow users to choose their username), but it doesn't make sense in our setup which only allows openSUSE accounts. It's possible to disable some of these via config options, but unfortunately there doesn't seem to be a way to enforce the username used in the Access Manager login in the OpenID extension :-( Also, I don't know how to restrict OpenID login to users who have verified their mail address. But hey, we learned that even spammers come with verified mail addresses nowadays, so maybe we shouldn't care too much about this detail ;-) Especially the option to choose a username that differs from the openSUSE login is a no-go, so I'm afraid we'll have to drop the idea of using OpenID to handle the login. (Nevertheless, the "wasted" time was worth it because I learned some things about OpenID.) Writing something on top of the PluggableAuth extension [4] might be an alternative. On a first look it looks promising and quite easy - I hope for less than 50 lines of custom code ;-) and can probably say more after actually testing this extension and writing the needed code. Needless to say that all these "little" things are probably bigger and more time consuming than they might look ;-) Besides that, a side goal is to do everything with Salt. This is of course a good idea and very nice on the long term, but on the short term it causes quite some delays [5] until we have everything in place. Packaging MediaWiki and the extensions [6] also took some time, but much less that learning salt ;-) If you are interested in more technical details: the packages are in OBS (home:cboltz:infra) and some openSUSE-specific files (like the openSUSE skin) are on github.com/cboltz/wiki Regards, Christian Boltz [1] I noticed that the *.opensuse.org SSL certificate doesn't match en.test.opensuse.org because of the additional dot, so maybe we'll change the domain name once more ;-) (probably to en-test.o.o) to avoid certificate warnings in the browser [2] https://www.mediawiki.org/wiki/Extension:OpenID [3] http://paste.opensuse.org/11130068 [4] https://www.mediawiki.org/wiki/Extension:PluggableAuth [5] I'm new to Salt, so it took some time to get started. Also, the usual thing happened - mysql-formula exploded when I touched it ;-) At the moment, I'm using mysql-formula with my fixes on top, and wait for an answer to my bugreports. [6] Packaging become funny[tm] if an extension needs to be installed via composer... --
Verschlüsselt auf diese Mailingliste? Das solltest Du mal kurz begründen. Vielleicht 'ne Gegenmaßnahme gegen die Datensammelwut von NSA und Co. Der Adressat kanns lesen und sonst weiß keiner, was drinsteht und wer gemeint ist. ;-) [> Johannes Diestelmann und Rolf Muth in opensuse-de]
-- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org