Closed
Bug 524080
Opened 12 years ago
Closed 11 years ago
Hg/SVN: Informative error for "login denied due to deactivation for inactivity"
Categories
(mozilla.org Graveyard :: Server Operations, task)
mozilla.org Graveyard
Server Operations
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gerv, Assigned: aravind)
References
Details
(Whiteboard: 02/28/2010)
[This request is for both Hg and SVN; let me know if you need a separate bug split out for SVN.] We want to deactivate unused contributor accounts. Several people have suggested this would be much more palatable if the error message they got when trying to log in was more informative than "login denied". Something like: "Account deactivated due to inactivity. Please file a bug at https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=Server%20Operations%3A%20Account%20Request&bug_severity=major to have it quickly reactivated." (Perhaps you could tinyURL that URL.) This bug requests that the necessary mechanisms to produce such an error be developed for SVN and for Hg. Gerv
Comment 1•12 years ago
|
||
pash could be modified to query LDAP for disabled accounts, I guess.
Assignee: nobody → server-ops
Component: Hg: Customizations → Server Operations
QA Contact: hg.customizations → mrz
Updated•12 years ago
|
Assignee: server-ops → aravind
Assignee | ||
Comment 2•12 years ago
|
||
How do we plan on de-activating accounts? Is someone going to sweep hg/svn/cvs and automate that somehow?
Reporter | ||
Comment 3•12 years ago
|
||
Yes :-) I've done that bit, although my script apparently needs work because it's not quite giving all the right answers yet. I'm sure I'll get it soon. Gerv
Updated•12 years ago
|
Component: Server Operations → Server Operations: Projects
Comment 4•12 years ago
|
||
arzhel/aravind - can you give an approximate ETA for this? This will help set some decisions in bug 524153.
Assignee | ||
Comment 5•12 years ago
|
||
I discussed this with Derek - we need to create a new attribute indicating account status in ldap and backfill existing accounts. We also have to fix the existing login scripts to look at this new attribute and grant/deny access accordingly. Jeremy has to fix devldap to add this new attribute (or reset it for disabled accounts). All this will probably take at least a few days (if that's all we are working on). But looking at my workload, I expect it to take at least a couple of weeks (or more) if I start working on it now.
Reporter | ||
Comment 6•12 years ago
|
||
Aravind: this confuses me; what you write suggests that currently there is no "account deactivation" mechanism. And yet accounts have been deactivated in the past, e.g. in bug 510511. Those people are still in LDAP, because dmoore's original list he sent me included them (by mistake). But they presumably can't log in. So how are those accounts marked as "deactivated"? Or have I misunderstood? Gerv
Assignee | ||
Comment 7•12 years ago
|
||
There is a mechanism to disable accounts, what we want is not to disable accounts. Folks could simply not be checking anything into any source control systems, but be active in other ways. For folks like that (and even in general), we don't want to disable their accounts. We need a way to disable only their subversion/mercurial accounts and leave the rest of their stuff intact. Also, when we do disable their source control access, we need a way to look at some flag that says this account was inactive and hence we disabled source control access - What I laid out above is a way to go about doing that.
Reporter | ||
Comment 8•12 years ago
|
||
OK, I get it now. Thank you :-) I guess I didn't realise that this work was required, otherwise I would have tried to get it scheduled while we were going through the long process of defining the list of accounts :-( Ah well. Gerv
Updated•12 years ago
|
Component: Server Operations: Projects → Server Operations
Whiteboard: 01/15/2010
Assignee | ||
Comment 9•11 years ago
|
||
@Gerv: starting to work on this, and had a question. How do you want to handle the case of someone having multiple scm system accounts (like say in svn and hg) and they happen to be active in one of them, but not the other? I am leaning towards treating them as independent objects and deactivating them independently as well.
Reporter | ||
Comment 10•11 years ago
|
||
Aravind: great to hear :-) Yes, I think the best thing to do is to treat the accounts independently. That's what I've been assuming in creating my lists. Gerv
Reporter | ||
Comment 11•11 years ago
|
||
Aravind: might you be able to give us a progress report? Thanks :-) Gerv
Assignee | ||
Comment 12•11 years ago
|
||
After looking at my options in ldap, I know how I want to implement this. Was going to work on it this week, should be ready in a couple of weeks (so.. shooting for the end of Feb seems reasonable to me).
Reporter | ||
Comment 13•11 years ago
|
||
Thanks :-) Let me know if you need anything from me (requirements, design etc.). Gerv
Whiteboard: 01/15/2010 → 02/28/2010
Assignee | ||
Comment 14•11 years ago
|
||
Okay, the scripts to detect and report inactive accounts are in place. I tested them as best as I could. Note that at this point, none of the accounts are disabled in ldap.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Product: mozilla.org → mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•