[01:33:18] 10GitLab (Auth & Access), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen, 10cloud-services-team (Kanban): Create top level 'cloud' group on Gitlab - https://phabricator.wikimedia.org/T293741 (10brennen) 05Resolved→03In progress > What about us who have advanced access on WMCS but don... [01:39:44] 10GitLab (Auth & Access), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen, 10cloud-services-team (Kanban): Create top level 'cloud' group on Gitlab - https://phabricator.wikimedia.org/T293741 (10brennen) p:05Triage→03Medium [01:40:07] 10GitLab (Administration, Settings & Policy), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen: GitLab should not display ads for paid versions - https://phabricator.wikimedia.org/T295453 (10brennen) p:05Triage→03Medium [01:40:21] brennen: just curious, how often do I need to visit gitlab to keep my session alive? The frequency of 2fa prompts is a bit annoying. [01:40:53] bd808: you're most likely getting them because we did an upgrade earlier this week, unless you've logged in since then. [01:41:41] otherwise pretty sure it's the max permitted by idp.wikimedia.org (assuming "remember me" box is checked). [01:42:56] for clarity: sessions get dropped on restart. i'm not sure if we can a) store them somehow longer than that, or b) maybe do 0-downtime upgrades at least some of the time, but we should probably look into it. i know re-authing is annoying. [01:45:25] Gerrit sessions don't survive a restart either, but there's no 2fa there either. It's not a problem local to this project though for sure. [01:46:37] I honestly don't know what the duration at idp is, but I do feel that I auth to it every time I go to look at gitlab. But that is certainly not every day and probably less than once a week so far. [02:45:43] 10GitLab (Auth & Access), 10Release-Engineering-Team (Priority Backlog 📥): Create a top level wmde group on Gitlab - https://phabricator.wikimedia.org/T291388 (10brennen) 05In progress→03Resolved @Addshore I've added you as an owner of `people/wmde`, which as @thcipriani mentioned grants access to `repos/w... [06:00:13] since some gitlab groups now require 2fa, would it be possible to make it be aware of idp.wikimedia.org-level 2fa (yubikey) and not require a separate totp code on the gitlab side? [07:03:34] additionally, are there plans to sync group membership from puppet's admin module or ldap? [09:26:02] 10GitLab (Auth & Access), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen, 10cloud-services-team (Kanban): Create top level 'cloud' group on Gitlab - https://phabricator.wikimedia.org/T293741 (10aborrero) Thanks! I tried creating a subgroup: https://gitlab.wikimedia.org/repos/cloud/tool... [17:42:24] majavah: i *think* it would be possible to do 2fa at the idp level, but i'm not sure whether it would be possible to mandate it, or mandate it for only some groups. (our goal was to mandate it for people with access to sensitive things, but not necessarily for volunteers signing in for the first time or casual passers-by.) [17:43:49] re: syncing group membership, there are plans to sync people/wmf, people/wmde, and yet-to-be-created groups for nda and sre, i think. a small set of things. we have discussed with john bond and others, it's on the to-do list. [17:44:34] one note - gitlab does support u2f, so if you have a yubikey, the 2fa becomes somewhat less painful. [17:45:26] (a yubikey and browser support, but it seems to work just fine in at least firefox and chrome these days.) [18:44:33] 10GitLab (Auth & Access), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen, 10cloud-services-team (Kanban): Create top level 'cloud' group on Gitlab - https://phabricator.wikimedia.org/T293741 (10brennen) > Or is there some kind of inheritance from the parent group? One thing that's non-o... [18:56:29] 10GitLab (Auth & Access), 10Release-Engineering-Team (Done by Wed 24 Nov 🔥), 10User-brennen, 10cloud-services-team (Kanban): Create top level 'cloud' group on Gitlab - https://phabricator.wikimedia.org/T293741 (10brennen) (Added `people/volunteer-group-cloud-admin` as maintainers in the meanwhile.) [20:12:53] brennen: ok! I was wondering if we could sync the various levels of admin access on wmcs services from keystone/ldap to gitlab automatically [20:15:28] my answer to that is a resounding "maybe". :) [20:32:53] Where I can request groups? [20:33:42] Deus: file a ticket in https://phabricator.wikimedia.org/project/view/5554/ [20:33:57] K, thanks majavah! [20:45:46] 10GitLab (Auth & Access): Create subgroup for 'wikisp' - https://phabricator.wikimedia.org/T296110 (10Galahad)