Page MenuHomePhabricator
Create Task
Maniphest T423687

Extract permission management from CentralAuthUser
Closed, ResolvedPublic
Actions

Description

Currently, the CentralAuthUser class stores information about the global groups that the user is member of, as well as data about the groups itself, i.e. what permissions they give and what wikisets they are active on. The latter is an additional responsibility, which should be extracted to a separate class, e.g. GlobalPermissionManager (or integrate into GlobalGroupLookup, but maybe not if the class will also check disabled groups).

The current setup makes it so that changes into a global group configuration (e.g., rights or wikiset) require invalidating caches for all users who are members of the changed group. Even though it's not that bad on itself (the largest global groups on Wikimedia are 1.5k and 3k members), that's still something that could be avoided.

Instead, we could have a separate service which is responsible for resolving rights for a global group, with its own cache that would be reused for all users (as group-rights mapping is universal). Such a separate service would make it also easier to implement the disabled global groups (in a separate task).

Acceptance criteria

  • CentralAuthUser is still responsible for listing global groups the user is member of.
  • Resolving groups into rights is done in a separate class.
  • There's no longer need to invalidate cache for all members of a global group if the group's properties (rights, wikiset) change.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
S:GlobalGroupPermissions: invalidate user cache only on group renamemediawiki/extensions/CentralAuthmaster+6 -6
Use GlobalPermissionManager for resolving global user rightsmediawiki/extensions/CentralAuthmaster+47 -60
Add cache layer to GlobalGroupManagermediawiki/extensions/CentralAuthmaster+127 -5
Add GlobalPermissionManager servicemediawiki/extensions/CentralAuthmaster+259 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

mszwarc created this task.Apr 17 2026, 10:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 17 2026, 10:27 AM
mszwarc added a parent task: T423686: Add support for disabled global groups.Apr 17 2026, 10:27 AM
mszwarc moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.
Dreamy_Jazz awarded a token.Apr 17 2026, 10:28 AM
mszwarc moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.Apr 20 2026, 8:05 AM
mszwarc created subtask T423855: Move permission management from SpecialGlobalGroupPermissions into GlobalGroupLookup.Apr 20 2026, 10:55 AM
gerritbot added a comment.Apr 24 2026, 11:22 AM

Change #1277074 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/CentralAuth@master] Add cache layer to GlobalGroupManager

https://gerrit.wikimedia.org/r/1277074

gerritbot added a project: Patch-For-Review.Apr 24 2026, 11:22 AM
gerritbot added a comment.Apr 24 2026, 1:05 PM

Change #1277093 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/CentralAuth@master] Add GlobalPermissionManager service

https://gerrit.wikimedia.org/r/1277093

gerritbot added a comment.Apr 27 2026, 1:31 AM

Change #1277074 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add cache layer to GlobalGroupManager

https://gerrit.wikimedia.org/r/1277074

gerritbot added a comment.Apr 27 2026, 1:31 AM

Change #1277093 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add GlobalPermissionManager service

https://gerrit.wikimedia.org/r/1277093

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.26; 2026-04-28).Apr 27 2026, 2:00 AM
Maintenance_bot removed a project: Patch-For-Review.Apr 27 2026, 2:30 AM
mszwarc closed this task as Resolved.Apr 27 2026, 10:17 AM
mszwarc reopened this task as In Progress.
mszwarc updated the task description. (Show Details)
mszwarc updated the task description. (Show Details)
mszwarc closed subtask T423855: Move permission management from SpecialGlobalGroupPermissions into GlobalGroupLookup as Resolved.
gerritbot added a comment.Apr 27 2026, 10:53 AM

Change #1277468 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/CentralAuth@master] Use GlobalPermissionManager for resolving global user rights

https://gerrit.wikimedia.org/r/1277468

gerritbot added a project: Patch-For-Review.Apr 27 2026, 10:53 AM

Change #1277469 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/CentralAuth@master] S:GlobalGroupPermissions invalidate user cache only on group rename

https://gerrit.wikimedia.org/r/1277469

mszwarc moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.Apr 27 2026, 10:56 AM
gerritbot added a comment.Apr 27 2026, 1:01 PM

Change #1277468 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Use GlobalPermissionManager for resolving global user rights

https://gerrit.wikimedia.org/r/1277468

gerritbot added a comment.Apr 27 2026, 1:01 PM

Change #1277469 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] S:GlobalGroupPermissions: invalidate user cache only on group rename

https://gerrit.wikimedia.org/r/1277469

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2026, 1:33 PM
mszwarc closed this task as Resolved.Apr 28 2026, 9:52 AM
mszwarc moved this task from Needs review to Done on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.
mszwarc updated the task description. (Show Details)
kostajh mentioned this in T424935: CentralAuth: Locked accounts can keep editing after lock is made.Apr 30 2026, 10:43 AM
kostajh mentioned this in T424936: Login is intermittently not persisting cross-wiki.Apr 30 2026, 11:47 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits