Maniphest T120484

Create password-authentication service for use by CentralAuth
Open, MediumPublic
Actions

Assigned To

None

Authored By

	• csteipp
	Dec 5 2015, 12:29 AM

Description

To make the WMF more resilient to compromise, move all password hashes for CentralAuth accounts out of the main centralauth database and into a database only accessible from a single authentication service.

The service will need to handle,

Password authentication
- by implication, it will need to handle new account creation and password resets too
Creating and authenticating temporary / forgotten-password tokens
(possibly) tokens
(possibly) alerting on anomalous request behavior

The service should store password hashes in a format that is no weaker than they are currently stored in CentralAuth.

The service needs high availability (since it will be used for password logins, and possibly token logins)

Anticipated load: https://grafana.wikimedia.org/dashboard/db/authentications (<50 minute)

Related Objects
Search...

Status	Assigned	Task
Open	None	T122375 Segment sensitive data within WMF cluster (tracking)
Duplicate	None	T140813 Protect sensitive user-related information with a UserData / auth / session service
Open	None	T120484 Create password-authentication service for use by CentralAuth
Declined	None	T88811 Develop use-cases & user stories for authnz service

Event Timeline

• csteipp created this task.Dec 5 2015, 12:29 AM

• csteipp raised the priority of this task from to Needs Triage.

• csteipp updated the task description. (Show Details)

• csteipp added projects: MediaWiki-extensions-CentralAuth, MediaWiki-Core-AuthManager, Security-Team.

• csteipp added subscribers: • csteipp, • dpatrick.

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 5 2015, 12:29 AM

2-factor authentication would be part of this component?

Krenair subscribed.Dec 5 2015, 1:05 AM

Billinghurst unsubscribed.Dec 14 2015, 10:58 AM

• csteipp added a parent task: T122375: Segment sensitive data within WMF cluster (tracking).Dec 23 2015, 10:57 PM

In T120484#1854644, @Billinghurst wrote:

2-factor authentication would be part of this component?

Two-factor authentication secrets should be stored in a more secure segment of the WMF's cluster (like this task is for password hashes), but this task is specifically about moving the password authentication pieces of CentralAuth into a more secure location. So a single sql injection can't be used to get everyone's password hashes.

Implementing 2FA for CentralAuth wikis in general is a separate task (and what the Security Team is doing next quarter instead of this).

• csteipp updated the task description. (Show Details)Dec 23 2015, 11:03 PM

• csteipp set Security to None.

Billinghurst unsubscribed.Dec 24 2015, 7:14 AM

• csteipp updated the task description. (Show Details)Mar 11 2016, 10:21 PM

• csteipp mentioned this in T130700: Create central OATHAuth table for CentralAuth wikis.Mar 23 2016, 5:30 PM

• csteipp moved this task from Incoming to Epics in progress on the Security-Team board.Apr 15 2016, 7:12 PM

Pictures from our initial whiteboarding of the service, and some considerations for building it.

Overview:

(checklist of stuff to do) | (potential phases) | (dataflow) | COTS considerations

Checklist of Stuff to do (these should be made into tickets):

IMG_20160509_135739837.jpg (4×3 px, 3 MB)

COTS comparison
Language choice
Data store decision
Convert hash formats to strong formats

Phases (potential)

IMG_20160509_135736643.jpg (4×3 px, 2 MB)

Phase 1

Password Authentication via REST API
Ex:CentralAuth as initial consumer
TLS (server authenticated)
Swagger spec

Phase 2

MediaWiki Core as a consumer (for non SUL wikis as the WMF, 3rd party users)
OATH secret storage API
mutual TLS authentication

Dataflow diagrams

IMG_20160509_135728382.jpg (3×4 px, 2 MB)

IMG_20160509_135721782.jpg (3×4 px, 2 MB)

COTS Comparison

IMG_20160509_135712838.jpg (4×3 px, 2 MB)

API - simple / REST preferable
Hash and encrypt secrets
Easy operations with WMF expertise
FOSS
Multi-DC cluster, data management tools
Backups and Disaster Recovery
Easy Integration - time to integrate less than time to build
Secure transport (encryption, authentication of server, client authentication would be nice)

• csteipp added a subscriber: • GWicke.May 20 2016, 10:43 PM

Notes from a meeting between @dpatrick, @csteipp , @Pchelolo and myself: https://docs.google.com/document/d/1-sNsDhJl1KCqOX9De5uTwFypnBaNOB_XzKo9Al8l4bI/edit

Action items:

Gabriel: Check what is needed to support legacy password types in node library
- Consider using passport library, especially for later steps
Gabriel: Talk to ops about storage solutions and hardware
- MySQL vs. Cassandra
- 2-3 physical nodes per DC for redundancy and ease of firewalling
All: Coordinate via task, and make final call after getting a better handle on overall effort & timelines.

• csteipp mentioned this in T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.May 26 2016, 10:02 PM

• GWicke added projects: Services-next, Services.May 26 2016, 11:07 PM

faidon subscribed.May 31 2016, 4:15 PM

• mobrovac subscribed.Jun 3 2016, 5:21 PM

• GWicke mentioned this in T137272: Create BagOStuff subclass for HTTP.Jun 8 2016, 4:08 PM

• GWicke mentioned this in T140813: Protect sensitive user-related information with a UserData / auth / session service.Jul 19 2016, 7:54 PM

• GWicke added a parent task: T140813: Protect sensitive user-related information with a UserData / auth / session service.

Here's a PR with a rough prototype of the API schema: https://github.com/wikimedia/authoid/pull/1

• RobLa-WMF subscribed.Jul 26 2016, 9:12 PM

@Pchelolo also set up a demo of the draft API spec at https://auth-service.wmflabs.org/wikimedia.org/v1/?doc.

bd808 mentioned this in T144712: Check for 2FA protection and enforce validation of 2FA tokens.Sep 5 2016, 5:35 AM

Tokens (user.user_token / globaluser.gu_auth_token) would probably also need to be moved as they are password-equivalent login methods. (see also T50698) Since we are also using them for session invalidation and a service would be too slow for that, that functionality probably needs to be split.

See T140813#2644463 for some considerations about password reset.

• GWicke edited projects, added Services (next); removed Services.Oct 12 2016, 3:59 PM

• GWicke triaged this task as Medium priority.Oct 12 2016, 6:01 PM

• GWicke edited projects, added Services (blocked); removed Services (next), Services-next.

• GWicke added a subtask: T88811: Develop use-cases & user stories for authnz service.Oct 12 2016, 7:58 PM

• GWicke merged a task: T84962: Authn and authz as a service.Oct 12 2016, 9:00 PM

• GWicke added subscribers: • demon, bd808, Parent5446.

Tgr mentioned this in T149003: TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords.Oct 25 2016, 12:37 AM

tstarling added a project: MediaWiki-Platform-Team-Archived.Mar 29 2017, 5:16 AM

tstarling moved this task from Inbox to Blocked on the MediaWiki-Platform-Team-Archived board.Apr 20 2017, 5:25 AM

Tgr mentioned this in T183420: Authentication data should not be available through the normal DB abstraction layer.Dec 20 2017, 9:23 PM

CCicalese_WMF moved this task from Blocked to Watching on the MediaWiki-Platform-Team-Archived board.Jan 9 2018, 2:52 AM