Page MenuHomePhabricator
Create Task
Maniphest T101915

Move private wikis to a dedicated cluster
Closed, DeclinedPublic
Actions

Description

In talking through ways we could make extracting sensitive data from the cluster harder for an attacker, segmenting the data for private wikis seemed like a potential project.

The rough idea would be,

  • Move private wikis to a dedicated group of app servers, those app servers can hold a different set of db/cache credentials
  • Point private wikis at their own redis/memcache servers
  • Move private wikis to a new database cluster
  • Limit network connections to caching / db servers to the set of dedicated app servers

Joe thought the varnish setup to direct private wikis to their own app servers wouldn't be too difficult. @Springle, do you know roughly how much work setting up a new db cluster would be, if we decided to do this?

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT122375 Segment sensitive data within WMF cluster (tracking)
 DeclinedNoneT101915 Move private wikis to a dedicated cluster

Event Timeline

csteipp created this task.Jun 10 2015, 12:13 AM
csteipp raised the priority of this task from to Low.
csteipp updated the task description. (Show Details)
csteipp added a project: Security-Other.
csteipp added subscribers: csteipp, Springle.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 10 2015, 12:13 AM
Springle added a comment.Jun 10 2015, 12:22 AM

This would need a bit of downtime to migrate data, but in the order of hours, not days. Not especially difficult, and would slightly simplify the sanitarium/labs setup (though most of the complexity there is not the private wikis, which are easy to blanket-filter). +1

revi subscribed.Jun 10 2015, 8:21 AM
Krenair subscribed.Oct 27 2015, 2:20 PM

Would they be getting different code and deployer access too?

csteipp added a comment.Oct 27 2015, 5:01 PM
In T101915#1757274, @Krenair wrote:

Would they be getting different code and deployer access too?

Yes

Krenair added a comment.Oct 27 2015, 5:03 PM

So they'd also not be getting security patches at the same time as everything else

And you'd be breaking the ability to set some user rights on private wikis

And probably other things

Legoktm added a project: WMF-General-or-Unknown.Oct 27 2015, 5:03 PM
Legoktm set Security to None.
Legoktm subscribed.
Glaisher subscribed.Oct 27 2015, 5:08 PM
csteipp added a comment.Oct 27 2015, 6:07 PM

I haven't planned out the separation yet-- this was mostly a Task that I want to get to in Q3 or Q4 of this year.

I should have said, "it depends". It depends somewhat on how we design the whole thing, and if we have a decent secret management system in the cluster by the time we do this work.

If everything is as it currently is, then it would be best to deploy these wikis as separate deployers, or only have a subset of the deployers have access to the DB password to access the backend DB. Or we can put the secrets on the subset of machines that can access the separate DB cluster (preferably have access audited too), and let code deployments flow as normal, but those machines will have a different DB config.

csteipp added a comment.Oct 27 2015, 6:08 PM

But in general, deployers shouldn't have access to the data inside those wikis. And probably shouldn't be able to deploy security-patch style code changes to those app servers. Assuming I can convince Ops to give dedicated app servers to this, which has not been allocated.

Krenair added a comment.Oct 27 2015, 6:13 PM

I think you're going to have to get significant buy-in from RelEng, since it'll mean a lot of duplicated work, in some cases having to be done by different people.

Nemo_bis changed the task status from Open to Stalled.Dec 5 2015, 3:21 PM
Nemo_bis subscribed.

At this stage this seems a mere idea, tagging as stalled. If this happened to become a goal of the WMF then it would need a whole series of blockers in DBA, Deployments, #Community-Advocacy (to set up a new SRP system) and who knows how many others.

csteipp added a parent task: T122375: Segment sensitive data within WMF cluster (tracking).Dec 23 2015, 10:56 PM
Peachey88 subscribed.Jan 15 2016, 12:33 PM
Krenair added a comment.Mar 13 2016, 7:39 PM

What would be the requirements to be a deployer inside this separate cluster? Would it mean anything would be different for non-root volunteers?

MarcoAurelio subscribed.Jan 22 2017, 5:17 PM
Techguru.pc subscribed.Nov 22 2017, 11:12 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:16 AM
Aklapper removed a project: Security-Other.Nov 27 2019, 1:38 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Aklapper added a project: DBA.Nov 9 2020, 12:27 AM

Boldly tagging DBA to hopefully receive feedback if this task (and its parent task) is still a good and feasible idea nowadays, and if this task should still be stalled by definition ("If a report is waiting for further input (e.g. from its reporter or a specific third party) and can currently not be acted on") or should just be open with low priority instead. Thanks in advance for any input.

Marostegui moved this task from Triage to Meta/Epic on the DBA board.Nov 10 2020, 6:36 AM
Marostegui subscribed.

Unfortunately, what was said on 2015 (T101915#1351273) no longer applies.
This would be a complicate effort nowadays (see how difficult and risky is to move wikis from s3 to s5 (T226950)), and would require extra hardware as well.

Aklapper added a comment.Nov 19 2020, 9:50 AM

Thanks for the explanation! Does that mean this task should be declined? Or be open with lowest priority?
(Asking as tasks shouldn't have "stalled" status for unclear reasons for years.)

Marostegui added a comment.Nov 19 2020, 9:52 AM

I would go for the decline, I don't think we have such an amount of private wikis that could justify having more hardware just for them (with the same production specs). Not to mention the difficult and risk described earlier that the move itself would require.

Aklapper closed this task as Declined.Nov 20 2020, 8:05 AM

Thanks! Boldly declining.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL