Page MenuHomePhabricator

Create password-authentication service for use by CentralAuth
Open, MediumPublic

Description

(Potential Security-Team goal for April-June 2016)

To make the WMF more resilient to compromise, move all password hashes for CentralAuth accounts out of the main centralauth database and into a database only accessible from a single authentication service.

The service will need to handle,

  • Password authentication
    • by implication, it will need to handle new account creation and password resets too
  • Creating and authenticating temporary / forgotten-password tokens
  • (possibly) tokens
  • (possibly) alerting on anomalous request behavior

The service should store password hashes in a format that is no weaker than they are currently stored in CentralAuth.

The service needs high availability (since it will be used for password logins, and possibly token logins)

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added subscribers: csteipp, dpatrick.

2-factor authentication would be part of this component?

2-factor authentication would be part of this component?

Two-factor authentication secrets should be stored in a more secure segment of the WMF's cluster (like this task is for password hashes), but this task is specifically about moving the password authentication pieces of CentralAuth into a more secure location. So a single sql injection can't be used to get everyone's password hashes.

Implementing 2FA for CentralAuth wikis in general is a separate task (and what the Security Team is doing next quarter instead of this).

csteipp set Security to None.

Pictures from our initial whiteboarding of the service, and some considerations for building it.

Overview:
IMG_20160509_135821.jpg (3×4 px, 5 MB)

(checklist of stuff to do) | (potential phases) | (dataflow) | COTS considerations

Checklist of Stuff to do (these should be made into tickets):

IMG_20160509_135739837.jpg (4×3 px, 3 MB)

  • COTS comparison
  • Language choice
  • Data store decision
  • Convert hash formats to strong formats

Phases (potential)

IMG_20160509_135736643.jpg (4×3 px, 2 MB)

Phase 1

  • Password Authentication via REST API
  • Ex:CentralAuth as initial consumer
  • TLS (server authenticated)
  • Swagger spec

Phase 2

  • MediaWiki Core as a consumer (for non SUL wikis as the WMF, 3rd party users)
  • OATH secret storage API
  • mutual TLS authentication

Dataflow diagrams

IMG_20160509_135728382.jpg (3×4 px, 2 MB)

IMG_20160509_135721782.jpg (3×4 px, 2 MB)

IMG_20160509_135828.jpg (3×4 px, 4 MB)

COTS Comparison

IMG_20160509_135712838.jpg (4×3 px, 2 MB)

  • API - simple / REST preferable
  • Hash and encrypt secrets
  • Easy operations with WMF expertise
  • FOSS
  • Multi-DC cluster, data management tools
  • Backups and Disaster Recovery
  • Easy Integration - time to integrate less than time to build
  • Secure transport (encryption, authentication of server, client authentication would be nice)

Notes from a meeting between @dpatrick, @csteipp , @Pchelolo and myself: https://docs.google.com/document/d/1-sNsDhJl1KCqOX9De5uTwFypnBaNOB_XzKo9Al8l4bI/edit

Action items:

  • Gabriel: Check what is needed to support legacy password types in node library
    • Consider using passport library, especially for later steps
  • Gabriel: Talk to ops about storage solutions and hardware
    • MySQL vs. Cassandra
    • 2-3 physical nodes per DC for redundancy and ease of firewalling
  • All: Coordinate via task, and make final call after getting a better handle on overall effort & timelines.

Tokens (user.user_token / globaluser.gu_auth_token) would probably also need to be moved as they are password-equivalent login methods. (see also T50698) Since we are also using them for session invalidation and a service would be too slow for that, that functionality probably needs to be split.

See T140813#2644463 for some considerations about password reset.