Maniphest T120484

Store CentralAuth password hashes outside the main database cluster
Open, MediumPublic
Actions

Assigned To

None

Authored By

	• csteipp
	Dec 5 2015, 12:29 AM

Description

Background

MediaWiki has a modular authentication component (AuthManager), for which the default implementation stores account credentials in the local database of that site. The password component is also configurable and flexible, allowing for smooth migration to ever better encryption algos as the industry standard evolves over time (e.g. T216682: Switch WMF production to Argon2 password hashes).

Today, the CentralAuth extension registers an AuthManager implementation that stores account credentials in a separate and centralised database instead.

This database (MySQL/MariaDB) is responsible for storing and retreiving password hashes. Validation of password hashes happens inside the MediaWiki password component, which means MediaWiki requires read access to this database.

Problem statement

If malicious code were to execute on the MediaWiki web servers, any of its databases could be read and leaked, including the separated centralauth database.

To make Wikimedia Foundation sites more resilient to compromise, we CentralAuth should validate submitted login credentials against the database, without the ability to batch-read the hashes themselves from the underlying database.

2015 Proposal

Original task description by @csteipp:

Move all password hashes for CentralAuth accounts out of the main centralauth database and into a database only accessible from a single authentication service.

The service will need to handle,

Password authentication

by implication, it will need to handle new account creation and password resets too

Creating and authenticating temporary / forgotten-password tokens

(possibly) tokens

(possibly) alerting on anomalous request behavior

The service should store password hashes in a format that is no weaker than they are currently stored in CentralAuth.

The service needs high availability (since it will be used for password logins, and possibly token logins)

Anticipated load: https://grafana.wikimedia.org/dashboard/db/authentications (<50 minute)

Related Objects
Search...

Status	Assigned	Task
Open	None	T122375 Segment sensitive data within WMF cluster (tracking)
Duplicate	None	T140813 Protect sensitive user-related information with a UserData / auth / session service
Open	None	T120484 Store CentralAuth password hashes outside the main database cluster
Declined	None	T88811 Develop use-cases & user stories for authnz service
Open	None	T391785 Introduce dedicated tables for CentralAuth passwords, emails and tokens

Event Timeline

• csteipp created this task.Dec 5 2015, 12:29 AM

• csteipp raised the priority of this task from to Needs Triage.

• csteipp updated the task description. (Show Details)

• csteipp added projects: MediaWiki-extensions-CentralAuth, MediaWiki-Core-AuthManager, Security-Team.

• csteipp added subscribers: • csteipp, • dpatrick.

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 5 2015, 12:29 AM

2-factor authentication would be part of this component?

Krenair subscribed.Dec 5 2015, 1:05 AM

Billinghurst unsubscribed.Dec 14 2015, 10:58 AM

• csteipp added a parent task: T122375: Segment sensitive data within WMF cluster (tracking).Dec 23 2015, 10:57 PM

In T120484#1854644, @Billinghurst wrote:

2-factor authentication would be part of this component?

Two-factor authentication secrets should be stored in a more secure segment of the WMF's cluster (like this task is for password hashes), but this task is specifically about moving the password authentication pieces of CentralAuth into a more secure location. So a single sql injection can't be used to get everyone's password hashes.

Implementing 2FA for CentralAuth wikis in general is a separate task (and what the Security Team is doing next quarter instead of this).

• csteipp updated the task description. (Show Details)Dec 23 2015, 11:03 PM

• csteipp set Security to None.

Billinghurst unsubscribed.Dec 24 2015, 7:14 AM

• csteipp updated the task description. (Show Details)Mar 11 2016, 10:21 PM

• csteipp mentioned this in T130700: Create central OATHAuth table for CentralAuth wikis.Mar 23 2016, 5:30 PM

• csteipp moved this task from Incoming to Epics in progress on the Security-Team board.Apr 15 2016, 7:12 PM

Pictures from our initial whiteboarding of the service, and some considerations for building it.

Overview:

(checklist of stuff to do) | (potential phases) | (dataflow) | COTS considerations

Checklist of Stuff to do (these should be made into tickets):

IMG_20160509_135739837.jpg (4×3 px, 3 MB)

COTS comparison
Language choice
Data store decision
Convert hash formats to strong formats

Phases (potential)

IMG_20160509_135736643.jpg (4×3 px, 2 MB)

Phase 1

Password Authentication via REST API
Ex:CentralAuth as initial consumer
TLS (server authenticated)
Swagger spec

Phase 2

MediaWiki Core as a consumer (for non SUL wikis as the WMF, 3rd party users)
OATH secret storage API
mutual TLS authentication

Dataflow diagrams

IMG_20160509_135728382.jpg (3×4 px, 2 MB)

IMG_20160509_135721782.jpg (3×4 px, 2 MB)

COTS Comparison

IMG_20160509_135712838.jpg (4×3 px, 2 MB)

API - simple / REST preferable
Hash and encrypt secrets
Easy operations with WMF expertise
FOSS
Multi-DC cluster, data management tools
Backups and Disaster Recovery
Easy Integration - time to integrate less than time to build
Secure transport (encryption, authentication of server, client authentication would be nice)

• csteipp added a subscriber: • GWicke.May 20 2016, 10:43 PM

Notes from a meeting between @dpatrick, @csteipp , @Pchelolo and myself: https://docs.google.com/document/d/1-sNsDhJl1KCqOX9De5uTwFypnBaNOB_XzKo9Al8l4bI/edit

Action items:

Gabriel: Check what is needed to support legacy password types in node library
- Consider using passport library, especially for later steps
Gabriel: Talk to ops about storage solutions and hardware
- MySQL vs. Cassandra
- 2-3 physical nodes per DC for redundancy and ease of firewalling
All: Coordinate via task, and make final call after getting a better handle on overall effort & timelines.

• csteipp mentioned this in T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.May 26 2016, 10:02 PM

• GWicke added projects: Services-next, Services.May 26 2016, 11:07 PM

faidon subscribed.May 31 2016, 4:15 PM

• mobrovac subscribed.Jun 3 2016, 5:21 PM

• GWicke mentioned this in T137272: Create BagOStuff subclass for HTTP.Jun 8 2016, 4:08 PM

• GWicke mentioned this in T140813: Protect sensitive user-related information with a UserData / auth / session service.Jul 19 2016, 7:54 PM

• GWicke added a parent task: T140813: Protect sensitive user-related information with a UserData / auth / session service.

Here's a PR with a rough prototype of the API schema: https://github.com/wikimedia/authoid/pull/1

• RobLa-WMF subscribed.Jul 26 2016, 9:12 PM

@Pchelolo also set up a demo of the draft API spec at https://auth-service.wmflabs.org/wikimedia.org/v1/?doc.

bd808 mentioned this in T144712: Check for 2FA protection and enforce validation of 2FA tokens.Sep 5 2016, 5:35 AM

Tokens (user.user_token / globaluser.gu_auth_token) would probably also need to be moved as they are password-equivalent login methods. (see also T50698) Since we are also using them for session invalidation and a service would be too slow for that, that functionality probably needs to be split.

See T140813#2644463 for some considerations about password reset.

• GWicke edited projects, added Services (next); removed Services.Oct 12 2016, 3:59 PM

• GWicke triaged this task as Medium priority.Oct 12 2016, 6:01 PM

• GWicke edited projects, added Services (blocked); removed Services (next), Services-next.

• GWicke added a subtask: T88811: Develop use-cases & user stories for authnz service.Oct 12 2016, 7:58 PM

• GWicke merged a task: T84962: Authn and authz as a service.Oct 12 2016, 9:00 PM

• GWicke added subscribers: • demon, bd808, Parent5446.

Tgr mentioned this in T149003: TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords.Oct 25 2016, 12:37 AM

tstarling added a project: MediaWiki-Platform-Team-Archived.Mar 29 2017, 5:16 AM

tstarling moved this task from Inbox to Blocked on the MediaWiki-Platform-Team-Archived board.Apr 20 2017, 5:25 AM

Tgr mentioned this in T183420: Authentication data should not be available through the normal DB abstraction layer.Dec 20 2017, 9:23 PM

• CCicalese_WMF moved this task from Blocked to Watching on the MediaWiki-Platform-Team-Archived board.Jan 9 2018, 2:52 AM

• CCicalese_WMF edited projects, added Core-Platform-Team-Old; removed MediaWiki-Platform-Team-Archived.Jul 12 2018, 12:26 AM

• CCicalese_WMF moved this task from Inbox to Watching on the Core-Platform-Team-Old board.Jul 12 2018, 12:28 AM

• chasemp edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 3:44 PM

• CCicalese_WMF edited projects, added Platform Team Legacy (Watching / External); removed Core-Platform-Team-Old.Oct 1 2018, 4:50 PM

• mobrovac added a project: Platform Team Workboards (Blocked Externally).Dec 20 2018, 12:47 PM

• demon unsubscribed.Feb 19 2019, 10:38 AM

• mobrovac edited projects, added Services (later), Platform Team Legacy (Later); removed Platform Team Workboards (Blocked Externally), Platform Team Legacy (Watching / External), Services (blocked).Mar 14 2019, 12:38 AM

• chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM

• chasemp moved this task from Epics in progress to Back Orders on the Security-Team board.

Reedy removed projects: Security-Team, Platform Team Legacy (Later), Services (later).Sep 2 2021, 4:50 PM

Reedy removed subscribers: • RobLa-WMF, • GWicke, • dpatrick.

Tgr closed subtask T88811: Develop use-cases & user stories for authnz service as Declined.Sep 2 2023, 6:11 AM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 2 2023, 6:11 AM

Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Sep 2 2023, 2:05 PM

• larissagaulia moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Sep 4 2023, 11:51 AM

• larissagaulia edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.

Tgr mentioned this in T348388: SUL3: Use a dedicated domain for login and account creation.Oct 7 2023, 11:39 PM

Bugreporter mentioned this in T352823: Split user table to multiple tables.Dec 6 2023, 3:22 PM

Reedy updated the task description. (Show Details)Jan 4 2024, 10:31 AM

Reedy removed subscribers: • mobrovac, • Pchelolo.

Bugreporter mentioned this in T363695: Create a Wikimedia login domain that can be served by any wiki.Apr 29 2024, 4:26 PM

Bugreporter mentioned this in T375441: Store expiry date and status of temporary account in database.Sep 25 2024, 1:26 PM

Bugreporter mentioned this in T373737: Disable irrelevant extensions on SUL3 login domain.Feb 5 2025, 2:13 AM

Bugreporter mentioned this in T391270: Determine CentralAuth SUL3 defaults.Apr 8 2025, 6:42 AM

PixDeVl subscribed.Apr 8 2025, 3:23 PM

Krinkle renamed this task from Create password-authentication service for use by CentralAuth to Store CentralAuth password hashes outside the main database cluster.Apr 8 2025, 5:24 PM

Krinkle updated the task description. (Show Details)

Krinkle subscribed.

Note: the new task description focuses on moving user passwords to a dedicated database cluster, which would be something overlapped (either can be considered a subtask of, or a CentralAuth equalvent of) with T183420: Authentication data should not be available through the normal DB abstraction layer.

The current shared auth domain contains (or will soon contain) three different functionalities, all implemented as part of MediaWiki core or extension:

A "session" app which stores user session - local wiki will use it for autologin.
A "auth" app to handle password login (and 2FA), similar to https://idp.wikimedia.org/login (note this part is not relevant to temporary users since they have no password).
A "credential management" app to handle change of credential (password and 2FA setting).

There is proposal mentioned in T348388: SUL3: Use a dedicated domain for login and account creation (the version before December 6, 2024 is archived at T348388#10555811) that may take a step further than this. That may propose introduce 2-3 new web apps (or one app with 2-3 features) that may completely replace the current CentralAuth-based implementation.

Bugreporter mentioned this in T391784: Gradually isolate mediawiki authentication code and infrastructure.Apr 13 2025, 9:59 PM

Daimona subscribed.Apr 14 2025, 5:55 PM

@Bugreporter The task objective has not changed, which is to store passwords outside the reach of the main mediawiki database credentals. Previously, it specified one specific solution (build a new service) on the assumption all parties involved know the problem/motiviation. I've clarified the description to state that problem.

In T120484#10724394, @Bugreporter wrote:

Note: the new task description focuses on moving user passwords to a dedicated database cluster, which would be something overlapped (either can be considered a subtask of, or a CentralAuth equalvent of) with T183420: Authentication data should not be available through the normal DB abstraction layer.

That task is a more modest proposal (could be thought of as the first step), which if implemented would protect against SQL injection in queries unrelated to passwords (since they would use a different DB connection) but not against malicious code execution (since MediaWiki would still have access to the password-specific DB connection).

In hindsight I'm not convinced it's worth doing as a standalone step since the risk of SQL injection is pretty low in the first place (especially with all the changes that were made to the RDBMS abstraction layer since then).

In T120484#10760843, @Krinkle wrote:

The task objective ... is to store passwords outside the reach of the main mediawiki database credentals.

I think more specifically it was to store them outside the reach of MediaWiki. And

Validation of password hashes happens inside the MediaWiki password component, which means MediaWiki requires read access to this database.

might or might not have been intended.

If you allow read access, the protection against RCE attacks is pretty limited (you can limit the scale, but RCE attacks are not script kiddie level so the attacker is going to be smart, and a smart attacker would probably be going after specific accounts rather than all hashes which aren't terribly useful anyway).

Also, if you only allow read access, the service will have to implement all the mechanisms which involve writing passwords (hash upgrade, password change, registration) and at that point not having it implement hash validation seems like a weird design decision.

Also also, as I noted in T120484#2645877 and T140813#2644463, a service that meaningfully protects against RCE is a really hard problem as there are many workflows where an attacker would have equivalent impact (creating or reading a temporary password, writing or reading a local or central user token or a local or central session ID, being able to create a bot password or an OAuth consumer, being able to change the email address) and those all would have to be isolated.

So IMO the specific problem statement in this task is not that useful.

Krinkle mentioned this in T391785: Introduce dedicated tables for CentralAuth passwords, emails and tokens.Apr 28 2025, 2:31 PM

	F4021190: IMG_20160509_135821.jpg
	May 16 2016, 10:46 PM

	F4021187: IMG_20160509_135828.jpg
	May 16 2016, 10:46 PM

Store CentralAuth password hashes outside the main database clusterOpen, MediumPublicActions