Page MenuHomePhabricator
Create Task
Maniphest T120532

Use user-specific passwords for accessing Analytics MariaDB replica databases
Open, MediumPublic
Actions

Description

Opening this ticket to discuss if this is possible. If the answer is "no", we can decline it for now.

I think there would be 3 major advantages to having each user authenticate to mysql individually:

  • We can audit who is accessing the data
  • We can potentially have more granular authorization rules within mysql, so, e.g., if one groups needs to store something sensitive in a schema, we can restrict access to that table.
  • No shared group passwords (just for hygiene-- although the security of this system won't be affected much, having a shared password here I believe encourages people to use shared passwords elsewhere, where it may affect their security directly).

Disadvantages:

  • Security will depend on user-chosen passwords, most likely, and users usually chose weak passwords
  • Overhead of account setup (although maybe mysql can use ldap? I've also setup password synchronization for ldap->mysql using other tools for several large organizations a while back, so something like that might be an option)

Related Objects
Search...

Event Timeline

csteipp created this task.Dec 5 2015, 6:04 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added subscribers: csteipp, jcrespo, Ottomata.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 5 2015, 6:04 PM
csteipp added projects: SRE, Security-Team.Dec 5 2015, 6:04 PM
csteipp set Security to None.
ori subscribed.Dec 5 2015, 6:22 PM

MariaDB has a free and open source PAM authentication module (MySQL's is enterprise-only). It can be used to provide LDAP authentication.

Krenair subscribed.Dec 5 2015, 8:38 PM
Peachey88 subscribed.Dec 6 2015, 5:04 AM
jcrespo added a comment.EditedDec 7 2015, 8:06 AM

Creating one account per user not only it is possible, but desirable. There are 2 main problems:

  • Administration overhead, in an already short staff
  • Lack of proper group/role support, which would mean for MariaDB 10.0, code is not transparent

However, all of these will not work or improve security (but make it worse) if cluster and mysql accounts are not disabled after being unused for a while.

fgiunchedi triaged this task as Medium priority.Dec 7 2015, 2:51 PM
fgiunchedi subscribed.
jcrespo added a subscriber: Nuria.Feb 12 2016, 5:08 PM
Ottomata added a comment.Feb 12 2016, 5:23 PM

+1 for this, we've wanted it for a while.

Ottomata added a comment.Feb 12 2016, 5:23 PM

Not just for EventLogging DB, but all research/analytics MySQL DBs.

csteipp added a comment.Feb 16 2016, 4:33 PM

@Ottomata, what would need to happen to trial either the ldap solution, or creating user accounts in the db itself?

@jcrespo, do you know if the db servers there support TLS connections? If user connect with their ldap passwords, I'd prefer they don't login over cleartext.

Ottomata added a comment.Feb 16 2016, 4:35 PM

what would need to happen to trial either the ldap solution,

don't know much about it...

creating user accounts in the db itself?

This could be done, the problem is managing it. I've done this in the past with puppet, but I think folks don't like this idea much (I'm not sure I do either).

MoritzMuehlenhoff subscribed.Feb 16 2016, 4:47 PM
jcrespo added a comment.Feb 16 2016, 4:52 PM

The idea would be to manage the grants on the server, use the LDAP passwords. That is possible.

In theory, all eventlogging-related hosts have SSL deployed, but for backwards compatibility it is not enforced yet. But yes, it is a blocker (it is just that it may be already resolved, but requires investigation).

jcrespo added a subtask: T111654: Set up TLS for MariaDB replication.Feb 16 2016, 5:57 PM
jcrespo closed subtask T111654: Set up TLS for MariaDB replication as Resolved.Feb 9 2017, 5:08 PM
jcrespo added a parent task: Restricted Task.Feb 20 2017, 4:39 PM
Platonides updated the task description. (Show Details)Jun 19 2017, 10:25 PM
Bawolff edited projects, added acl*security; removed Security-Team.Sep 4 2018, 4:20 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:27 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Dzahn added a project: Data-Engineering.May 10 2023, 12:19 AM
Ottomata renamed this task from Use user-specific passwords for accessing EventLogging database to Use user-specific passwords for accessing Analytics MariaDB replica databases.May 10 2023, 12:48 PM
jbond edited projects, added Data-Persistence; removed SRE.May 22 2023, 4:08 PM
jcrespo added a comment.May 22 2023, 4:24 PM

Everybody be careful (I was confused for some time) when reading "Analytics MariaDB replica databases", wikireplicas already have per-user authentication. These are not wikireplicas (or the analytics-focused wikireplicas), but the analytics network private replicas of production (dbstore*) for data engineering and research usage.

JArguello-WMF moved this task from Incoming (new tickets) to Radar (External Teams) on the Data-Engineering board.Jun 29 2023, 11:53 PM
BTullis edited projects, added Data-Platform-SRE; removed Data-Engineering.Jul 14 2023, 11:16 PM
Gehel moved this task from Incoming to MariaDB (Analytics / WMCS) on the Data-Platform-SRE board.Dec 6 2023, 2:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL