Page MenuHomePhabricator

Establish a process to periodically review and approve access for hadoop/hue users
Closed, DeclinedPublic


Webrequest logs is one of our most sensitive data sets. We should periodically (at least annually, if not quarterly) re-review and approve who has access.

The Security-Team can probably own the process, just need to document what needs to be checked, and make sure the workload is acceptable for everyone.

Related Objects

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Security-Team, Analytics.
csteipp added subscribers: csteipp, Ottomata.

Let us know when you'll work on this, we can provide the groups that need to be checked.

chasemp added a parent task: Restricted Task.Sep 4 2018, 6:24 PM

@MoritzMuehlenhoff this is a very old task, I am wondering if anything needs to be done...

These days all external researchers use time-limited MOUs, which get extended if people still need access, so that's sorted.

What remains are two types of people with unlimited access:

  • Staff members who have access to a given group, but no longer need it due to changing projects/positions
  • Volunteers who signed an NDA, who no longer need it

Something which changed since that task was opened is that access groups are mostly supervised by a given group (as e.g. every new addition to analytics-private-data-users gets acked by Analytics). If you want to perform a regular activity check for Hadoop whether people still need it, just go ahead, otherwise let's close the ticket.

Long term there will probably be a generic solution which shows last logins for all services in CAS (and maybe a similar service for each server), but I doubt this ticket is useful to track it.

I think that we can safely close this task for the moment. webrequest data (and other sensitive datasets) can now be accessed via Kerberos and only if belonging to analytics-privatedata-users. There may be users in there that use their credentials every now and then, but as Moritz stated most of non-wmf-staff is tightly controlled via deadlines etc.. (so only wmf-staff remains with some potential user that don't need their account). Given the minimal impact I'd close this task, please re-open if you feel so!