Webrequest logs is one of our most sensitive data sets. We should periodically (at least annually, if not quarterly) re-review and approve who has access.
The Security-Team can probably own the process, just need to document what needs to be checked, and make sure the workload is acceptable for everyone.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Declined | None | T121136 Establish a process to periodically review and approve access for hadoop/hue users |
Let us know when you'll work on this, we can provide the groups that need to be checked.
@MoritzMuehlenhoff this is a very old task, I am wondering if anything needs to be done...
These days all external researchers use time-limited MOUs, which get extended if people still need access, so that's sorted.
What remains are two types of people with unlimited access:
Something which changed since that task was opened is that access groups are mostly supervised by a given group (as e.g. every new addition to analytics-private-data-users gets acked by Analytics). If you want to perform a regular activity check for Hadoop whether people still need it, just go ahead, otherwise let's close the ticket.
Long term there will probably be a generic solution which shows last logins for all services in CAS (and maybe a similar service for each server), but I doubt this ticket is useful to track it.
I think that we can safely close this task for the moment. webrequest data (and other sensitive datasets) can now be accessed via Kerberos and only if belonging to analytics-privatedata-users. There may be users in there that use their credentials every now and then, but as Moritz stated most of non-wmf-staff is tightly controlled via deadlines etc.. (so only wmf-staff remains with some potential user that don't need their account). Given the minimal impact I'd close this task, please re-open if you feel so!