
Clarify Tool Labs' rules to see if Quarry and PAWS are allowed to be hosted there
Closed, Resolved · Public

Description

https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Rules states:

Do not provide direct access to Labs resources to unauthenticated users:
For instance, do not allow web clients to issue shell commands or arbitrary SQL queries against the databases. Labs resources are shared and limited, and it must be possible to attribute usage to specific wikitech users (that are bound to the terms of use).

Quarry

Quarry (https://quarry.wmflabs.org) authenticates SUL users rather than wikitech users, and runs on its own labs project. I'd like to move it to tools to ease maintenance, and want the rule clarified to see if it is ok.

Anti-abuse features Quarry has:

  • Each query gets killed if it is running for more than 30min
  • Queries have the SUL username of the user running them embedded in a comment in the query, making it easy to contact them even if the person investigating an issue doesn't know where it came from

PAWS

PAWS runs on a mixture of its own labs project and tools' kubernetes cluster, and allows people to execute arbitrary code (in a contained container environment) and access the DB (via a proxy). The following anti-abuse features exist:

  1. Requires users to log in with their SUL account
  2. A container with only restricted filesystem access and RAM/CPU limits is provided for each user
  3. SQL access has same restrictions / anti-abuse features as Quarry
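The two Quarry anti-abuse measures listed above (the submitting user's SUL name embedded in a comment in the query, and a kill after the time limit; PAWS reuses the same SQL restrictions) can be demonstrated in a few lines. The following is an added example and is not Quarry's or PAWS' code: it uses sqlite3 in place of the replica databases, the function names are constructed, and the 30-minute figure is the one from the task, exposed as a parameter so the kill path can be exercised with a short limit. The point a practitioner would want is that the username is attacker-controlled text: it must not be able to end the comment early with `*/` or inject a second line, otherwise the attribution itself becomes an injection vector.

```python
import re
import sqlite3
import time

# Added example (not Quarry's or PAWS' own code). Shows the two anti-abuse
# measures from the task: a comment naming the SUL user so a DBA can
# attribute a running query, and a wall-clock limit after which the query
# is killed. sqlite3 stands in for the replica databases; names are constructed.

QUERY_TIME_LIMIT_SECONDS = 30 * 60  # the 30 min limit from the task description


class QueryTimeLimitExceeded(Exception):
    """Raised when a query is cut off at the time limit."""


def attribute_query(sql: str, sul_username: str) -> str:
    """Prefix a query with a comment naming the SUL user who submitted it.

    The username is user-controlled text, so anything that could terminate
    the comment early ('*' and '/') or start a new line is replaced before
    it is embedded; the attribution can then never change what the query does.
    Unicode letters are kept because SUL usernames are not ASCII-only.
    """
    safe_name = re.sub(r"[^\w .:-]", "_", sul_username)
    return f"/* Quarry user: {safe_name} */\n{sql}"


def run_limited_query(conn, sql, sul_username, limit_seconds=QUERY_TIME_LIMIT_SECONDS):
    """Run an attributed query and abort it once limit_seconds have passed."""
    deadline = time.monotonic() + limit_seconds
    # sqlite calls the handler every 1000 VM instructions; a non-zero return
    # interrupts the running statement, which surfaces as OperationalError.
    conn.set_progress_handler(lambda: 1 if time.monotonic() > deadline else 0, 1000)
    try:
        return conn.execute(attribute_query(sql, sul_username)).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupt" in str(exc).lower():
            raise QueryTimeLimitExceeded(
                f"query from {sul_username!r} exceeded {limit_seconds}s"
            ) from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)


def run_in_memory(sql, sul_username, limit_seconds=QUERY_TIME_LIMIT_SECONDS):
    """Convenience wrapper: run one limited query against a fresh in-memory DB."""
    conn = sqlite3.connect(":memory:")
    try:
        return run_limited_query(conn, sql, sul_username, limit_seconds)
    finally:
        conn.close()


# Constructed runaway query: an unbounded recursive CTE that never finishes.
RUNAWAY_QUERY = (
    "WITH RECURSIVE n(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM n) "
    "SELECT count(*) FROM n"
)


if __name__ == "__main__":
    print(run_in_memory("SELECT 1 + 1", "Example user"))
    # A hostile username cannot break out of the attribution comment.
    print(attribute_query("SELECT 1", "Evil */ DROP TABLE x; --"))
    try:
        run_in_memory(RUNAWAY_QUERY, "Example user", limit_seconds=0.2)
    except QueryTimeLimitExceeded as exc:
        print("killed:", exc)
```

On MariaDB the same idea is usually done with a per-session `max_statement_time` or a watchdog that runs `KILL` on the connection id; the progress handler is just sqlite's equivalent so the example runs offline.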

Event Timeline

Restricted Application added a subscriber: Aklapper.
yuvipanda renamed this task from "Clarify Tool Labs' rules to see if Quarry is allowed to be hosted there" to "Clarify Tool Labs' rules to see if Quarry and PAWS are allowed to be hosted there". Dec 2 2016, 4:14 PM
  • Exceptions to this rule can be made on a case-by-case basis. Please contact us with your idea, so that we can discuss possible anti-abuse methods. Examples of exceptions are Quarry and PAWS.

This, where Quarry and PAWS are links to pages outlining their abuse mitigations from the description, seems sensible to me.

I don't think either of these projects qualifies as "unauthenticated", in that in my understanding OAuth is used to authenticate the requesting users against metawiki before allowing new resources to be consumed. The mention of "wikitech" users specifically in the rules seems like it could be amended to allow for this SUL auth case. Gross violations of resource limits would likely still be attributed to Quarry/PAWS, but if those tools can provide a means to get a more granular view of the requesting users and ideally a means to block accounts that are repeat abusers, then we are in a reasonable place to protect the shared resources from abuse.

I take the term unauthenticated to mean end users are not directly authenticating to the resources under consumption, i.e. obfuscation of who is eating ad hoc DB, where "who" is always the LDAP or Labs user. I can already think of a few ways that definition is bad though :) It would probably be prudent for it to be termed "arbitrary access to resources unauthenticated". Otherwise, every webservice in Labs is probably in peril. Arbitrary SQL or some such under the guise of a service account is in many senses an anonymizing proxy. It may come down to the barrier to SUL being meaningful here being that we don't, to my knowledge, tie accounts back anywhere for sure to an LDAP user. I definitely agree the intention is to allow good multi-tenant behavior and reasonable response, but I think I disagree that we are in a place to call SUL authenticated in the context of shared resource administration for now.

The existing rule was introduced with the edit summary "Apparently, one must say things that go without saying". Maybe @coren can clarify. My random guess is that somebody deployed or asked if they could deploy PHPMyAdmin. ;)

scfc triaged this task as Low priority. Feb 16 2017, 10:46 PM
scfc moved this task from Backlog to Ready to be worked on on the Toolforge board.

Policy is set by what's happening. The written form just attempts to capture that. The answer to the direct question is that Quarry and PAWS are de facto allowed to be hosted on Labs since they are currently and, as far as I know, nobody is objecting to them being hosted and available there. I've made this wiki edit to hopefully better reflect the reality: https://wikitech.wikimedia.org/w/index.php?title=Nova_Resource:Tools/Rules&diff=1726430&oldid=1267829.

bd808 assigned this task to MZMcBride.