Page MenuHomePhabricator
Create Task
Maniphest T170321

encrypt fundraising database client->server communication
Open, In Progress, MediumPublic
Actions

Description

Mysql client->server communication is not yet encrypted in fundraising.

  • frdb civicrm/drupal service users [T280080]
  • frdb-staging civicrm/drupal service users
  • frdb-staging users
  • frdb-analytics users

Related Objects
Search...

Event Timeline

Jgreen created this task.Jul 11 2017, 8:17 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 11 2017, 8:17 PM
Jgreen added a parent task: Restricted Task.Jul 11 2017, 8:38 PM
Jgreen added a parent task: T183138: fundraising database improvements for 2018 .Dec 18 2017, 1:28 PM
Jgreen renamed this task from encrypt fundraising mysql client->server communication to encrypt fundraising database client->server communication.Jun 21 2018, 6:23 PM
Jgreen removed a parent task: T183138: fundraising database improvements for 2018 .May 22 2019, 5:23 PM
Jgreen moved this task from Triage to Backlog on the fundraising-tech-ops board.Feb 19 2020, 10:50 PM
Dwisehaupt claimed this task.May 14 2020, 5:13 PM
Dwisehaupt moved this task from Backlog to In Progress on the fundraising-tech-ops board.
Dwisehaupt added a subscriber: Dwisehaupt.

SSL capability is available on all dbs. Working though the different tools we have to ensure they use (or can use) ssl connectivity. Then moving onto larger projects such as superset, civi, etc.

Dwisehaupt added a comment.May 15 2020, 6:19 PM

Set of commits that have rolled out ssl connectivity on connections for tools using dbs:

17e67c03 Enable ssl for mysql connections with aide tools
3ddf3678 Enable ssl for mysql connections in pfp
ba969b91 Document future use of ssl for mysql in check_fundraising_jobs
85d31e96 Revert "Add ssl connection by default for dump_database"
be8e101b Add ssl connection by default for dump_database
a875afb4 Add ssl connection by default for compact_innodb_table
0131d4a6 Have schema_dumpler default to ssl connections
8fa87562 Add puppet cert files for mysql use on siem role
Dwisehaupt moved this task from In Progress to Up Next on the fundraising-tech-ops board.May 25 2020, 5:10 PM
Dwisehaupt added a comment.Jun 29 2020, 4:29 PM

A chunk of connections will shift once we can complete T246823 and get one a module that will be in use for stretch and buster. I have a diff available that could add ssl connectivity if the testing is successful with pymysql.

Dwisehaupt added a subtask: T246823: figure out Buster package for python3-mysql.connector for use with fruec.Jul 7 2020, 9:59 PM
Dwisehaupt added a comment.Aug 7 2020, 7:19 PM

This will be of good use when we do the update to pull in this code: https://github.com/civicrm/civicrm-core/pull/17706

Dwisehaupt moved this task from Up Next to Backlog on the fundraising-tech-ops board.Oct 5 2020, 8:39 PM
Dwisehaupt added a comment.Oct 16 2020, 8:10 PM

payments hosts were shifted to using ssl for replication with buster upgrades completed in T256146

Stashbot added a comment.Mar 23 2021, 10:33 PM

Mentioned in SAL (#wikimedia-fundraising) [2021-03-23T22:33:36Z] <dwisehaupt> pushing 60f9baaf50b to fundraising hosts which will enable ssl by default for mysql client connections that use the host my.cnf file - T170321

Dwisehaupt moved this task from Backlog to Up Next on the fundraising-tech-ops board.Mar 30 2021, 10:15 PM
gerritbot added a comment.Apr 1 2021, 1:09 PM

Change 676343 had a related patch set uploaded (by Jgreen; author: Jgreen):

[wikimedia/fundraising/analytics@master] Enable mariadb SSL support based on new config option.

https://gerrit.wikimedia.org/r/676343

gerritbot added a project: Patch-For-Review.Apr 1 2021, 1:09 PM
Dwisehaupt added a comment.Apr 1 2021, 6:01 PM

Pushed this for make_grants to allow the ability to require ssl on user db connections. Not currently enabled for any accounts yet.

[frack::puppet::private] e69d624 Add requires option to user definitions
Jgreen closed subtask T279058: enable SSL database connection for fundraising superset as Resolved.Apr 1 2021, 8:52 PM
Dwisehaupt added a comment.Apr 2 2021, 3:16 AM

Replication user on payments db set to require ssl. Grants script pushed and run on payments1001. Replication stopped and started on a subset of hosts and the connection continues. At the mysql.user table level, the change is seen in the ssl_type value.

Before:
+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication |          |
| replication |          |
+-------------+----------+
After:
+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication | ANY      |
| replication | ANY      |
+-------------+----------+
Dwisehaupt added a comment.Apr 2 2021, 3:54 AM

Replication user on fundraising db set to require ssl. Grants script pushed and run on frdb1004. Replication stopped and restarted on a set of hosts and the connection succeeded and replication continues. mysql.user table shows updated ssl_type value.

Dwisehaupt moved this task from Up Next to In Progress on the fundraising-tech-ops board.Apr 6 2021, 9:53 PM
gerritbot added a comment.Apr 8 2021, 1:30 PM

Change 676343 merged by Jgreen:

[wikimedia/fundraising/analytics@master] Enable mariadb SSL support based on new config option.

https://gerrit.wikimedia.org/r/676343

Dwisehaupt added a comment.Apr 13 2021, 7:10 PM

Grant scripts updated to use 'create user or replace' (available since 10.1.3) which will allow us to run the scripts and just update the user accounts without the need to drop and recreate grants if we so desire. Tested with my user account and runsgood.

Dwisehaupt added a comment.Apr 14 2021, 7:17 PM

Note: Can't roll forward on require ssl for the fr_stats db user until we sort out the older python2 DjangoBannerStats code and its connections.

Dwisehaupt added a comment.Jun 24 2021, 3:29 AM

civicrm and civi_read db users have been set to require ssl after the completion of steps in T280080. Tested and working in production.

Dwisehaupt moved this task from In Progress to Up Next on the fundraising-tech-ops board.Jul 20 2021, 11:39 PM
Jgreen moved this task from Up Next to Blocked on the fundraising-tech-ops board.Jan 11 2022, 4:16 PM
Jgreen added a subtask: T301905: modernize DjangoBannerStats to python3.Feb 16 2022, 7:00 PM
Aklapper removed a project: Patch-For-Review.Aug 16 2022, 12:29 PM
Aklapper removed Dwisehaupt as the assignee of this task.Sep 26 2022, 10:26 AM

Removing task assignee due to inactivity as this open task has been assigned for more than two years. See the email sent to the task assignee on August 22nd, 2022.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome!
If this task has been resolved in the meantime, or should not be worked on ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

Jgreen closed subtask T301905: modernize DjangoBannerStats to python3 as Resolved.Feb 13 2023, 3:03 PM
Jgreen claimed this task.Feb 16 2023, 3:46 PM

Claiming to take care of the remaining DjangoBannerStats part of this.

Jgreen closed subtask T246823: figure out Buster package for python3-mysql.connector for use with fruec as Declined.Feb 16 2023, 3:54 PM
Jgreen closed this task as Resolved.Mar 9 2023, 6:25 PM
Jgreen moved this task from Blocked to Done on the fundraising-tech-ops board.

DjangoBannerStats and corresponding mysql user now require SSL

Jgreen reopened this task as Open.Mar 9 2023, 6:46 PM
Jgreen changed the task status from Open to In Progress.
Jgreen moved this task from Done to In Progress on the fundraising-tech-ops board.

Reopening because we haven't switched over individual (non-service) users yet.

Jgreen triaged this task as Medium priority.Apr 12 2023, 7:02 PM
Jgreen updated the task description. (Show Details)Jun 2 2023, 4:29 PM
Jgreen updated the task description. (Show Details)Jul 10 2023, 9:46 PM
Jgreen updated the task description. (Show Details)
Jgreen updated the task description. (Show Details)Jul 27 2023, 2:36 PM
Jgreen added subtasks: T280080: Enable SSL for CiviCRM DB connections, T341029: Staging in a mess (but don't look until after your public holiday!).
XenoRyet closed subtask T341029: Staging in a mess (but don't look until after your public holiday!) as Resolved.Jul 31 2023, 7:39 PM
Dwisehaupt mentioned this in T343760: Require ssl for civi database uses.Aug 7 2023, 9:36 PM

Now that the civi code has been fixed in T280080, we can force ssl requirements for civi code uses. This isn't urgent. May want to roll it during a maint window to ensure we don't have unintended consequences.

XenoRyet closed subtask T280080: Enable SSL for CiviCRM DB connections as Resolved.Aug 14 2023, 7:17 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL