Page MenuHomePhabricator
Create Task
Maniphest T209109

Security model for session storage service
Closed, ResolvedPublic
Actions

Description

We need to establish the security features that make sense for a session storage service, and implement them accordingly (i.e. encryption, access lists, client/server certification verification).

Details

SubjectRepoBranchLines +/-
Kask TLS configurationmediawiki/services/kaskmaster+56 -2
Cassandra client authenticationmediawiki/services/kaskmaster+85 -6
Cassandra client encryptionmediawiki/services/kaskmaster+119 -52
Customize query in gerrit

Related Objects
Search...

Event Timeline

Eevans triaged this task as Medium priority.Nov 8 2018, 8:48 PM
Eevans created this task.
Eevans added a subscriber: Joe.Feb 11 2019, 7:23 PM

To summarize a (IRC) discussion w/ @Joe today:

  • We most definitely need to TLS encrypt HTTP connections
  • With TLS encryption in place, a certificate trust chain would likely suffice for authentication
  • The use of HTTP basic auth could also work, so long as the Authorization header is encrypted over the wire (see above)
  • A certificate trust chain would technically be more secure, but imposes a significant maintenance burden (maintaining a CA, and (re)issuing signed certs)

Any input from the Security-Team here would be appreciated.

Eevans added a project: Security-Team.Feb 11 2019, 7:23 PM
sbassett subscribed.EditedFeb 12 2019, 4:35 PM

@Eevans, @Clarakosi - just booked a quick hangout with the Security-Team for this Friday (2/15) to discuss potential security concerns for this service.

gerritbot subscribed.Feb 12 2019, 5:36 PM

Change 490106 had a related patch set uploaded (by Eevans; owner: Eevans):
[mediawiki/services/kask@master] Cassandra client encryption

https://gerrit.wikimedia.org/r/490106

gerritbot added a project: Patch-For-Review.Feb 12 2019, 5:36 PM
Eevans mentioned this in rMSKS43f383dd7e71: Cassandra client encryption.Feb 12 2019, 5:52 PM
gerritbot added a comment.Feb 12 2019, 7:50 PM

Change 490106 merged by Clarakosi:
[mediawiki/services/kask@master] Cassandra client encryption

https://gerrit.wikimedia.org/r/490106

gerritbot added a comment.Feb 13 2019, 2:37 PM

Change 490332 had a related patch set uploaded (by Eevans; owner: Eevans):
[mediawiki/services/kask@master] Cassandra client authentication

https://gerrit.wikimedia.org/r/490332

Eevans mentioned this in rMSKS9f7557fe6459: Cassandra client authentication.Feb 13 2019, 2:40 PM
Eevans mentioned this in rMSKS4af5ac8dd299: Cassandra client authentication.
Eevans mentioned this in rMSKS38feecfb7d38: Cassandra client authentication.Feb 13 2019, 2:46 PM
gerritbot added a comment.Feb 13 2019, 4:35 PM

Change 490332 merged by Clarakosi:
[mediawiki/services/kask@master] Cassandra client authentication

https://gerrit.wikimedia.org/r/490332

gerritbot added a comment.Feb 20 2019, 9:57 PM

Change 491862 had a related patch set uploaded (by Clarakosi; owner: Clarakosi):
[mediawiki/services/kask@master] Kask TLS configuration

https://gerrit.wikimedia.org/r/491862

Clarakosi mentioned this in rMSKS5689e47f47da: Kask TLS configuration.Feb 20 2019, 10:04 PM
Clarakosi mentioned this in rMSKSf183b1a8f33b: Kask TLS configuration.
Clarakosi mentioned this in rMSKS689367a764b4: Kask TLS configuration.
Clarakosi mentioned this in rMSKS5a95f18dcfd7: Kask TLS configuration.Feb 21 2019, 9:32 PM
Eevans mentioned this in rMSKS61197b442a84: Kask TLS configuration.Feb 25 2019, 5:24 PM
Clarakosi mentioned this in rMSKS34db308be8fc: Kask TLS configuration.Feb 25 2019, 11:37 PM
gerritbot added a comment.Feb 25 2019, 11:51 PM

Change 491862 merged by Eevans:
[mediawiki/services/kask@master] Kask TLS configuration

https://gerrit.wikimedia.org/r/491862

Eevans mentioned this in T206015: Plan/design a session storage service.Apr 1 2019, 2:23 PM
EvanProdromou mentioned this in T215533: Enable use of session storage service in MediaWiki.May 9 2019, 5:57 PM
Maintenance_bot removed a project: Patch-For-Review.May 22 2019, 3:47 PM
Eevans added a subscriber: akosiaris.Jun 11 2019, 6:57 PM

I believe the current status here to be:

  1. Connectivity to session storage will be IP-restricited
  2. We will TLS encrypt the connection between MediaWiki and session storage
  3. We will (eventually) use CA-signed certificates, and validate them
  4. We may move to production (with 1 & 2), and followup with 3 later after sorting out CA particulars

@Joe, @akosiaris does this reflect your opinion as well? I think this issue has remained open to this point in case we needed to implement HTTP basic auth in Kask. If that is not the case, then perhaps we can close this issue?

akosiaris added a comment.Jun 18 2019, 3:56 PM
In T209109#5251064, @Eevans wrote:

I believe the current status here to be:

  1. Connectivity to session storage will be IP-restricited
  2. We will TLS encrypt the connection between MediaWiki and session storage
  3. We will (eventually) use CA-signed certificates, and validate them
  4. We may move to production (with 1 & 2), and followup with 3 later after sorting out CA particulars

@Joe, @akosiaris does this reflect your opinion as well? I think this issue has remained open to this point in case we needed to implement HTTP basic auth in Kask. If that is not the case, then perhaps we can close this issue?

Hi, sorry for the late answer, offsites...

#1 is a bit unclear to me. Yes, the cassandra nodes are IP restricted indeed and only accept connections from the kubernetes pod range. The kubernetes pods range is also IP restricted and only the sessionstore pods can connect to cassandra.

However, anything can currently connect to the sessionstore. IP limiting this is technically possible, however it is going to be a gigantic mess to implement as the mediawiki hosts are NOT some separate network, but rather intermingled with all other hosts. Thus it will require maintaining a list of all mediawiki hosts IP addresses which is very very error prone and tedious (we don't do it for any other service mediawiki connects to either right now).

#2 wise, fully agreed.

#3 wise, we already use CA-signed certificates for the service itself, trusted across our infrastructure. mediawiki hosts already trust it and indeed do verification of certs issued by it (unless I am horribly mistaken, the PHP libraries anyway already do, curl/libcurl definitely do).

So, regarding #4, numbers 2 and 3 are already working anyway, I am not sure if there was an assumption about #1 meaning only mediawiki would be able to connect network wise to the sessionstore.

CCicalese_WMF removed a project: Platform Team Legacy (Next).Jul 26 2019, 5:35 PM
WDoranWMF moved this task from Session Management Service (CDP2) to mop on the Platform Engineering board.Jul 26 2019, 6:25 PM
WDoranWMF edited projects, added Platform Engineering, Platform Team Initiatives (Session Management Service (CDP2)); removed Platform Engineering (Session Management Service (CDP2)).
WDoranWMF moved this task from mop to remove cpt on the Platform Engineering board.Jul 26 2019, 6:28 PM
WDoranWMF removed a project: Platform Engineering.
sbassett removed a project: Security-Team.Oct 4 2019, 5:01 PM
Pchelolo subscribed.Jun 3 2020, 7:21 PM

Anything else to do here or can this be closed?

Eevans added a comment.Jun 4 2020, 4:26 PM

I think we can close it.

Pchelolo closed this task as Resolved.Jun 4 2020, 4:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL