Page MenuHomePhabricator
Create Task
Maniphest T218165

Add a note on maintain-views to note explicit exclusion of centralauth.oathauth_users
Closed, ResolvedPublic
Actions

Description

For Wikimedia Wikis, on the centralauth table lives the oathauth_users table which stores very sensitive data. I am proposing to add a note such as I did for fa9e5ecb11d6 to note it is deliberately excluded. For sure we don't want anyone to know who has or has not 2FA enabled, let alone the scratch codes...

Note: as you can see at https://quarry.wmflabs.org/query/34258 the table is not being displayed. I don't know if it is however being replicated but not displayed. We should check that too.

Details

SubjectRepoBranchLines +/-
maintain-views: Note explicit exclusion of `oathauth_users` from replicasoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

MarcoAurelio created this task.Mar 12 2019, 10:11 PM
Restricted Application added a project: User-MarcoAurelio. · View Herald TranscriptMar 12 2019, 10:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot subscribed.Mar 12 2019, 10:15 PM

Change 496063 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/puppet@production] maintain-views: Note explicit exclusion of oathauth_users from replicas

https://gerrit.wikimedia.org/r/496063

gerritbot added a project: Patch-For-Review.Mar 12 2019, 10:15 PM
Base subscribed.Mar 12 2019, 10:17 PM
MarcoAurelio updated the task description. (Show Details)Mar 12 2019, 10:19 PM
MarcoAurelio updated the task description. (Show Details)Mar 12 2019, 10:34 PM
MarcoAurelio updated the task description. (Show Details)
MarcoAurelio moved this task from unsorted/backlog to ready/patched/SWAT on the User-MarcoAurelio board.Mar 13 2019, 12:08 PM
Marostegui subscribed.Mar 14 2019, 1:47 PM

As spoken via IRC, the table is filtered on replication, so it is not even replicated to the wikireplicas (https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/production/manifests/realm.pp#203)

gerritbot added a comment.Apr 6 2019, 11:07 AM

Change 496063 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/puppet@production] maintain-views: Note explicit exclusion of oathauth_users from replicas

https://gerrit.wikimedia.org/r/496063

gerritbot added a comment.Apr 8 2019, 3:55 PM

Change 496063 merged by Bstorm:
[operations/puppet@production] maintain-views: Note explicit exclusion of oathauth_users from replicas

https://gerrit.wikimedia.org/r/496063

MarcoAurelio closed this task as Resolved.May 8 2019, 9:23 PM
MarcoAurelio removed a project: Patch-For-Review.
MarcoAurelio moved this task from ready/patched/SWAT to cabinet on the User-MarcoAurelio board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL