
clarification of cloud terms of use regarding LDAP servers
Closed, ResolvedPublic

Description

The "labs" (cloud VPS) terms of use say this is not allowed "Use of Wikimedia's LDAP server for authentication: "

(for example see T232936).

But nowadays there is not just "a LDAP" server anymore, there are read-only replicas and it has been said that cloud VPSes can use these ro-replicas for testing. For example to get a Gerrit running in cloud VPS to be able to test changes before applying them in prod.

Apparently there is a conflict between the official ToS and what is communicated internally. Let's please clarify that / if it is ok for cloud VPS projects to use ro-LDAP servers and if not which LDAP servers exactly they are allowed to use. (Setting up their own LDAP server has also been discouraged because we want to use centralized settings for LDAP servers.)

Event Timeline

Dzahn created this task. Sep 17 2019, 8:57 PM
Restricted Application added a subscriber: Aklapper. Sep 17 2019, 8:57 PM
Paladox edited projects, added Cloud-Services; removed Cloud-VPS. Sep 17 2019, 8:58 PM
Krenair added a comment. Edited Sep 17 2019, 10:53 PM

I don't see how having read-only replicas changes the real problems involved, maybe we should just add the missing 's' to 'servers'? The problem is that labs instances should never *see* (i.e. process in any manner) a password that can log (real) people into LDAP, particularly if that user has, or might ever have in future, privileged groups like nda, wmf, or ops. If people want to make separate test users that can't do anything, and process those credentials via a labs machine, just to test the configuration of an app that normally runs in production and would legitimately be a processor of LDAP credentials there, that sounds like something we should consider granting an exemption for on a case-by-case basis?

bd808 added a comment. Sep 18 2019, 4:18 PM

> it has been said that cloud VPSes can use these ro-replicas for testing. For example to get a Gerrit running in cloud VPS to be able to test changes before applying them in prod.

I am not sure where this was said, but using the shared LDAP directory that backs Developer accounts for password authentication is against policy in all of Cloud VPS. The existence of multiple replica servers does not make any difference in the potential for exposure of sensitive password material. The actual password hashes are not at risk, but anyone entering a plain text password to a web or cli interface inside of the Cloud VPS environment risks malicious actors capturing that password data and using it to authenticate to a service such as Gerrit or Phabricator to impersonate or take over an account.

> Setting up their own LDAP server has also been discouraged because we want to use centralized settings for LDAP servers.

There is no prohibition against setting up an LDAP directory in a Cloud VPS project. What is functionally not allowed is changing the name service switch (NSS) configuration for a Cloud VPS instance to point to a local LDAP directory. Doing this would functionally lock all users out of the instance as the ssh authentication layer is dependent on reading public key data from the shared LDAP directory as well as normal NSS functionality of sourcing password and group data from the directory.

The "easy" way to create a project local LDAP directory is with MediaWiki-Vagrant and its role::ldapauth manifest or other manifests which include the ::openldap module. There is a tiny bit of documentation on https://wikitech.wikimedia.org/wiki/Nova_Resource:Striker about exposing a MediaWiki-Vagrant managed LDAP directory to the rest of a Cloud VPS project. There is not any comprehensive documentation of the entire process however. I am not opposed to helping make better docs for this, but honestly I do not have any evidence that more than 2-3 projects have ever been interested in doing so.

bd808 claimed this task. Sep 18 2019, 4:25 PM
bd808 triaged this task as Normal priority.

TOU wording updated: https://wikitech.wikimedia.org/w/index.php?title=Wikitech:Cloud_Services_Terms_of_use&diff=1838151&oldid=1790526

@Dzahn does that wording make the intent more clear to you? If I go much further in explicit descriptions I think I may end up in WP:BEANS territory.

Paladox closed this task as Resolved. Tue, Sep 24, 11:15 PM

Closing as resolved.

@bd808 Yes, thank you. It does. The background of the question was Gerrit in cloud VPS specifically. I talked with Paladox about how we can both use his own LDAP server for Gerrit but avoid using it for authentication to get on the instance. There is a local hack that is cherry-picked for that.