Page MenuHomePhabricator
Create Task
Maniphest T237630

Production logstash should be protected by two-factor auth, at the least
Closed, ResolvedPublic
Actions

Description

Many events include personally-identifying information such as client IP address, hence access is currently restricted to the NDA group (as I understand it). Login currently requires a username and password, with no second factor. This seems to be inadequate protection for private information.

Acceptance criteria:

  • Users can find the privacy policy and data controls used for logstash. Ideally we can link to existing documents.
  • Two-factor and any other access controls are configured.

Related Objects

Event Timeline

awight created this task.Nov 7 2019, 11:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2019, 11:41 AM
Peachey88 added a project: SRE.Nov 9 2019, 2:43 AM
MoritzMuehlenhoff triaged this task as Medium priority.Nov 11 2019, 8:26 AM
MoritzMuehlenhoff subscribed.

We're in the process of rolling out Apereo CAS (and initial services are getting migrated to it), see https://phabricator.wikimedia.org/T233921 and sub tasks.

fgiunchedi subscribed.Nov 11 2019, 8:50 AM

Indeed what @MoritzMuehlenhoff said, we'll gain 2FA when CAS gets deployed more widely. Regarding the first point @awight where would it make sense to include the links to documentation in your opinion? Do we have existing examples to get inspiration?

JFishback_WMF added a project: Privacy Engineering.Mar 24 2020, 12:08 AM
JFishback_WMF moved this task from Incoming to Watching on the Privacy Engineering board.
JFishback_WMF moved this task from Intake to Backlog on the Privacy board.
fgiunchedi added a project: observability.Apr 20 2021, 8:43 AM
MoritzMuehlenhoff added a comment.Apr 20 2021, 9:32 AM

We'll automatically get 2FA with CAS, but for Kibana that has proven impossible since the SSO features are limited to the Enterprise version and the current structure didn't allow us to setup a manual solution with mod_cas: T246998

That said, with Elastic/Kibana turning non-free, there's now the OpenSearch fork for Elastic and a similar fork for Kibana called OpenSearch Dashboard. OpenSearch has no enterprise tier, so no artificial restrictions to the FLOSS version apply, as such I'd expect that OpenSearch Dashboard also gains SSO capabilities mid-term.

lmata moved this task from Inbox to Backlog on the observability board.Jun 10 2021, 3:11 PM
lmata edited projects, added SRE Observability; removed observability.Jul 12 2021, 2:21 AM
Maintenance_bot added a project: observability.Jul 12 2021, 2:47 AM
lmata moved this task from Inbox to Backlog on the SRE Observability board.Jul 15 2021, 4:09 AM
lmata edited projects, added Observability-Logging; removed SRE Observability.Aug 9 2021, 3:03 AM
Maintenance_bot edited projects, added SRE Observability; removed Observability-Logging.Aug 9 2021, 3:47 AM
bd808 subscribed.Nov 16 2021, 1:17 AM
lmata edited projects, added Observability-Logging; removed SRE Observability.Jan 17 2022, 11:26 PM
fgiunchedi closed this task as Resolved.Mar 24 2022, 4:36 PM
fgiunchedi claimed this task.

Resolving in favor of T246998: Enable SSO for Kibana since that'll mean 2fa for logstash/kibana

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits