Page MenuHomePhabricator
Create Task
Maniphest T240870

Audit the WMF LDAP group and limit its permissions
Open, LowPublic
Actions

Description

The WMF LDAP group is often mistaken for the "employee" default group. The purpose of this task is to eliminate this misconception by embracing it.

This task has several parts:

  1. Audit the WMF LDAP group to know what permissions it currently has. Ensure this set of permissions matches what is recorded in wikitech.
  2. Coordinate with stakeholders and decide on a minimum set of permissions that all employees should have (preferably ro).
  3. Break out other needed permissions into another group(s).
  4. Implement and update clinic duty and onboarding documentation.

Related Objects

Event Timeline

colewhite created this task.Dec 16 2019, 4:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 16 2019, 4:45 PM
colewhite triaged this task as Low priority.Dec 16 2019, 4:45 PM
MoritzMuehlenhoff subscribed.Dec 16 2019, 4:46 PM
jcrespo subscribed.EditedDec 16 2019, 6:56 PM

"all employees should have"

It was agreed some time ago that not all employees were to be added to the wmf group. The only requirements were to:

  1. Request it
  2. Have a reasonable reason for it

Now, why people with wmf rights but without root should be able to see root passwords through query monitoring is something that I have asked myself many times and reported it as worrying in the past.

colewhite added a comment.Dec 18 2019, 11:40 PM

@jcrespo that sounds bad to me. Perhaps query monitoring is a great candidate for a more specific and limited group?

Krenair subscribed.Dec 18 2019, 11:48 PM
jcrespo added a comment.Dec 19 2019, 7:35 AM

+1

MoritzMuehlenhoff added a comment.Dec 19 2019, 11:19 AM

Do we have non-roots who're using this actively? We could simply switch that to cn=ops otherwise?

jcrespo added a comment.EditedDec 19 2019, 11:26 AM

I belive mediawiki deployers use it sometimes (I cannot say, we can ask). The issue is that the tool is not segmented for mediawiki-only, it monitors the whole fleet, including sensitive servers like bacula or other sre services. (e.g. think like kibana, where it is most frequently used for mw events, but it has or it will have eventually all system-level logs). I am not as worried for those that use it occasionally but need it, at least partially, but for those that never asked for it (e.g. to access other web services) but got it in the wmf bundle, which was I think the core issue of this ticket.

Peachey88 subscribed.Dec 22 2019, 10:32 AM
MZMcBride subscribed.Dec 23 2019, 3:33 AM

Related: T62412: ldap/wmf group should not have +2 in Gerrit. This group has been problematic for a while.

Paladox subscribed.Dec 23 2019, 3:45 AM
Dzahn subscribed.Dec 23 2019, 5:18 AM

Wouldn't it be better to create a new group that actually means "wmf employee" and knowingly give that the permissions we agree it should have, rather than trying to remove stuff from the existing group that does not mean "wmf employee"?

jcrespo added a comment.Dec 26 2019, 9:20 AM

Also note in the past I tried to granularize more, for example I created a group for prometheus editing, as several users only required that and to follow least privileges good practices, but it was scrapped https://wikitech.wikimedia.org/w/index.php?title=LDAP%2FGroups&type=revision&diff=613711&oldid=442504 .

Peachey88 added a comment.Dec 26 2019, 11:31 PM

Do we need a over-all wmf group at all? Would a group per service be better for a granularized access point of view and annual access auditing?

Peachey88 added projects: Security-Team, LDAP.Oct 11 2022, 10:32 AM
mmartorana edited projects, added SecTeam-Processed; removed Security-Team.Oct 13 2022, 4:30 PM
mmartorana subscribed.
In T240870#5764088, @Peachey88 wrote:

Do we need a over-all wmf group at all? Would a group per service be better for a granularized access point of view and annual access auditing?

Hey @Peachey88 - I agree with you that having a group per service would be a little more secure, but I am not sure how feasible that would be.

Please, get in touch with SRE to know if they have any plans to automate this whole process in some way.

Let us know if you need anything else.

jbond edited projects, added Infrastructure-Foundations; removed SRE.Nov 2 2022, 12:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits