
Access restriction for SPARQL Endpoint for Commons
Closed, Resolved (Public)

Description

One of the problems we are facing with the current WDQS SPARQL endpoint is that it is functionally similar to exposing a raw SQL endpoint to the whole internet. We would never do that with SQL. For SQL we instead provide read-only replicas, which are restricted to WMCS. We need something similar, where we can have a little bit more control over what is accessing this new SPARQL endpoint, with the ability to contact abusive bots / users and block them selectively (as a last resort) when needed and the ability to better understand which use cases are. We want this authentication layer to be as light and as unobtrusive as possible. We're likely to iterate on what the best option is here.

Event Timeline

Gehel created this task. Apr 30 2020, 9:09 AM
Gehel updated the task description. Apr 30 2020, 1:32 PM

Change 605922 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[wikidata/query/rdf@master] OAuth Proxy for MediaWiki oauth plugin

https://gerrit.wikimedia.org/r/605922

Change 608633 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[operations/puppet@production] Configuration code for oauth proxy

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608633

Change 608824 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[operations/puppet@production] Handle oauth proxy settings

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608824

Change 608905 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[operations/puppet@production] Authenticate with MW oauth 1.0a for WCQS

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608905

Change 608824 abandoned by ZPapierski:
Handle oauth proxy settings

Reason:
Duplicated by: https://gerrit.wikimedia.org/r/c/operations/puppet/+/608633

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608824

Change 605922 merged by jenkins-bot:
[wikidata/query/rdf@master] OAuth Proxy for MediaWiki oauth plugin

https://gerrit.wikimedia.org/r/c/wikidata/query/rdf/+/605922

Change 608633 merged by Ryan Kemper:
[operations/puppet@production] Handle oauth proxy settings

https://gerrit.wikimedia.org/r/608633

Change 608905 merged by Ryan Kemper:
[operations/puppet@production] Authenticate with MW oauth 1.0a for WCQS

https://gerrit.wikimedia.org/r/608905

Change 609775 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[wikidata/query/rdf@master] Handle session with wcqs token

https://gerrit.wikimedia.org/r/609775

Change 609775 merged by jenkins-bot:
[wikidata/query/rdf@master] Handle session with wcqs token

https://gerrit.wikimedia.org/r/609775

Change 609909 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[operations/puppet@production] Correct url and path for nginx OAuth 1.0a

https://gerrit.wikimedia.org/r/609909

Zbyszko claimed this task. Jul 13 2020, 12:39 PM

Main resource (/) is secure, but for some reason /sparql endpoint is not.

Change 613127 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[wikidata/query/rdf@master] Set max session cookie age and allow to be deleted

https://gerrit.wikimedia.org/r/613127

Change 613186 had a related patch set uploaded (by ZPapierski; owner: ZPapierski):
[operations/puppet@production] Add logout location

https://gerrit.wikimedia.org/r/613186

Change 613127 merged by jenkins-bot:
[wikidata/query/rdf@master] Set max session cookie age and allow to be deleted

https://gerrit.wikimedia.org/r/613127

Change 609909 merged by Gehel:
[operations/puppet@production] Correct url and path for nginx OAuth 1.0a

https://gerrit.wikimedia.org/r/609909

Change 613186 merged by Gehel:
[operations/puppet@production] Add logout location

https://gerrit.wikimedia.org/r/613186

Gehel closed this task as Resolved. Aug 17 2020, 12:45 PM