
Apply proper permissions to stat100x home directories
Closed, Declined (Public)

Description

After the unification of puppet roles/profiles for the stat100x hosts, users with different access levels can coexist on the same hosts (see https://wikitech.wikimedia.org/wiki/Analytics/Data_access). Practically it is not a big deal since most of the users are analytics-privatedata, but in theory a user with lower privileges could read PII/sensitive data downloaded by an analytics-privatedata user to their home directory.

The main problem is that the default permissions for the home dirs, $username:wikidev, are set by the puppet admin module and there is no way in the code to override this behavior.

The ideal situation would be that users on analytics-privatedata could have their home directory with permissions $username:analytics-privatedata and 740 (users need to share data among themselves).


Event Timeline

elukey updated the task description.

Checked briefly and we could add new parameters to each user in admin's data.yaml, and then read them in the related defines (admin::hashuser mostly), but there are some things to solve first:

  • wikidev is widely deployed on all hosts, other groups like analytics-privatedata are not. What happens if we force a gid where it is not deployed? We need some sort of defensive logic against this use case.
  • is there a better way of doing this?
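As an added example (not the puppet admin module's code, and not anything the task proposes to deploy), a POSIX shell helper that sketches the defensive logic asked for above: it regroups and chmods a home directory only when the target group actually exists on the host, and it audits a tree of home directories for drift. The base path, group name and 740 mode are parameters; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Constructed example: audit/fix home-directory group and mode so that only
# the owner and one chosen group can read them (e.g. alice:analytics-privatedata 740).

# home_stat DIR -> prints "GROUP MODE", e.g. "wikidev 755" (GNU stat).
home_stat() {
    stat -c '%G %a' "$1"
}

# check_home DIR WANT_GROUP WANT_MODE
# Exit status: 0 = compliant, 1 = group or mode differs,
#              2 = WANT_GROUP is not deployed on this host (nothing to compare against).
check_home() {
    dir=$1; want_group=$2; want_mode=$3
    if ! getent group "$want_group" >/dev/null 2>&1; then
        echo "SKIP $dir: group $want_group not present on this host" >&2
        return 2
    fi
    set -- $(home_stat "$dir")           # $1 = current group, $2 = current octal mode
    if [ "$1" = "$want_group" ] && [ "$2" = "$want_mode" ]; then
        return 0
    fi
    echo "MISMATCH $dir: is $1 $2, want $want_group $want_mode" >&2
    return 1
}

# fix_home DIR WANT_GROUP WANT_MODE
# Applies chgrp/chmod only when the group exists; a host without the group
# keeps the directory untouched (the "defensive logic" the ticket asks for).
fix_home() {
    rc=0
    check_home "$1" "$2" "$3" || rc=$?
    case $rc in
        0) return 0 ;;                   # already correct
        2) return 2 ;;                   # group not deployed here: leave the wikidev default
    esac
    chgrp "$2" "$1" && chmod "$3" "$1"
}

# audit_homes BASE WANT_GROUP WANT_MODE
# Checks every BASE/<user>/ and prints how many are NOT confirmed compliant.
audit_homes() {
    base=$1; want_group=$2; want_mode=$3; bad=0
    for d in "$base"/*/; do
        d=${d%/}
        check_home "$d" "$want_group" "$want_mode" || bad=$((bad + 1))
    done
    echo "$bad"
}
```

Run `audit_homes /home analytics-privatedata 740` read-only first; `fix_home` needs to run as root on real home directories.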
Milimetric edited projects, added Analytics-Clusters; removed Analytics.
Milimetric subscribed.

potential easier way: require belonging to analytics-privatedata to log into stat1xxx.

> potential easier way: require belonging to analytics-privatedata to log into stat1xxx.

This is what we decided to do :)