
Apply proper permissions to stat100x home directories
Open, High, Public

Description

After the unification of puppet roles/profiles for the stat100x hosts, users with different access levels can coexist on the same hosts (see https://wikitech.wikimedia.org/wiki/Analytics/Data_access). Practically it is not a big deal since most of the users are analytics-privatedata, but in theory a user with lower privileges could read PII/sensitive data downloaded by an analytics-privatedata user to their home directory.

The main problem is that the default permissions for the home dirs, $username:wikidev, are set by the puppet admin module and there is no way in the code to override this behavior.

The ideal situation would be that users on analytics-privatedata could have their home directory with permissions $username:analytics-privatedata and 740 (users need to share data among themselves).
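The following is an added example, not code from this task or from Wikimedia's puppet repository. It models the POSIX permission check the kernel applies so the two ownership schemes from the description can be compared side by side: a home directory owned by $username:wikidev, and one owned by $username:analytics-privatedata with mode 0740 or 0750. The users "privatedata-peer" and "lowpriv", the 0644 data file and the directory modes are constructed for the example; the usernames and group names come from the task.

```python
"""
Added example: a small model of the POSIX access check, used to see which
users on a stat100x host can list a home directory and read a file in it
under different group ownership and mode combinations.

Users, the data file and the modes below are constructed for the example;
elukey, wikidev and analytics-privatedata are the names used in the task.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # all groups the user belongs to on this host


@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o740
    is_dir: bool


def perm_bits(node: Node, user: User) -> int:
    """Return the rwx class the kernel applies for `user` on `node`:
    owner class if the uid matches, else group class if the node's gid is
    one of the user's groups, else the 'other' class."""
    if user.name == node.owner:
        return (node.mode & 0o700) >> 6
    if node.group in user.groups:
        return (node.mode & 0o070) >> 3
    return node.mode & 0o007


def can_list(home: Node, user: User) -> bool:
    """`ls $HOME` only needs read (r) on the directory itself."""
    assert home.is_dir
    return bool(perm_bits(home, user) & R)


def can_read_file(home: Node, datafile: Node, user: User) -> bool:
    """Opening $HOME/file needs search (x) on the directory plus read (r)
    on the file. Read on the directory alone is not enough: with 0740 a
    group member can see file names but cannot open them."""
    assert home.is_dir and not datafile.is_dir
    return bool(perm_bits(home, user) & X) and bool(perm_bits(datafile, user) & R)


def compare(home_group: str, home_mode: int) -> dict:
    """Who can list elukey's home directory and read a PII file in it,
    given the directory's group and mode.
    Returns {username: (can_list, can_read_file)}."""
    home = Node(owner="elukey", group=home_group, mode=home_mode, is_dir=True)
    # Constructed: a file downloaded with a typical umask of 022 (rw-r--r--),
    # carrying the same group as the directory for simplicity.
    pii = Node(owner="elukey", group=home_group, mode=0o644, is_dir=False)
    users = [
        User("elukey", frozenset({"wikidev", "analytics-privatedata"})),
        # Constructed: another analytics-privatedata user who should share data.
        User("privatedata-peer", frozenset({"wikidev", "analytics-privatedata"})),
        # Constructed: a user with shell access but only the wikidev group.
        User("lowpriv", frozenset({"wikidev"})),
    ]
    return {u.name: (can_list(home, u), can_read_file(home, pii, u)) for u in users}


if __name__ == "__main__":
    for group, mode in (("wikidev", 0o750),
                        ("analytics-privatedata", 0o740),
                        ("analytics-privatedata", 0o750)):
        print(f"group={group} mode={mode:o}")
        for name, (listing, reading) in compare(group, mode).items():
            print(f"  {name:18} list={listing!s:5} read_file={reading}")
```

With group wikidev the low-privilege user can both list the directory and read the file, which is the exposure the task describes. With group analytics-privatedata that user gets nothing, but at 0740 the peer can only list names: search (x) on the directory is what lets another group member actually open files, so sharing data among analytics-privatedata users needs 0750 rather than 0740. Two further caveats the model glosses over: files created inside the directory take the creating process's primary group unless the directory carries the setgid bit, so a group change on the home directory alone does not regroup the data in it; and the file mode still matters, a file at 0600 stays private whatever the directory permits.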

Event Timeline

elukey created this task. Sep 7 2020, 6:23 AM
elukey updated the task description. Sep 7 2020, 6:33 AM
elukey added a comment. Sep 7 2020, 6:48 AM

Checked briefly and we could add new parameters to each user in admin's data.yaml, and then read them in the related defines (admin::hashuser mostly), but there are some things to solve first:

  • wikidev is widely deployed on all hosts, other groups like analytics-privatedata are not. What happens if we force a gid where it is not deployed? We need some sort of defensive logic against this use case.
  • is there a better way of doing this?
Milimetric triaged this task as High priority. Sep 10 2020, 4:22 PM
Milimetric edited projects, added Analytics-Clusters; removed Analytics.
Milimetric added a subscriber: Milimetric.

A potentially easier way: require belonging to analytics-privatedata to log into stat1xxx.