Page MenuHomePhabricator
Create Task
Maniphest T279023

Expose mailman3 internal REST API inside Wikimedia production network
Open, MediumPublic
Actions

Description

The mailman3 service is controlled by a REST API that you can do just about anything with (it's very powerful). It's protected by HTTP auth and that it by default only listens on localhost.

There are various applications of having automation interact with mailman3 to e.g. automatically subscribe/unsubscribe users based on account state or something.

As far as I can tell, the REST API has no further access control besides the singular HTTP auth password - we may want to talk to upstream about that.

In theory we should be able to allow the server to listen on 0.0.0.0 and have ferm block all non-internal connections.

Related Objects
Search...

Event Timeline

Legoktm created this task.Apr 1 2021, 1:08 AM
Legoktm mentioned this in T278361: auto-subscribe cloud-vps and/or toolforge users to cloud-announce.
Ladsgroup added a comment.Apr 1 2021, 12:10 PM

There are two options in IMO:

  • Expose this to internal network upon request, per node (or wide range)
  • Have all scripts live in lists100x and a central place to handle everything (as a brand-new repository like "mailman workers"), it's more secure and less of a hassle to maintain but also triggering an update directly would be challenge.

It's a trade-off, I'm slightly in favor of the latter given the better security and having a place to have all cases in one place (e.g. when we need to update mailman and some APIs might break, etc.) but I'm biased.

taavi subscribed.Apr 1 2021, 12:14 PM
Peachey88 subscribed.Apr 2 2021, 8:16 AM
jijiki triaged this task as Medium priority.Apr 2 2021, 11:46 AM
Aklapper moved this task from Backlog to Mailman v3 on the Wikimedia-Mailing-lists board.Apr 8 2021, 3:06 PM
Legoktm added a subtask: Restricted Task.Apr 21 2021, 11:17 PM
Legoktm added a comment.Apr 21 2021, 11:24 PM

Since we already need envoy in front of the REST API to provide HTTPS, I think we can have it also do some limited access control, or only expose the specific APIs that are needed.

Rubin16 subscribed.Jun 19 2021, 4:23 PM
bd808 mentioned this in T334748: Split cloud-announce into two lists: toolforge-announce and cloudvps-announce.Apr 14 2023, 11:28 PM
Aklapper added a parent task: T334748: Split cloud-announce into two lists: toolforge-announce and cloudvps-announce.Sep 15 2023, 1:40 PM
Peachey88 mentioned this in T351202: stewards1001 / stewards2001: automatically subscribe stewards to mailman lists (was: Enable API access for Mailman3).Nov 14 2023, 8:56 PM
Legoktm added a parent task: T351202: stewards1001 / stewards2001: automatically subscribe stewards to mailman lists (was: Enable API access for Mailman3).Jan 3 2024, 6:15 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL