Page MenuHomePhabricator
Create Task
Maniphest T346631

[wmcs-cookbooks] SAL messages are shown differently when logging via wm-bot
Closed, ResolvedPublic
Actions

Description

When running WMCS cookbooks from a laptop (or from any host that is not allowed to send TCP messages to tcpircbot on alert1001.wikimedia.org), we send SAL messages through wm-bot instead.

These messages have the same format {user}@{host} {message}, but user and host could be easily spoofed so we are currently not displaying those in the second column of https://sal.toolforge.org/ and instead we display <wm-bot2> in that column, and user@host at the start of the message.

It would be nice to have a more consistent output, and to prevent users from spoofing the username/hostname.

Screenshot 2023-09-18 at 14.47.41.png (208×2 px, 100 KB)

Details

SubjectRepoBranchLines +/-
SAL logging: invert user and projectcloud/wmcs-cookbooksmain+15 -17
dologmsg: standardize logging formatoperations/puppetproduction+92 -60
Parse user@host in wm-bot2 messageslabs/tools/stashbotmaster+14 -4
Customize query in gerrit

Related Objects

Event Timeline

fnegri created this task.Sep 18 2023, 12:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 18 2023, 12:49 PM
fnegri triaged this task as Low priority.Sep 18 2023, 12:50 PM
fnegri moved this task from Backlog to wmcs-cookbooks on the Cloud-VPS board.
gerritbot added a comment.Sep 18 2023, 12:50 PM

Change 958439 had a related patch set uploaded (by FNegri; author: FNegri):

[labs/tools/stashbot@master] Parse user@host in wm-bot2 messages

https://gerrit.wikimedia.org/r/958439

gerritbot added a project: Patch-For-Review.Sep 18 2023, 12:50 PM
fnegri added a comment.Sep 18 2023, 12:53 PM

One option could be to connect to wm-bot through a proxy host (e.g. login.toolforge.org), and display the username on that host (e.g. fnegri@tools-sgebastion-10). In this way we could also increase the security of wm-bot that is currently openly accessible on the internet.

fnegri updated the task description. (Show Details)Sep 18 2023, 12:53 PM
fnegri added a subscriber: taavi.
fnegri added a subscriber: dcaro.Sep 18 2023, 5:18 PM

@dcaro suggested we could in the meantime add a prefix like wmbot. to the user@host string, so that we know it was received from wm-bot and it could be spoofed. I have updated my patch to do this. Restricting access to wm-bot and enforcing a proper authentication could be handled in a separate task.

bd808 subscribed.Sep 27 2023, 4:06 PM

user and host could be easily spoofed so we are currently not displaying those in the second column of https://sal.toolforge.org/

I understand where this interpretation comes from, but the reality is a much more boring explanation of "nobody wrote the code yet" rather than a fear of spoofing attacks or their theoretical consequences. I think the spoofing risks are too to low worry about. I find it unlikely that there will be any non-trivial amount of abuse. I also cannot see any real harm from a spoofed message. SAL is not any sort of canonical audit log.

bd808 added a project: Stashbot.Sep 27 2023, 4:07 PM
bd808 moved this task from Backlog to Accepted on the Stashbot board.Sep 27 2023, 5:29 PM
fnegri claimed this task.Sep 28 2023, 9:47 AM
fnegri added a project: cloud-services-team (FY2023/2024-Q1-Q2).
fnegri changed the task status from Open to In Progress.Sep 28 2023, 1:12 PM
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2023/2024-Q1-Q2) board.
gerritbot added a comment.Jan 5 2024, 8:51 PM

Change 958439 merged by jenkins-bot:

[labs/tools/stashbot@master] Parse user@host in wm-bot2 messages

https://gerrit.wikimedia.org/r/958439

Stashbot added a comment.Jan 5 2024, 9:02 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-05T21:02:13Z] <wm-bot> <bd808> Updated to 3343de0 (T346631)

Maintenance_bot removed a project: Patch-For-Review.Jan 5 2024, 9:30 PM
fnegri mentioned this in rLTST7cd54b314241: Parse user@host in wm-bot2 messages.Jan 6 2024, 1:22 AM
Stashbot added a comment.Jan 8 2024, 4:10 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-08T16:10:24Z] <wm-bot> fnegri@tools-sgebastion-10 test message T346631

gerritbot added a comment.Jan 8 2024, 4:25 PM

Change 988669 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] dologmsg: standarize logging format

https://gerrit.wikimedia.org/r/988669

gerritbot added a project: Patch-For-Review.Jan 8 2024, 4:25 PM
Stashbot added a comment.Jan 8 2024, 4:28 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-08T16:28:30Z] <wmbot~fnegri@tools-sgebastion-10> test message2 T346631

Stashbot added a comment.Jan 8 2024, 5:49 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-08T17:49:04Z] <wmbot~fnegri@tools-sgebastion-10> test message3 T346631

Stashbot added a comment.Jan 9 2024, 5:42 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:42:52Z] <wmbot~fran@wmf3169> %(message)s (T346631)

Stashbot added a comment.Jan 9 2024, 5:42 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:42:58Z] <wmbot~fran@wmf3169> %(message)s (T346631)

Stashbot added a comment.Jan 9 2024, 5:43 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:43:03Z] <wmbot~fran@wmf3169> %(message)s (T346631)

Stashbot added a comment.Jan 9 2024, 5:49 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:49:52Z] <wmbot~fran@wmf3169> START - Cookbook wmcs.do_log_msg (T346631)

Stashbot added a comment.Jan 9 2024, 5:49 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:49:58Z] <wmbot~fran@wmf3169> test message2 from local cookbook (T346631)

Stashbot added a comment.Jan 9 2024, 5:50 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-09T17:50:02Z] <wmbot~fran@wmf3169> END (PASS) - Cookbook wmcs.do_log_msg (exit_code=0) (T346631)

gerritbot added a comment.Jan 10 2024, 11:27 AM

Change 989219 had a related patch set uploaded (by FNegri; author: FNegri):

[cloud/wmcs-cookbooks@main] SAL logging: invert user and project

https://gerrit.wikimedia.org/r/989219

Stashbot added a comment.Jan 10 2024, 4:48 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-10T16:48:44Z] <wmbot~fran@wmf3169> START - Cookbook wmcs.do_log_msg (T346631)

Stashbot added a comment.Jan 10 2024, 4:48 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-10T16:48:49Z] <wmbot~fran@wmf3169> test message3 from local cookbook (T346631)

Stashbot added a comment.Jan 10 2024, 4:48 PM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-01-10T16:48:54Z] <wmbot~fran@wmf3169> END (PASS) - Cookbook wmcs.do_log_msg (exit_code=0) (T346631)

gerritbot added a comment.Jan 12 2024, 12:21 PM

Change 988669 merged by FNegri:

[operations/puppet@production] dologmsg: standardize logging format

https://gerrit.wikimedia.org/r/988669

gerritbot added a comment.Jan 12 2024, 12:25 PM

Change 989219 merged by jenkins-bot:

[cloud/wmcs-cookbooks@main] SAL logging: invert user and project

https://gerrit.wikimedia.org/r/989219

fnegri closed this task as Resolved.Jan 12 2024, 12:25 PM
fnegri moved this task from In progress to Done on the cloud-services-team (FY2023/2024-Q1-Q2) board.
fnegri mentioned this in rCCKB577d7a21662d: SAL logging: invert user and project.Jan 12 2024, 12:26 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 12 2024, 12:30 PM
Stashbot added a comment.Jan 12 2024, 12:37 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-12T12:37:34Z] <wmbot~fnegri@tools-sgebastion-10> test dologmsg after merging T346631

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL