Page MenuHomePhabricator
Create Task
Maniphest T350516

Enable OpenSearch security plugin - Beta Logs
Open, Needs TriagePublic
Actions

Description

This task is to outline and coordinate enabling the OpenSearch Security Plugin on beta-logs.

Phase 1:
Keep the user-facing workflow the same and enable the backend baseline security requirements.

  • Provision intra-node PKI
  • Provision super admin certificate on singleton host or provision utility to request one
  • Configure security plugin anonymous login user/role/policy
  • Keep "preview" user login working via http-basic-auth
  • Enable the security plugin
  • Provision securityadmin.sh singleton apply utility and on-change automation

Phase 2:
Change the user-facing workflow to use security plugin internal authentication/authorization and remove http-basic-auth.

  • Provision "preview" user in security plugin
  • Configure policy for "preview" user - likely allow all
  • Disable http-basic-auth on apache proxy

Phase 3:
Change the user-facing workflow to use the security plugin authenticating using LDAP.

  • Retain "preview" user for legacy purposes
  • Configure roles/policies for LDAP users
  • Configure security plugin to do authentication requests against LDAP

Phase 4:
Gain experience reducing user permissions to an appropriate set.

  • Disable access to admin functionality for regular and "preview" users:
    • Stack Management
    • Sensitive verbs and endpoints
    • ILM (may need to reinstall the plugin)
  • Provision roles/policies for operators and assign permissions

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
opensearch: add pki_intermediate_name parameteroperations/puppetproduction+16 -7
beta-logs: provision ca on cluster hostsoperations/puppetproduction+7 -0
beta-logs: add dummy pki "secrets"operations/puppetproduction+13 -0
beta-logs: change private_cert_base to match labs-privateoperations/puppetproduction+1 -1
beta-logs: change root_ocsp_key path to match labs-privateoperations/puppetproduction+1 -1
logging: add dummy pki "secrets"labs/privatemaster+13 -0
logging: add ocsp secretlabs/privatemaster+5 -0
initial pki config for beta-logs envoperations/puppetproduction+177 -0
add beta-logs pki keylabs/privatemaster+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

colewhite created this task.Nov 3 2023, 9:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 3 2023, 9:52 PM
colewhite added a parent task: T213902: Implement sensitive logstash access control.Nov 3 2023, 9:52 PM
lmata subscribed.Nov 6 2023, 5:57 PM
gerritbot added a comment.Tue, Apr 7, 10:28 PM

Change #1268682 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] initial pki config for beta-logs env

https://gerrit.wikimedia.org/r/1268682

gerritbot added a project: Patch-For-Review.Tue, Apr 7, 10:28 PM

Change #1268683 had a related patch set uploaded (by Cwhite; author: Cwhite):

[labs/private@master] add beta-logs pki key

https://gerrit.wikimedia.org/r/1268683

gerritbot added a comment.Thu, Apr 9, 3:48 PM

Change #1269509 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] beta-logs: provision ca on cluster hosts

https://gerrit.wikimedia.org/r/1269509

gerritbot added a comment.Fri, Apr 10, 10:07 PM

Change #1268683 merged by Cwhite:

[labs/private@master] add beta-logs pki key

https://gerrit.wikimedia.org/r/1268683

gerritbot added a comment.Fri, Apr 10, 10:08 PM

Change #1268682 merged by Cwhite:

[operations/puppet@production] initial pki config for beta-logs env

https://gerrit.wikimedia.org/r/1268682

gerritbot added a comment.Fri, Apr 10, 10:30 PM

Change #1270089 had a related patch set uploaded (by Cwhite; author: Cwhite):

[labs/private@master] logging: add dummy pki "secrets"

https://gerrit.wikimedia.org/r/1270089

gerritbot added a comment.Fri, Apr 10, 10:30 PM

Change #1270089 merged by Cwhite:

[labs/private@master] logging: add dummy pki "secrets"

https://gerrit.wikimedia.org/r/1270089

gerritbot added a comment.Mon, Apr 13, 10:50 PM

Change #1270586 had a related patch set uploaded (by Cwhite; author: Cwhite):

[labs/private@master] logging: add ocsp secret

https://gerrit.wikimedia.org/r/1270586

gerritbot added a comment.Mon, Apr 13, 10:51 PM

Change #1270586 merged by Cwhite:

[labs/private@master] logging: add ocsp secret

https://gerrit.wikimedia.org/r/1270586

gerritbot added a comment.Mon, Apr 13, 11:01 PM

Change #1270590 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] beta-logs: change root_ocsp_key path to match labs-private

https://gerrit.wikimedia.org/r/1270590

gerritbot added a comment.Mon, Apr 13, 11:02 PM

Change #1270590 merged by Cwhite:

[operations/puppet@production] beta-logs: change root_ocsp_key path to match labs-private

https://gerrit.wikimedia.org/r/1270590

gerritbot added a comment.Mon, Apr 13, 11:09 PM

Change #1270591 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] beta-logs: change private_cert_base to match labs-private

https://gerrit.wikimedia.org/r/1270591

gerritbot added a comment.Mon, Apr 13, 11:12 PM

Change #1270591 merged by Cwhite:

[operations/puppet@production] beta-logs: change private_cert_base to match labs-private

https://gerrit.wikimedia.org/r/1270591

gerritbot added a comment.Mon, Apr 13, 11:25 PM

Change #1270593 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] beta-logs: add dummy pki "secrets"

https://gerrit.wikimedia.org/r/1270593

gerritbot added a comment.Mon, Apr 13, 11:26 PM

Change #1270593 merged by Cwhite:

[operations/puppet@production] beta-logs: add dummy pki "secrets"

https://gerrit.wikimedia.org/r/1270593

gerritbot added a comment.Tue, Apr 14, 11:45 PM

Change #1269509 merged by Cwhite:

[operations/puppet@production] beta-logs: provision ca on cluster hosts

https://gerrit.wikimedia.org/r/1269509

Maintenance_bot removed a project: Patch-For-Review.Wed, Apr 15, 12:31 AM
gerritbot added a comment.Wed, Apr 15, 7:24 PM

Change #1271879 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] opensearch: add pki_intermediate_name parameter

https://gerrit.wikimedia.org/r/1271879

gerritbot added a project: Patch-For-Review.Wed, Apr 15, 7:24 PM
gerritbot added a comment.Wed, Apr 15, 9:04 PM

Change #1271879 merged by Cwhite:

[operations/puppet@production] opensearch: add pki_intermediate_name parameter

https://gerrit.wikimedia.org/r/1271879

Maintenance_bot removed a project: Patch-For-Review.Wed, Apr 15, 9:32 PM
colewhite updated the task description. (Show Details)Fri, Apr 17, 10:36 PM
colewhite updated the task description. (Show Details)Fri, Apr 17, 11:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits