Thank you @Tgr
I've included this in the Security-Team weekly meeting for the 18th
Seems like consensus is that https://gerrit.wikimedia.org/r/c/mediawiki/core/+/478395 is the sanest outcome here. @Tgr anything blocking?
@Bawolff can this task be closed now?
Typically, we ask that staff in the Security group associate their Phab account with their Foo (WMF) account onwiki.
Part of my concern is T140369 but another part is the lack of real managed lifecycle/standards for labtest[n] instances.
Wed, Dec 12
There is a public range but to this point we made it through with using private IPs as floating IPs which has been a fine test so far. Labtest instances are not set up in a way that would be OK to expose them on public IPs to my knowledge.
Tue, Dec 11
Mon, Dec 10
small progress https://phabricator.wikimedia.org/T108360#4812282
Thu, Dec 6
Good points @Aklapper. I am not sure if this wording is ours or default. I am making a note to discuss with Security-Team. One question, I have done some testing of triggering our CSP policy and I don't see this language surface in the UI. Where are people seeing this?
Mon, Dec 3
I want to acknowledge a few things:
Fri, Nov 30
Thanks @faidon for weighing in, I think you got right to the heart of it. Not responding to you necessarily but I'm going to steal the 3 point breakdown as it makes sense to me. I don't feel empowered to relate much of the detail for history here, but I do value this conversation and want to respond.
Thu, Nov 29
Small bit of background from my perspective, I had discussed this on hangout with a few folks who I will let acknowledge their own level of approval. I used !log and pinged @elukey with the intention of uninstalling post work-at-hand. Nothing here was me intending to take unilateral action or circumvent process. I really am under the impression that Debian main has nothing which would be incompatible with WMF prod infrastructure. I have no particular affection for exfat, and would much prefer to be able to use ext but have been assured that is not a possibility. If there are legal issues here I'm glad @Legoktm flagged it.
Wed, Nov 28
@fgiunchedi I need to sync up with you here for other reasons, but if you could take a look at this that would be great
I am under the impression anything in Debian main is ok to install in prod, but this is based on adhoc conversations during the Ubuntu->Debian decision making process.
If I'm not mistaken, this mechanism is how all classes are applied across Cloud to all instances?
(I think probably those things could not be added meaningfully before keystone was moved to cloudcontrol* and then after it wasn't thought about)
Looking at https://phabricator.wikimedia.org/T210595 and https://phabricator.wikimedia.org/T201504, not sure why those things fell through the cracks during keystone merge, I think probably just bad handoff as it's right when I was leaving for vacation (I didn't actually do the keystone merge I think?), but def that's wanted afaik :)
Tue, Nov 27
Mon, Nov 26
Wed, Nov 21
Ah! That's interesting yeah.
We have a doc page somewhere that says this but I can't find it :D but essentially Foo (WMF) account linked to phab and 2fa please and then this is a slam dunk :)
A few divergent points have spawned here :)
Tue, Nov 20
It seems this needs to be scheduled in the grid.
Mon, Nov 19
Fri, Nov 16
@Reedy or @Andrew any idea why labswiki could be left behind here? @Bawolff and I were wondering if it could have had something to do with DC switchover things happening around the same time. Not sure if this should be held open to fix whatever caused this in the first place.
Wikitech experiences periods of significant vandalism, and is a bit of an island with a small pool of patrollers. It wouldn't be unreasonable for this to be UBN.
Thu, Nov 15
Wed, Nov 14
@chasemp, I still can't close it.
Cheers everyone :) There is some amount of normal weekly review process in place here but as an aside there is a long standing policy of adding SRE members in good standing with 2fa and their linked WMF account so I went ahead and did this.
Nov 13 2018
Makes sense, again sorry for the drive by comment. Let me know if I can be helpful :)
I don't want to muddy the waters as I have not been involved here :). But worth noting there is more than the views at play for sanitization. To mimic the end state of labsdb you would need the equivalent of triggers and such on sanitarium at least as well.
@JBennett I am throwing this your way since you'll be the person ...certifying? approving? the workflow here at the end of the WG session(s).
Nov 8 2018
Ok thanks @mmodell, I want to run the use cases / workflow by the rest of acl*security_team, and I'm learning about the form/task stuff on the fly so I appreciate your patience. I'll sync up with you sooner than later.
I would have figured the form would have a policy for changing the form itself (fields etc) and then tasks would have a policy for the form's implementation. It sounds like the task can be less permissive than the form (which allows edit for the actual form) but not more?
I'm reopening to keep the narrative on this subtype complete. We noticed that users who had edit perms on task were not able to modify the task. @mmodell changed some permission on the view I believe? I'm not sure if this has resolved the issue.
Nov 6 2018
@MaxSem would you mind trying to resolve this now?
Nov 2 2018
If row b is down then so is cloud vps so not much point in this hadoop cluster being up :D
Nov 1 2018
Oct 31 2018
with https://phabricator.wikimedia.org/T204016#4693413 lowering this, maybe it can even be resolved?
My notes from the 2018-10-31 meeting:
Oct 29 2018
Oct 26 2018
@Bawolff I have you as point person here from the relevant meeting so I'm going to go ahead and assign
Oct 22 2018
No technical blockers to this VLAN having public IPs that I know of. Agreed that the switchover could be difficult to make transparent to users. It's possible adding an interface to the neutron router for a new subnet in the existing VLAN would allow cutover to be faster but it's probably more trouble than it's worth -- would need to test it out a bit.