Tue, Apr 23
Wed, Apr 17
Tue, Apr 16
The last item here will take coordination with other internal WMF folks as what goes on foundation.wm.o is still complicated
Thu, Apr 11
Reassigning to reflect the reality of Filippo's awesomeness
Wed, Apr 10
Tue, Apr 9
@EvanProdromou please associate your (WMF) issued onwiki account and this should be ready to go
Looks great @aezell
good to go
@WDoranWMF please add 2fa to your phabricator account, and then we can process this :)
Mon, Apr 8
@bd808 explained the problem to me better, and the above outline is a misunderstanding on my part. Seems like the short term fix here is to have a case-insensitive check at the wikitech layer that prevents the case account duping which will/could have weird consequences with the case insensitivity on LDAP. @bd808 agreed to poke at it this week.
I'm not close to an ldap expert so links below are for myself :D
Fri, Apr 5
Thank you @Tgr
This must have been missed because of recent events, apologies. I'm putting it back on the agenda :)
Account links and 2fa match up.
Thu, Apr 4
Thanks @bd808. I'm going to propose we do this in the next working group meeting on monday.
Mon, Apr 1
Can we tell ldap to enforce non-case sensitivity?
Mar 26 2019
Mar 21 2019
Mar 20 2019
Can we find a way to ensure toolsadmin.wikimedia.org doesn't start allowing LDAP user creations when this is fixed? Right now user creation is stopped via wikitech, and is broken there but it would be best to couple the two.
Mar 18 2019
Outcome from a meeting
Mar 15 2019
I may have some of this in the dusty halls of my brain:
Mar 14 2019
Mar 13 2019
@Schniggendiller I do not see 2fa on your account within Phabricator. If you can follow https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets to add a second factor it will allow me to add you to Security issues.
Mar 12 2019
poke @CKoerner_WMF would you have time to talk about #1 and #2 this week?
Mar 6 2019
Mar 4 2019
Thank you @revi, I had been wondering where we could hook into this process to keep the list current. Are there removals also from this election we need to process?
Mar 1 2019
Feb 27 2019
Feb 25 2019
Feb 21 2019
This is becoming a monster of a thread for context and discussion, thanks to @Tgr for continually updating the description for overview. Mostly @Bawolff mirrors my concerns but I had some thoughts that I don't see totally reflected in the discussion to this point.
Feb 14 2019
I wonder if the only legitimate use case for modifying that page is accompanied by the ability to change that SSH key, and so potentially is sanest as a right limited to toolforge admins/roots.
Feb 12 2019
- manager approval
- linked wmf account
- discussed in sec team meeting
I'll take care of this today or tomorrow
Feb 11 2019
Discussed this a bit on IRC and there was a good point made about the queries themselves potentially (inadvertently even) containing sensitive data:
Feb 8 2019
Feb 6 2019
In theory there are tests that submit things to the grid via tools-checker that ensure the gridmaster itself is functioning, but previously we had issues where DNS was faulty and that cascaded down IIRC, so we put in some service level checking there.
Jan 16 2019
Date: Wed Jan 16 13:10:52 2019 +0000 (rush) Add dsharpe to security@ for T213742
Jan 15 2019
So to me it seems like there is LDAP client config here that is confusing the admin module, the two cannot really co-exist sanely. I have some idea of how that might happen but no time to look into it atm. The LDAP setup on the NFS servers is strictly for perms lookup and is not used by the overall host. Look at how the nfsd-ldap package works that is installed on labstore1004/5
Jan 14 2019
Jan 10 2019
Could a change to coming from a 172 address have affected ratelimit whitelisting?
Pardon the pile on appearance here @TBolliger. I very much appreciate it's difficult to balance transparency and efficacy in the short term but @Bawolff for me has hit the nail on the head. Any outcome from exploring and planning will be easy to reverse engineer, but also will need to be utilized and accepted in-the-least by the members of Security and acl*stewards. If anything can be done here it's going to be beneficial to be as transparent as possible as early as possible, though I totally understand if there are issues/constraints that are not public to begin with. I assume you'll be looking at techniques such as http://valve.github.io/fingerprintjs2/ and marrying to onwiki blocking and identity correlation. To that effect...
Jan 9 2019
I will bring this up in the weekly meeting for the security team but I wanted to respond briefly now, I don't know that Security-Team is a primary stakeholder here other than being generally supportive of the value add of ORES+TWN.