https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Rules states:
> Do not provide direct access to Labs resources to unauthenticated users:
> For instance, do not allow web clients to issue shell commands or arbitrary SQL queries against the databases. Labs resources are shared and limited, and it must be possible to attribute usage to specific wikitech users (that are bound to the terms of use).
## Quarry ##
Quarry (https://quarry.wmflabs.org) authenticates SUL users rather than wikitech users, and runs on its own labs project. I'd like to move it to tools to ease maintenance, and want the rule clarified to see if it is ok.
Anti-abuse features Quarry has:
- Each query gets killed if it is running for more than 30min
- Queries have the SUL username of the user running them embedded in a comment in the query, making it easy to contact them even if the person investigating an issue doesn't know where it came from
## PAWS ##
PAWS runs on a mixture of its own labs project and tools' kubernetes cluster, and allows people to execute arbitrary code (in a contained container environment) and access the DB (via a proxy). The following anti-abuse features exist:
1. Requires users login with their SUL account
2. A container with only restricted filesystem access and RAM/CPU limits is provided for each user
3. SQL access has same restrictions / anti-abuse features as Quarry