Closed Bug 1077052 Opened 10 years ago Closed 9 years ago

Flip bit on Ben Kerensa's LDAP to allow access to UserAdvocacy.mozilla.org

Categories: (Infrastructure & Operations :: Infrastructure: LDAP, task)
Platform: x86, macOS; type: task; priority: Not set; severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: lsblakk, Unassigned)

Details

specifically /dashboard and /reports
To make sure I understand what you're asking for: I believe you want Ben to be able to get to the URLs https://useradvocacy.mozilla.org/reports/ and https://useradvocacy.mozilla.org/dashboard.  

This server is not formally managed by IT -- it's managed by the User Advocacy team (user-advocacy@mozilla.com).  I believe that the directory is currently locked to folks with a specific LDAP object type; one of the developers will probably need to tweak the config.  I've CCed two of the advocacy folks on this bug.

@Matt -- I don't believe that we discussed how to handle these sorts of operational requests when they come to IT.  Do you have a Bugzilla component they should be moved to?
Flags: needinfo?(mgrimes)
We didn't actually discuss this. I'm fine with Benjamin having access though as he's a valued contributor and has already signed an NDA. Looping in Rob as well.
Flags: needinfo?(mgrimes)
So, as I understand it, we only got the OK from Sec Team to have the server not on VPN and open only to Mozilla employees. We don't have a permission model underneath it that tracks that kind of thing so we can't "flip a bit" or anything.

We followed the config in https://bugzilla.mozilla.org/show_bug.cgi?id=989548#c2 exactly. It sounds like per comment 4, we need a new config but I don't know what that is exactly and if we have to do sec review again.
Flags: needinfo?(cliang)
Figuring out the correct AuthLDAPURL will depend on who you want to give access to.  

Right now, the AuthLDAPURL only allows for people who are Mozilla Corporation employees.  Ben is in a group of users known as Mozilla Net folks.   I believe that all that you need to do to include that group is make the following change:

   AuthLDAPURL "ldap://ldap.db.scl3.mozilla.com/dc=mozilla?mail?sub?(|(objectclass=MozComPerson)(objectclass=MozNetPerson))"

... but this will include a lot of other people who aren't Ben.  I'm not sure what the requirements are for getting a Mozilla 'Net LDAP account.
Flags: needinfo?(cliang)
Jabba, can we do (|(objectclass=MozComPerson)(mail=whatever@mozilla.com)) ?
Flags: needinfo?(jdow)
If we had to, we could make it (|(objectclass=MozComPerson)(uid=bkerensa)).  

However, based on past experience, I'm guessing that other people who are not MoCo will need to be added.  Hence my question on trying to figure out who you want to give access to the dashboards, etc. =)
It's probably best to create a new LDAP group for access to this; then you can require ldap-group cn=team_moco_mofo and require ldap-group cn=useradvocacy, and membership in either would grant access.
Flags: needinfo?(jdow)
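The three filter variants discussed above (MoCo only, MoCo plus MozNetPerson, MoCo plus a single uid) and the ldap-group alternative, worked through as an added example; this is not code from the bug or from Mozilla's Apache configuration. It models what mod_authnz_ldap does with an AuthLDAPURL: the URL's filter is ANDed with "<attribute>=<login>" (with the login escaped per RFC 4515), the search must return exactly one entry, and any Require ldap-group directives are then checked against that entry's DN. The sample directory, its DN layout, the mail domains, the group DNs and the "current" MoCo-only URL are assumptions made for the example; only the LDAP host, the dc=mozilla base, the objectclass names and uid=bkerensa come from the thread. The password bind step is not modelled.

```python
"""Added example, not code from the bug or from Mozilla's Apache config.
Models how mod_authnz_ldap applies an AuthLDAPURL and Require ldap-group.
Directory, DNs, mail domains and group DNs below are constructed; only the
host, base, objectclass names and uid=bkerensa come from the thread."""
import re
from urllib.parse import urlsplit

DIRECTORY = {  # DN -> attributes (constructed sample data, not real Mozilla entries)
    "uid=alice,o=com,dc=mozilla": {"objectclass": ["MozComPerson"],
                                   "uid": ["alice"], "mail": ["alice@mozilla.com"]},
    "uid=bkerensa,o=net,dc=mozilla": {"objectclass": ["MozNetPerson"],
                                      "uid": ["bkerensa"], "mail": ["bkerensa@example.net"]},
    "uid=carol,o=net,dc=mozilla": {"objectclass": ["MozNetPerson"],
                                   "uid": ["carol"], "mail": ["carol@example.net"]},
}
GROUPS = {  # group DN -> member DNs (constructed; Apache reads the 'member' attribute)
    "cn=useradvocacy,ou=groups,dc=mozilla": ["uid=bkerensa,o=net,dc=mozilla"],
    "cn=team_moco_mofo,ou=groups,dc=mozilla": ["uid=alice,o=com,dc=mozilla"],
}
_URL = "ldap://ldap.db.scl3.mozilla.com/dc=mozilla?mail?sub?"
MOCO_ONLY = _URL + "(objectclass=MozComPerson)"  # assumed to be the current config
MOCO_OR_MOZNET = _URL + "(|(objectclass=MozComPerson)(objectclass=MozNetPerson))"
MOCO_OR_BEN = _URL + "(|(objectclass=MozComPerson)(uid=bkerensa))"
GROUP_MODEL = tuple(GROUPS)  # two 'Require ldap-group' lines; default RequireAny

def escape_value(value):
    """RFC 4515 escaping, as the module applies to the login it interpolates."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, equality and presence)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, kids = s[0], s[1:], []
        while not s.startswith(")"):
            if not s:
                raise ValueError("unterminated filter")
            kid, s = _parse(s)
            kids.append(kid)
        return (op, kids), s[1:]
    if s.startswith("!"):
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("expected ')' after '!' item")
        return ("!", [kid]), s[1:]
    end = s.find(")")  # a literal ')' inside a value must be escaped as \29
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[:end].partition("=")
    if not (attr and eq):
        raise ValueError("bad filter item: %r" % s[:end])
    return ("=", attr.lower(), _unescape(value)), s[end + 1:]

def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute names lower-cased)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    have = {v.lower() for v in entry.get(attr, [])}
    return bool(have) if value == "*" else value.lower() in have

def authorize(auth_ldap_url, login, require_groups=()):
    """Return the DN mod_authnz_ldap would accept for this login, or None."""
    url = urlsplit(auth_ldap_url)
    base = url.path.lstrip("/")
    parts = url.query.split("?") if url.query else []
    attribute, scope, url_filter = parts + ["uid", "sub", "(objectclass=*)"][len(parts):]
    # Same combination the module performs; escaping means a login such as
    # 'x)(uid=*' cannot widen the filter.
    node = parse_filter("(&%s(%s=%s))" % (url_filter, attribute, escape_value(login)))
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base)
            and (scope != "one" or "," not in dn[:-len(base) - 1])
            and matches(node, entry)]
    if len(hits) != 1:  # the module requires exactly one matching entry
        return None
    if require_groups and not any(hits[0] in GROUPS.get(g, []) for g in require_groups):
        return None
    return hits[0]

def who_gets_in(auth_ldap_url, require_groups=()):
    """Sorted login names (the 'mail' attribute) admitted by a configuration."""
    logins = sorted(m for e in DIRECTORY.values() for m in e["mail"])
    return [m for m in logins if authorize(auth_ldap_url, m, require_groups)]
```

Running who_gets_in over the four configurations shows the trade-off the thread is circling: the MozNetPerson filter admits every 'Net account (carol as well as bkerensa), the uid filter admits exactly one extra person but has to be edited for each new name, and the group model admits whoever is in either group without touching AuthLDAPURL. Two details Apache needs that the comment above leaves implicit: Require ldap-group takes the group's full DN (cn=useradvocacy,ou=groups,dc=mozilla in this example's invented layout, not just cn=useradvocacy), and membership is read from the group entry's member or uniqueMember attribute unless AuthLDAPGroupAttribute says otherwise.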
I think the question is to send this back to Sec Team: who can and can't we give access to per their earlier review.
(CC Michal, who helped with some of our security questions before)

@Michal feel free to redirect this to a more appropriate person.  Thanks!
Flags: needinfo?(mpurzynski)
I understand that the server is already publicly available, per

https://bugzilla.mozilla.org/show_bug.cgi?id=1063619

I was able to connect to it without a VPN.

As for giving access - it's already LDAP integrated and that's good. What kind of data do you give access to?

The project leader / manager is the person who can ACK (or not) people who should have access.
Flags: needinfo?(mpurzynski)
@michal - The user-facing reports probably won't ever have the need to contain PII, but may contain important confidential information relating to Search stats, ADIs, monthly actives, etc.

Given that Ben Kerensa is trusted with delicate data elsewhere, I don't think that I have a personal issue here, but I could see Security or Legal having other ideas.

Thanks

(In reply to Rob from comment #11)
> @michal - The user-facing reports probably won't ever have the need to
> contain PII, but may contain important confidential information relating to
> Search stats, ADIs, monthly actives, etc.
> 
> Given that Ben Kerensa is trusted with delicate data elsewhere, I don't
> think that I have a personal issue here, but I could see Security or Legal
> having other ideas.
> 
> Thanks

I was able to chat with Michal earlier on IRC; he said that, given the approval by Matt in Comment 2 and my NDA and membership of the Security Group etc., this should not be an issue.
Any update Rob?
Flags: needinfo?(rrayborn)
QA Contact: jdow → rrayborn
Flags: needinfo?(mgrimes)
Hey Ben. Give it a shot now. You should have access. Let me know if that is not the case.
Flags: needinfo?(mgrimes)
Works!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Flags: needinfo?(rrayborn)