Closed Bug 1172173 Opened 10 years ago Closed 10 years ago

Open up access to triage1.dmz.scl3 internally to all Mozilla employees.

Categories

(Infrastructure & Operations :: Corporate VPN: ACL requests, task)

Type: task; Priority: Not set; Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mhoye, Assigned: dparsons)

Details

Could we open this up to all Mozillians internally connected by VPN? I will be filing for secreview of the service momentarily, to expose it to the world a bit later.
Assignee: server-ops-virtualization → vpn-acl
Component: Virtualization → Mozilla VPN: ACL requests
QA Contact: cshields → dparsons
:jeff, can you ack this?
Assignee: vpn-acl → dparsons
Flags: needinfo?(jbryner)
Mike can you tell me a little about this system? Who owns it and what type of data is in it? https://mana.mozilla.org/wiki/display/SECURITY/Mozilla+Data+Handling+for+Services+Standard
Flags: needinfo?(jbryner) → needinfo?(mhoye)
Sure! Take a look at http://triage1.dmz.scl3.mozilla.com/ to get a sense of it. It hosts a web service that lets contributors sign up to receive X number of bugs per Y time period, and emails them a brief description of up-to-X bugs along with a request to triage them. I own it. The software running the service is here - https://github.com/mhoye/Canutist/ - and is currently being reviewed by Yvan Boily. It doesn't use a DB, so the only network services running on that machine should be ssh and my app on 80 via lighttpd.
Flags: needinfo?(mhoye)
(Having said that, if you've got a data-handling guidelines doc that's just a tiny bit less completely incomprehensible than that one, I'd be very happy to read it and follow its advice.)
OK, thanks for the info. I signed up ;-] Can you tell me what level of bugs are emailed out? (that would set the data classification level). I'm assuming it does not have access to email out security sensitive, confidential, etc.
It doesn't currently make any distinction wrt bug security level in the code, but the service account it uses to access the API is that of a registered but otherwise unprivileged user. Using that account, it asks for UNCONFIRMED bugs from Firefox, Core and Toolkit products, and any bugs in the Firefox::Untriaged, Core::Untriaged and Toolkit::Untriaged components.
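The selection described in the comment above, as an added example that is not Canutist's code: the two Bugzilla REST searches the description implies (UNCONFIRMED bugs in Firefox, Core and Toolkit, plus anything in those products' Untriaged components), merged and de-duplicated, with the check dveditz's later question points at: because the service account is meant to be unprivileged, anything that comes back carrying a `groups` restriction is dropped rather than mailed out. The query shape follows Bugzilla's documented REST search parameters (`product` and `component` may be repeated, `include_fields` trims the payload); whether Canutist builds its query this way is not stated in the bug, and the responses below are constructed sample data.

```python
from urllib.parse import urlencode

# Assumptions for the illustration, not values taken from Canutist.
BMO_REST = "https://bugzilla.mozilla.org/rest/bug"
PRODUCTS = ("Firefox", "Core", "Toolkit")
FIELDS = "id,summary,product,component,status,groups"


def query_urls(products=PRODUCTS):
    """Two searches: UNCONFIRMED bugs in the products, and any bug in their Untriaged components."""
    common = [("product", p) for p in products] + [("include_fields", FIELDS)]
    unconfirmed = urlencode(common + [("status", "UNCONFIRMED")])
    untriaged = urlencode(common + [("component", "Untriaged")])
    return [f"{BMO_REST}?{unconfirmed}", f"{BMO_REST}?{untriaged}"]


def select_triage_candidates(responses):
    """Merge REST responses, de-duplicate by id, and refuse anything the account should not see.

    A bug with a non-empty 'groups' list is access-restricted; an unprivileged account should never
    receive one, so its presence means the account has more rights than intended and the bug is skipped.
    """
    seen = {}
    for resp in responses:
        for bug in resp.get("bugs", []):
            if bug.get("groups"):
                continue                       # restricted bug: never mail it to a volunteer
            if bug["product"] not in PRODUCTS:
                continue                       # defensive: only the products we asked for
            if bug["status"] != "UNCONFIRMED" and bug["component"] != "Untriaged":
                continue                       # neither selection criterion applies
            seen.setdefault(bug["id"], bug)    # first copy wins across the two searches
    return sorted(seen.values(), key=lambda b: b["id"])


# Constructed sample responses, shaped like Bugzilla's REST 'bugs' array; ids are made up.
SAMPLE_RESPONSES = [
    {"bugs": [  # result of the UNCONFIRMED search
        {"id": 1001, "summary": "crash on startup", "product": "Firefox",
         "component": "Untriaged", "status": "UNCONFIRMED", "groups": []},
        {"id": 1002, "summary": "tab flicker", "product": "Core",
         "component": "Graphics", "status": "UNCONFIRMED", "groups": []},
        {"id": 1003, "summary": "restricted report", "product": "Firefox",
         "component": "General", "status": "UNCONFIRMED", "groups": ["core-security"]},
    ]},
    {"bugs": [  # result of the Untriaged-component search; 1001 appears in both
        {"id": 1001, "summary": "crash on startup", "product": "Firefox",
         "component": "Untriaged", "status": "UNCONFIRMED", "groups": []},
        {"id": 1004, "summary": "addon prompt wording", "product": "Toolkit",
         "component": "Untriaged", "status": "NEW", "groups": []},
        {"id": 1005, "summary": "wrong product", "product": "Thunderbird",
         "component": "Untriaged", "status": "NEW", "groups": []},
    ]},
]

if __name__ == "__main__":
    for url in query_urls():
        print(url)
    for bug in select_triage_candidates(SAMPLE_RESPONSES):
        print(bug["id"], bug["product"], bug["component"], bug["summary"])
```

The `groups` check is cheap and worth keeping even if the account is unprivileged today: it turns a later permission change on the service account into a silent skip instead of a mail to a volunteer.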
OK. Dan: does this sound ok to open to any mozilla folk with VPN access?
Flags: needinfo?(dveditz)
Sounds like it's only handing out bugs that a random user (without even a log in) could find with a query, in which case even the VPN requirement seems unnecessary. At least in terms of the bug data. Maybe there's worries about the software running the system getting hacked or overwhelmed? The page talks about the need to have the CanConfirm privs. That's of course necessary to do the triage, but does the service have the bugzilla access to be able to confirm that? If so I'd want to look deeper into the security of the app, but if having that privilege is just on the honor system then it looks good.
Flags: needinfo?(dveditz)
Just signed up and there's no confirmation mail or rate limiting on the signups so it'd be pretty easy to create a massive spam problem (and transfer the blame to Mozilla). And no unsubscribe so that transfers the spam problem to mhoye since he's advertised as the manual process in the mail :-) Yes, let's restrict this to the VPN so at least internet jerks can't do it anonymously.
Thanks. It won't send anyone more than one email/day, but I'm going to implement those features before I want to roll it out to the larger internet.
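The hardening dveditz asks for above, as an added example that is not Canutist's code and not a design the bug spells out: double opt-in (a signed, expiring confirmation link before any mail is sent), per-IP rate limiting on signups, the one-mail-per-day cap mhoye mentions, and a signed unsubscribe link in every triage mail so nobody has to email the author by hand. The HMAC key, limits, route names and addresses are assumptions for the illustration; a real deployment loads the key from configuration and keeps subscriber state somewhere durable instead of in dictionaries.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed values for the illustration, not Canutist settings.
SECRET_KEY = b"replace-me-load-from-config"   # HMAC key for confirm/unsubscribe tokens
CONFIRM_TTL = 24 * 3600            # confirmation links expire after a day
SIGNUP_WINDOW = 3600               # per-IP rate-limit window (seconds)
MAX_SIGNUPS_PER_WINDOW = 5
MIN_MAIL_INTERVAL = 24 * 3600      # at most one triage mail per address per day


def _sign(purpose, email, ts, key=SECRET_KEY):
    msg = f"{purpose}|{email}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(purpose, email, ts):
    """issue-time.HMAC(purpose, address, time): the purpose stops a confirm token doubling as an unsubscribe."""
    return f"{ts}.{_sign(purpose, email, ts)}"


def verify_token(purpose, email, token, now, ttl=None):
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if ttl is not None and now - ts > ttl:
        return False
    return hmac.compare_digest(mac, _sign(purpose, email, ts))


@dataclass
class Subscriber:
    email: str
    bugs_per_period: int     # the "X bugs" the contributor asked for
    confirmed: bool = False
    last_mailed: int = 0


class SignupService:
    """Double opt-in signup with per-IP rate limiting, a daily send cap and signed unsubscribe links."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}          # email -> Subscriber awaiting confirmation
        self.subscribers = {}      # email -> confirmed Subscriber
        self.signups_by_ip = {}    # ip -> recent signup timestamps
        self.outbox = []           # (to, kind, body) stands in for a real MTA

    def _now(self):
        return int(self.clock())

    def _rate_limited(self, ip, now):
        recent = [t for t in self.signups_by_ip.get(ip, []) if now - t < SIGNUP_WINDOW]
        allowed = len(recent) < MAX_SIGNUPS_PER_WINDOW
        if allowed:
            recent.append(now)
        self.signups_by_ip[ip] = recent
        return not allowed

    def signup(self, email, bugs_per_period, ip):
        now = self._now()
        if self._rate_limited(ip, now):
            return "rate_limited"
        email = email.strip().lower()
        if email not in self.subscribers:
            self.pending[email] = Subscriber(email, bugs_per_period)
            url = "/confirm?" + urlencode({"email": email, "token": make_token("confirm", email, now)})
            self.outbox.append((email, "confirm", url))   # nothing else is mailed until confirmed
        return "check_email"   # same reply either way, so signup cannot enumerate subscribers

    def confirm(self, email, token):
        email = email.strip().lower()
        sub = self.pending.get(email)
        if sub is None or not verify_token("confirm", email, token, self._now(), ttl=CONFIRM_TTL):
            return False
        sub.confirmed = True
        self.subscribers[email] = self.pending.pop(email)
        return True

    def unsubscribe(self, email, token):
        email = email.strip().lower()
        if email not in self.subscribers or not verify_token("unsubscribe", email, token, self._now()):
            return False
        del self.subscribers[email]
        return True

    def send_triage_mail(self, email, candidate_bug_ids):
        """Mail at most bugs_per_period ids, at most once per MIN_MAIL_INTERVAL; returns the ids sent."""
        sub = self.subscribers.get(email)
        now = self._now()
        if sub is None or now - sub.last_mailed < MIN_MAIL_INTERVAL:
            return []
        batch = list(candidate_bug_ids)[:sub.bugs_per_period]
        unsub = "/unsubscribe?" + urlencode({"email": email, "token": make_token("unsubscribe", email, now)})
        self.outbox.append((email, "triage", f"bugs={batch} unsubscribe={unsub}"))
        sub.last_mailed = now
        return batch
```

Because the tokens are HMACs over the purpose, address and issue time, the server stores nothing per token: a confirmation link cannot be replayed once the pending entry is consumed, an old confirm link stops working after `CONFIRM_TTL`, and the unsubscribe link in a triage mail stays valid without a database row for it.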
Any chance I can get an ETA on this?
Dan, consider this an ack from Opsec for an all clear to open to VPN access.
Flags: needinfo?(dparsons)
This is done, but people will have to disconnect/reconnect their VPN connection to access it.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(dparsons)
Resolution: --- → FIXED
Thank you!