Closed
Bug 1311468
Opened 8 years ago
Closed 7 years ago
Allow external tools partial access to a read-only replica of the prod Treeherder DB
Categories
(Tree Management :: Treeherder: Infrastructure, defect)
Tree Management
Treeherder: Infrastructure
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wlach, Assigned: wlach)
References
Details
Attachments
(2 files, 2 obsolete files)
For redash (bug XXX) and maybe other applications (ActiveData?), it would be nice to have a read-only copy of the treeherder database with any sensitive data (passwords, hawk credentials, session tokens) sanitized and removed. I understand this should be pretty easy with RDS? NI'ing :emorley on the details of what should be sanitized. After that we can ping someone from operations to actually set this up.
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(emorley)
Assignee | ||
Comment 1•8 years ago
|
||
To be clear, I think we only want to mirror the "treeherder" database. The various per-project databases we can skip (since they will be going away soon).
Comment 2•8 years ago
|
||
I hope this extract is just a diff-since-last-extract[1], and in some popular format[2] so we do not need to spin up a database to access the records. [1] I do not mean a fine grained diff; just a list of all records that have had some value change since last time; hopefully it will include all the related records (details, notes and stars) for completness. [2] like JSON!! :)
Assignee | ||
Comment 3•8 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #2) > I hope this extract is just a diff-since-last-extract[1], and in some > popular format[2] so we do not need to spin up a database to access the > records. > > [1] I do not mean a fine grained diff; just a list of all records that have > had some value change since last time; hopefully it will include all the > related records (details, notes and stars) for completness. > [2] like JSON!! :) The proposal is to expose a full database that you can access via the standard mysql client. Everything should be included except for security-sensitive stuff.
Updated•8 years ago
|
Depends on: treeherder-heroku
Comment 4•8 years ago
|
||
For completeness, the various options for exporting MySQL data from Treeherder are: 1) Periodic/one-off .sql dump to an archive on S3 2) Periodic/one-off creation of a standalone RDS instance based on a recent prod RDS snapshot 3) A read-only RDS replica that's always up to date with production (ie this bug) For 1-2 just dropping/excluding sensitive tables makes the most sense to me. For 3, I think the best option is just to limit access using MySQL user GRANTs: https://dev.mysql.com/doc/refman/5.6/en/grant.html https://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html Permissions can be given either per-DB, per-table or even per-column. At a minimum, the sensitive tables are (someone will want to double-check): treeherder.auth_user (due to the password field, though we don't use it) treeherder.credentials (the `secret` field) treeherder.django_admin_log (the `object_repr` field, if it were ever to contain eg a full representation of any secret, which it doesn't so far for the Credentials model) treeherder.django_session (session_key and session_data fields) mysql.<some of, probably best to not grant any>
Flags: needinfo?(emorley)
Comment 5•8 years ago
|
||
For example: GRANT SELECT ON treeherder.foo TO 'someuser'@'%' REQUIRE SSL; GRANT SELECT (column_bar) ON treeherder.baz TO 'someuser'@'%' REQUIRE SSL; The REQUIRE SSL is very important. MySQL doesn't support exclusion rules, so everything has to be whitelisted explicitly (though probably a good thing, since it prevent us accidentally allowing a new table to slip through). However to speed things up, the grant list can be generated using something like: http://stackoverflow.com/a/16818441 We could check the resultant SQL into the repository for reference, or even run as part of deploy.
Comment 6•8 years ago
|
||
Also, if you wanted to help with the Terraform parts, it should be mostly a copy-paste of the existing prod entry: https://github.com/mozilla-platform-ops/devservices-aws/blob/abd9ffe24e0a8ad6fb928eb981537dd17d776bdb/treeherder/rds.tf#L268-L293 ...except using `replicate_source_db` set to `treeherder-prod` and removing `username`, `password` etc. See: https://www.terraform.io/docs/providers/aws/r/db_instance.html
Assignee | ||
Comment 7•8 years ago
|
||
(In reply to Ed Morley [:emorley] from comment #4) > For completeness, the various options for exporting MySQL data from > Treeherder are: > 1) Periodic/one-off .sql dump to an archive on S3 > 2) Periodic/one-off creation of a standalone RDS instance based on a recent > prod RDS snapshot > 3) A read-only RDS replica that's always up to date with production (ie this > bug) > > For 1-2 just dropping/excluding sensitive tables makes the most sense to me. > > For 3, I think the best option is just to limit access using MySQL user > GRANTs: > https://dev.mysql.com/doc/refman/5.6/en/grant.html > https://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html > > Permissions can be given either per-DB, per-table or even per-column. > > At a minimum, the sensitive tables are (someone will want to double-check): > ... I think it makes sense to just leave out any tables which deal with administrativia or bookkeeping. However, we do want the auth_user table (or at least the 'id' and 'email' columns), as that's how we identify who made the various classifications. I guess that leaves this list of tables to mirror: auth_user # only 'id' and 'email' columns bug_job_map bugscache build_platform classified_failure datasource exclusion_profile exclusion_profile_exclusions failure_classification failure_line failure_match job job_detail job_duration job_exclusion job_group job_log job_note job_type machine machine_platform matcher option option_collection performance_alert performance_alert_summary performance_bug_template performance_datum performance_framework performance_signature product reference_data_signatures repository repository_group runnable_job text_log_error text_log_step text_log_summary text_log_summary_line user_exclusion_profile I think for now we can just create one user ('th_user') and give the password out selectively to internal staff who might want to use this db (for now I think that would just be myself, ekyle and whoever would set up the redash instance) :fubar, is this + emorley's comments enough information for you to set this up in the next week or so?
Flags: needinfo?(klibby)
Comment 8•8 years ago
|
||
Whilst we were on SCL3 we didn't have the ability to do some of the tasks that were really within the app developer / dev-ops scope, so had to ask Kendall to do them. Now we're on Heroku we have the power to them ourselves, so we both can (and should) move that dividing line between roles. Apart from the default user on RDS, all other users are not configured via AWS/Terraform, but standard MySQL commands. As such, I think the ask from fubar needs to be constrained to: * create a terraform config for a MySQL read replica of the prod DB * apply that config And then it's up to us to: * figure out SQL for creating a user with those permissions (this is pretty much done with the above) * get review on that SQL * apply that SQL to the MySQL master using the existing th_admin account * check that the read only user cannot access or write to things they shoudn't * give the credentials to whomever needs them
Comment 9•8 years ago
|
||
What type of replication is used to make the mirror? Forgive if I show my age, but there used to be SQL statement replication (common) and binary replication (uncommon, or hard). If it is the former, please be sure there are no SQL updates to master that contain dynamic values; the SQL replicated to the mirror will result in different data. No auto-increment columns, and definitely no mirror-corrupting CURDATE() (oh the stories!!). https://dev.mysql.com/doc/refman/5.7/en/replication-features-auto-increment.html
Comment 10•8 years ago
|
||
By default RDS uses MIXED format for binlogs, which handles this fine: http://dev.mysql.com/doc/refman/5.6/en/binary-log-mixed.html The old SCL3 DB nodes also used MIXED, and we ran a master-slave setup fine there too.
Comment 11•8 years ago
|
||
There are enough mentions of 'sensitive data' in this bug that I've inclined ask for an RRA with infrasec (or however our actual sec rep is these days) before moving ahead. They're quite quick (~30min), and I'd like to know what data we're worried about and implications of leaks. Thoughts? https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment Setting up a read replica RDS instance should be pretty easy, though, especially as I'm poking around working on 1309874 and 1309874.
Flags: needinfo?(klibby)
Comment 12•8 years ago
|
||
Yeah that seems fair. Adjusting bug summary to reflect using grants not sanitisation (comment 4). Hmm though I've been wondering how we're going to handle breaking schema changes in the future? ie I'd prefer to not slow down development velocity, so no more than notifying people prior to changing, unlike our API where we can use versioning. Is this going to be fine for people using this? It seems like we need confirmation that that's the case first?
Component: Treeherder → Treeherder: Infrastructure
Summary: Create a sanitized, read-only mirror of the treeherder production database → Allow external tools partial access to a read-only replica of the prod Treeherder DB
Comment 13•8 years ago
|
||
I think it is fair to demand clients of this mirror all know the schema can change without notice. I am building a client that reviews the `information.schema` before it pulls data: * information_schema.tables * information_schema.table_constraints * information_schema.key_column_usage * information_schema.columns Is there a version number in the TH database that tracks the migrations?
Assignee | ||
Comment 14•8 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #13) > I think it is fair to demand clients of this mirror all know the schema can > change without notice. I am building a client that reviews the > `information.schema` before it pulls data: > > * information_schema.tables > * information_schema.table_constraints > * information_schema.key_column_usage > * information_schema.columns > > Is there a version number in the TH database that tracks the migrations? Migrations are tracked in treeherder.django_migrations, though that doesn't tell you what changed, only *that* something changed. And yeah, I agree that we should just provide this data on an "as-is" basis. That said, I don't anticipate a huge amount of churn for the mature parts of the database (at least once the datasource migration is complete).
Assignee | ||
Comment 15•8 years ago
|
||
I believe the following SQL should be sufficient to create the user with the right permissions. Obviously 'mysecurepassword' should be replaced with something else. ;)
Comment 16•8 years ago
|
||
Comment on attachment 8806121 [details] SQL statements for creating user + setting permissions I do not know if the sensitive tables will be scrubbed from the mirror, if so it may be simpler to allow all reads: > GRANT SELECT ON treeherder.* TO 'thuser' I would also like to read the metadata, so I may understand how the data relates: > GRANT SELECT ON information_schema.tables TO 'thuser' > GRANT SELECT ON information_schema.table_constraints TO 'thuser' > GRANT SELECT ON information_schema.key_column_usage TO 'thuser' > GRANT SELECT ON information_schema.columns TO 'thuser' Thanks!
Assignee | ||
Comment 17•8 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #16) > Comment on attachment 8806121 [details] > SQL statements for creating user + setting permissions > > I do not know if the sensitive tables will be scrubbed from the mirror, if > so it may be simpler to allow all reads: > > > GRANT SELECT ON treeherder.* TO 'thuser' The way things currently are, no, they will not be scrubbed. So I think we should be selective about what we make viewable. Modifying these rules later should not be a big deal (any treeherder dev should be able to do it) > I would also like to read the metadata, so I may understand how the data > relates: > > > GRANT SELECT ON information_schema.tables TO 'thuser' > > GRANT SELECT ON information_schema.table_constraints TO 'thuser' > > GRANT SELECT ON information_schema.key_column_usage TO 'thuser' > > GRANT SELECT ON information_schema.columns TO 'thuser' The tables in information schema seem to be readable by default in my testing.
Assignee | ||
Comment 18•8 years ago
|
||
Forgot to require ssl for the various grants
Attachment #8806121 -
Attachment is obsolete: true
Assignee | ||
Comment 19•8 years ago
|
||
(In reply to Kendall Libby [:fubar] from comment #11) > There are enough mentions of 'sensitive data' in this bug that I've inclined > ask for an RRA with infrasec (or however our actual sec rep is these days) > before moving ahead. They're quite quick (~30min), and I'd like to know what > data we're worried about and implications of leaks. Thoughts? > https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment > > Setting up a read replica RDS instance should be pretty easy, though, > especially as I'm poking around working on 1309874 and 1309874. I've created an RRA template and shared it with you, emorley, and jgriffin. I've also talked with jgriffin, and I don't think we need to wait on going through the full process to proceed with a prototype. It's not like we're exposing a SQL server to the whole world: we're just configuring an internal, authenticated service to a very small number of trusted users @ Mozilla.
Comment 20•8 years ago
|
||
(In reply to William Lachance (:wlach) from comment #19) > > I've created an RRA template and shared it with you, emorley, and jgriffin. Awesome, thank you! > I've also talked with jgriffin, and I don't think we need to wait on going > through the full process to proceed with a prototype. It's not like we're > exposing a SQL server to the whole world: we're just configuring an > internal, authenticated service to a very small number of trusted users @ > Mozilla. Agreed; today's a loss to meetings, but I'll pick up this and the other terraform bits for treeherder tomorrow.
Comment 21•8 years ago
|
||
Do we want the read replica to be multi-az like the source? If we're going to have other random consumers it seems likely, but want to verify as it does make the db instance more expensive.
Assignee | ||
Comment 22•8 years ago
|
||
(In reply to Kendall Libby [:fubar] from comment #21) > Do we want the read replica to be multi-az like the source? If we're going > to have other random consumers it seems likely, but want to verify as it > does make the db instance more expensive. So my understanding of what we're using to back the RDS database is a bit sketchy, but my understanding is that we're using a beefier instance type on production vs. stage/prototype. I honestly have noticed any problems with the performance of the db for stage/prototype, so let's just start with that level at first. We can always upgrade later if there's a need.
Comment 23•8 years ago
|
||
(In reply to Kendall Libby [:fubar] from comment #21) > Do we want the read replica to be multi-az like the source? If we're going > to have other random consumers it seems likely, but want to verify as it > does make the db instance more expensive. I don't think any need for multi-AZ, it can also be a db.m4.xlarge rather than the db.m4.2xlarge of prod. We can always change this later if needed (destroying and re-creating is fine for that, given it's just a replica).
Comment 24•8 years ago
|
||
Ok, I've spun up treeherder-prod-ro as single-AZ, m4.xl. but otherwise the same.
Assignee | ||
Comment 25•8 years ago
|
||
I updated the script for two changes: * Changed the name of the readonly user to th_user * Granted access to the new "push" and "commit" tables I ran this on treeherder production (with a different password, obv) and can login into the mirror as th_user just fine from here. I think we're done here. Thanks all!
Attachment #8806350 -
Attachment is obsolete: true
Assignee | ||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 26•8 years ago
|
||
Thank you for generating the SQL. However in the RRA we said: 1) We'd code review any permissions SQL 2) We'd possibly check it into the repo, so we could tell what was the most recently applied permissions 3) We'd use one set of credentials per consumer (so need different usernames, and need to come up with a naming scheme; I think we should move away from the th_blah, since the DB is all ours) In addition, I see there are now two duplicate users on prod - `thuser` and `th_user`.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 27•8 years ago
|
||
Also we need to come up with some documentation that will ensure that anyone who receives these credentials: 1) Doesn't accidentally leak them by not using SSL (by missing CLI options or using the wrong version of the C API backend to their client) 2) Uses the correct read-only replica hostname, and not the master, since the credentials will work on either
Comment 28•8 years ago
|
||
I've disabled thuser and th_user for now, until we've completed the above.
Assignee | ||
Comment 29•8 years ago
|
||
Sorry, I didn't recall those takeaways from the RRA, and they weren't in the final document. They seem pretty reasonable though, so let's just do them. (In reply to Ed Morley [:emorley] from comment #26) > Thank you for generating the SQL. > > However in the RRA we said: > 1) We'd code review any permissions SQL Ok, well, can you tell me whether it's ok? > 2) We'd possibly check it into the repo, so we could tell what was the most > recently applied permissions > 3) We'd use one set of credentials per consumer (so need different > usernames, and need to come up with a naming scheme; I think we should move > away from the th_blah, since the DB is all ours) Should I create a script under bin/ to generate the sql (with username and password as input)? For documentation I feel like the mana's the best place, though it looks like the treeherder page is pretty out of date. Thoughts?
Flags: needinfo?(emorley)
Comment 30•8 years ago
|
||
(In reply to Ed Morley [:emorley] from comment #27) > Also we need to come up with some documentation that will ensure that anyone > who receives these credentials: > 1) Doesn't accidentally leak them by not using SSL (by missing CLI options > or using the wrong version of the C API backend to their client) > 2) Uses the correct read-only replica hostname, and not the master, since > the credentials will work on either This sounds dangerous. I suggest we break the mirrorness... a) I hope the mysql credentials on the read-only image can be separate from those on production; after all, they are part of different schema (the mysql schema), so should not be mirrored. b) The master TH users, and their authentication data, should be removed from the read-only mirror even though no user has permission to access them c) It would be nice to have the RO usernames be email addresses, if only to have a contact name. I imagine the master TH application would be periodically removing the sensitive data from the mirror, using it own secured credentials.
Assignee | ||
Comment 31•8 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #30) > (In reply to Ed Morley [:emorley] from comment #27) > > Also we need to come up with some documentation that will ensure that anyone > > who receives these credentials: > > 1) Doesn't accidentally leak them by not using SSL (by missing CLI options > > or using the wrong version of the C API backend to their client) > > 2) Uses the correct read-only replica hostname, and not the master, since > > the credentials will work on either > > This sounds dangerous. I suggest we break the mirrorness... > > a) I hope the mysql credentials on the read-only image can be separate from > those on production; after all, they are part of different schema (the mysql > schema), so should not be mirrored. You can't write to the read-only miror because it's read-only. > b) The master TH users, and their authentication data, should be removed > from the read-only mirror even though no user has permission to access them We already discussed this in the RRA. This is an internal system to be used by a very small number of trusted users (activedata and redash, basically). Given that, and the fact that Treeherder data is not particularly sensitive, it was determined that w don't need to spend a ton of effort on additional mitigations. > c) It would be nice to have the RO usernames be email addresses, if only to > have a contact name. There are only two users, 'redash' and 'activedata'. I think that's enough. I don't want to user email addresses because the owner of a service might change.
Comment 32•8 years ago
|
||
(In reply to William Lachance (:wlach) from comment #31) > (In reply to Kyle Lahnakoski [:ekyle] from comment #30) > > This sounds dangerous. I suggest we break the mirrorness... > > > > a) I hope the mysql credentials on the read-only image can be separate from > > those on production; after all, they are part of different schema (the mysql > > schema), so should not be mirrored. > > You can't write to the read-only miror because it's read-only. We call it a read-only mirror, but something is writing to it. Furthermore, I am referring to the `mysql` schema, not the `treeherder` schema. The `mysql` schema holds the mysql users; the master and mirror can have different users. > > b) The master TH users, and their authentication data, should be removed > > from the read-only mirror even though no user has permission to access them > > We already discussed this in the RRA. This is an internal system to be used > by a very small number of trusted users (activedata and redash, basically). > Given that, and the fact that Treeherder data is not particularly sensitive, > it was determined that w don't need to spend a ton of effort on additional > mitigations. In that case, we should not be worried about "[credentials] doesn't accidentally leak them by not using SSL"; we can restrict the inbound IPs to the known locations of the few users. Even if the RO password leaks the attack surface is small. > > c) It would be nice to have the RO usernames be email addresses, if only to > > have a contact name. > > There are only two users, 'redash' and 'activedata'. I think that's enough. > I don't want to user email addresses because the owner of a service might > change. Good point. ActiveData is easy enough to find, but the "redash" user seems too generic. May I suggest inventing a project name, using it as the username, and making a wiki page for contact info (under https://wiki.mozilla.org/EngineeringProductivity/Projects)? Or maybe name the user "bug1279580"?
Comment 33•8 years ago
|
||
(In reply to William Lachance (:wlach) from comment #29) > Sorry, I didn't recall those takeaways from the RRA, and they weren't in the > final document. They seem pretty reasonable though, so let's just do them. No problem :-) (We'd mentioned some in bug comments prior, and then very briefly in the last few minutes of the meeting, but I don't think they were written down by Tristan) > Should I create a script under bin/ to generate the sql (with username and > password as input)? The main use cases for this script are to simplify/reduce margin for error when: 1) adding additional read-only users 2) adding GRANTs in response to new Django ORM tables 3) recreating the RO mirror from scratch (only relevant if we were to go via the route of only adding these users to the RO mirror) I think it may be useful to commit the final SQL to the repo (rather than only the script to generate it), since it's easier to review. But we could always add a comment (or script) saying how to generate it using CONCAT() etc (which can be run whenever we add new Django tables). Open to ideas though. I'll add some comments to the current attachment. > For documentation I feel like the mana's the best place, though it looks > like the treeherder page is pretty out of date. Thoughts? When I finally get around to finishing the Heroku infra docs, I'll be adding them to read the docs, so I think this should be in RTD too. (At most the Mana page will be a copy-paste of parts of RTD just for MOC.) -- (In reply to Kyle Lahnakoski [:ekyle] from comment #30) > I imagine the master TH application would be periodically removing the > sensitive data from the mirror, using it own secured credentials. MySQL replication cannot be made to work like that (especially not on RDS). If you're interested in reading more, these are prety useful reads: http://dev.mysql.com/doc/refman/5.6/en/replication.html https://www.percona.com/blog/2013/01/09/how-does-mysql-replication-really-work/ http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html > We call it a read-only mirror, but something is writing to it. Furthermore, > I am referring to the `mysql` schema, not the `treeherder` schema. The > `mysql` schema holds the mysql users; the master and mirror can have > different users. Yes the MySQL replication process requires that writes be made. When we say read only, we mean the `read_only` variable is set, however this doesn't affect the replication process (or any user who has the SUPER permissions, however we don't get that on RDS). By default on RDS, the `read_only` variable is set to `{TrueIfReplica}`. We could override that and set it to `0` regardless though, via the existing `treeherder` parameter group. Pros: * Can add users just to the RO mirror Cons: * Means anyone who uses the standard RW user could accidentally make changes to the RO mirror and mean it's no longer in sync * Means any time we delete+recreate the RO mirror, we have to manually re-add the RO users again (since they don't exist on the master) I'm open to thoughts either way. > In that case, we should not be worried about "[credentials] doesn't > accidentally leak them by not using SSL"; we can restrict the inbound IPs to > the known locations of the few users. Even if the RO password leaks the > attack surface is small. We can't limit access to certain IPs on the master, due to the way Heroku works (we discussed this in the RRA), so if the RO user is on both it doesn't help. Even if we do add the RO users to only the RO mirror (and then limit IP access to that, if it's even possible to do a split VPC across master and replication slave using RDS), I disagree that it's ok to plan to leak credentials due to incorrect configuration. It takes very little effort to connect securely, so we may as well get people to do so. Defence in depth doesn't mean we can just ignore half of the defences that were agreed upon both before and in the RRA.
Flags: needinfo?(emorley)
Comment 34•8 years ago
|
||
Comment on attachment 8811907 [details] Updated name of readonly user, grant access to push table >CREATE USER 'th_user' IDENTIFIED BY 'mysecurepassword'; Not much help for now, but once we're on MySQL 5.7 we can move the `REQUIRE SSL` to the CREATE USER command to avoid duplication: http://mysqlserverteam.com/building-a-better-create-user-command/ For the password we generate for them, I think we should make it reasonably long (just no longer than 32 characters, since that doesn't work with replication according to MySQL docs). >GRANT SELECT (id, email) ON treeherder.auth_user to 'th_user' REQUIRE SSL; I'm happy to also add `username` here. >GRANT SELECT ON treeherder.bug_job_map to 'th_user' REQUIRE SSL; ... >GRANT SELECT ON treeherder.user_exclusion_profile to 'th_user' REQUIRE SSL; These look good to me :-) To generate up to date lists of the table based GRANTs, we can use something like: SELECT CONCAT('GRANT SELECT ON ', table_schema, '.', table_name, ' to ''user'' REQUIRE SSL;') AS grant_stmt FROM information_schema.TABLES WHERE table_schema = 'treeherder' AND table_name NOT REGEXP 'django_|auth_|credentials|corsheaders_|task_set_meta'; >FLUSH PRIVILEGES; Flush privileges is only required if the `mysql.user` table was modified directly rather than by using GRANT statements.
Comment 35•8 years ago
|
||
(In reply to Ed Morley [:emorley] from comment #33) > I disagree that it's ok to plan to leak > credentials due to incorrect configuration. It takes very little effort to > connect securely, so we may as well get people to do so. Defence in depth > doesn't mean we can just ignore half of the defences that were agreed upon > both before and in the RRA. I do not recall suggesting "a plan to leak" nor "ignoring half the defenses". If you got that impression from my use of "should not be worried", it is unfortunate you interpreted as "do not care and take no action"; I would have hoped you would have interpreted it as "relatively unlikely to be exploited while passwords were reissued, and the system re-secured".
Comment 36•8 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #35) > I would have hoped you would have interpreted it as "relatively > unlikely to be exploited while passwords were reissued, and the system > re-secured". Sadly it's unlikely to happen like that though. Either in automation, or when people are making one-off connections using the CLI/MySQLWorkbench, if the SSL options are omitted, the user may just enable them and try again, not realising they've leaked the credentials. Worse, if the user if using an insecure version of libmysqlclient (this includes even the latest 5.5.x and 5.6.x releases), their connection can be silently MITMed without them knowing (this has been wontfixed by Oracle). In both of these cases we wouldn't know to rotate the credentials.
Comment 37•8 years ago
|
||
Assignee | ||
Comment 38•8 years ago
|
||
Comment on attachment 8813386 [details] [review] [treeherder] wlach:1311468-docs > mozilla:master This only covers the administration portion. I wasn't sure how to talk about the specifics of how a user might use these credentials (and the SSL certificates correctly). I figure we can probably just do that on a case-by-case basis for now, given that we only have two consumers of this service.
Attachment #8813386 -
Flags: review?(emorley)
Comment 39•8 years ago
|
||
I think the wrong file was git added to the PR?
Comment 40•8 years ago
|
||
Comment on attachment 8813386 [details] [review] [treeherder] wlach:1311468-docs > mozilla:master (pending the git add of admin.rst :-))
Attachment #8813386 -
Flags: review?(emorley)
Assignee | ||
Comment 41•8 years ago
|
||
Comment on attachment 8813386 [details] [review] [treeherder] wlach:1311468-docs > mozilla:master Oops, fixed. :)
Attachment #8813386 -
Flags: review?(emorley)
Updated•8 years ago
|
Attachment #8813386 -
Flags: review?(emorley) → review+
Comment 42•8 years ago
|
||
Commit pushed to master at https://github.com/mozilla/treeherder https://github.com/mozilla/treeherder/commit/f34e6fc6387c1f25d98643b2a77d4c04babaa9c1 Bug 1311468 - Add docs for creating readonly Treeherder users (#1993)
Assignee | ||
Comment 43•8 years ago
|
||
Can we resolve this bug? I'm personally fine with things the way they are for now, but if others believe we should do other stuff, they can always file followups...
Comment 44•8 years ago
|
||
Commit pushed to master at https://github.com/mozilla/treeherder https://github.com/mozilla/treeherder/commit/88120c6da775f607af0078efc8e240d68a7f069b Bug 1311468 - fix typo
Updated•7 years ago
|
Assignee: nobody → wlachance
Status: REOPENED → RESOLVED
Closed: 8 years ago → 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•