Request for review of change to browserid network ACLs

RESOLVED FIXED

Status

RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: gene, Assigned: jstevensen)

Tracking

Details

(Reporter)

Description

6 years ago
https://intranet.mozilla.org/Services/Ops/BrowserID/NetworkACLs

We've (services operations) created a new service called "zbroker". This is a web service which accepts requests from servers such as "drain all zeus load balancer connections to me" or "add me back into my zeus load balancer pool". The zbroker will only allow a client add or remove itself from a load balance pool (not other IPs).

We would like to run this service on port 80 on our "adm" servers. These servers currently are the puppetmasters for our servers. As such, our servers currently initiate connections to these "adm" hosts over the puppet port 8140.

We thought this would be a good place to run it because the hosts already initiate connections to it, and because it has the network access to make subsequent calls to our zeus load balancers.

We'd like an opsec review of this planned change. The change would manifest in a firewall opening from all of our current puppet clients in production (and staging and dev), to the their adm puppetmasters over the new port 80, in addition to the existing port 8140.
(Assignee)

Comment 1

6 years ago
We will review this change request this week.
(Reporter)

Comment 2

6 years ago
Just talked to Joe on the phone. His team will review this ticket this afternoon and will send out an update at the end of the day with either results, or a new date/time that they can have the review completed, in the case that they have questions.
Assignee: nobody → jstevensen
(Assignee)

Comment 3

6 years ago
Eugene,

This doesn't look like a serious concern, but we have a couple of questions. I'll schedule a quick vidyo meeting for 9am PDT or at another convenient time.
(Assignee)

Comment 4

6 years ago
Discussed with Gene today. 

Permitting the webheads to initiate connections to adm hosts running zbroker is approved.
(Reporter)

Updated

6 years ago
Blocks: 789333
(Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.