[Wikidata-bugs] [Maniphest] [Changed Subscribers] T90115: BlazeGraph Security Review
Liuxinyu970226 removed a subscriber: Liuxinyu970226.

TASK DETAIL
https://phabricator.wikimedia.org/T90115

EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: csteipp, Liuxinyu970226
Cc: Deskana, ksmith, JanZerebecki, Bene, MoritzMuehlenhoff, GWicke, Thompsonbry.systap, Smalyshev, Joe, csteipp, Beebs.systap, Haasepeter, Aklapper, Manybubbles, jkroll, Wikidata-bugs, Jdouglas, aude, Krenair, Malyacko

___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

ksmith added a subscriber: Deskana.
ksmith added a comment.

@csteipp: Discovery plans to deploy this in beta status, and then (based on my understanding), we plan to shift to other priorities while we wait for feedback to come in. Our level of effort after that will depend in part on that feedback. It will be up to @Deskana to prioritize any work in Q2. Presumably if you said "this must happen", we would find a way to make it happen.

csteipp added a subscriber: MoritzMuehlenhoff.
csteipp added a comment.

In https://phabricator.wikimedia.org/T90115#1259754, @Beebs.systap wrote:

> > - @Beebs.systap, is there a special mailing list we need to be on to get
> > notified of security issues? Is someone from Ops subscribed?
>
> Is there an OPS email alias that should be added? We generally do announce
> to the developers list, but do push out specific notices directly in some
> cases.

@MoritzMuehlenhoff does ops have an email address for upgrade notifications?

Beebs.systap added a subscriber: Thompsonbry.systap.

csteipp added a subscriber: Joe.
csteipp added a comment.

Talked with Nik today about running this. We're planning to expose sending raw queries into our cluster. The biggest threats are a malicious user causing data corruption or resource-consumption DoS, or an attacker being able to compromise the Blazegraph server and pivot to the rest of our cluster. The data in Blazegraph is all public (assuming we work out removing deleted/suppressed items), so authorization within Blazegraph isn't a big concern.

Mitigating those threats:

- We want to make sure we are aware of security patches to Blazegraph, and ops applies those in an appropriate timeframe. @Beebs.systap, is there a special mailing list we need to be on to get notified? I haven't seen any CVEs issued for Blazegraph, so I want to make sure we're watching the right places.
- Since we know that we're running a more risky environment than most Blazegraph users, it would be nice if we could ensure that if it's compromised, the attacker can't start attacking the cluster. @joe, I know ops isn't too fond of creating many new subnets for our services, but since we're starting from scratch, is this a case where we can put the boxes on a dedicated subnet and make sure the other mediawiki infrastructure isn't directly routable from there?
- In Blazegraph, @manybubbles is looking into what options need to be disabled to prevent queries from:
  - modifying existing data
  - opening external or internal resources (it sounds like there might be capabilities to cause Blazegraph to query an external db, or load local files)
- At the application (proxy?) layer, we'll set up some per-ip/user throttles, and make sure we set appropriate timeouts
- We'll make sure revision deletion is working correctly so we don't leak suppressed items
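The proxy-layer controls in csteipp's last bullets (per-IP throttling, capped timeouts, and refusing queries that modify data or reach external resources) could look like this in a front proxy. This is an added example, not code from the task, Blazegraph or the Wikidata Query Service; the function and policy names are assumptions, and the read-only check is a conservative lexical filter that complements, rather than replaces, disabling update and federation on the server itself.

```python
import re
import time

# Constructed policy values for the example; a real deployment tunes these.
RATE_LIMIT = 5            # queries per client IP per window
WINDOW_SECONDS = 60.0
MAX_TIMEOUT_MS = 30_000   # hard cap on the per-query timeout forwarded upstream

# Strip string literals, IRIs, variables and comments before keyword checks,
# in one alternation so a '#' inside an IRI is not taken for a comment.
_NOISE = re.compile(
    r'"""(?:[^"\\]|\\.)*"""|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
    r'|<[^<>"{}|^`\\\s]*>|[?$]\w+|#[^\n]*', re.DOTALL)
_PROLOGUE = re.compile(r'^\s*(?:(?:PREFIX\s+\S+|BASE)\s*)*', re.IGNORECASE)
_QUERY_FORM = re.compile(r'^(SELECT|ASK|CONSTRUCT|DESCRIBE)\b', re.IGNORECASE)
_FEDERATED = re.compile(r'\bSERVICE\b', re.IGNORECASE)

def read_only_reason(query):
    """Return None for a read-only, non-federated SPARQL query form, else a
    reason. Anything not SELECT/ASK/CONSTRUCT/DESCRIBE after the prologue is
    refused, which covers every SPARQL 1.1 Update operation (INSERT, LOAD...)."""
    body = _PROLOGUE.sub(' ', _NOISE.sub(' ', query), count=1)
    if not _QUERY_FORM.match(body.lstrip()):
        return 'not a SELECT/ASK/CONSTRUCT/DESCRIBE query'
    # SERVICE would let a query reach other (internal or external) endpoints.
    return 'SERVICE clause is disabled' if _FEDERATED.search(body) else None

class PerIpThrottle:
    """Sliding-window counter per client IP (in-memory, single proxy process)."""
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window, self._hits = limit, window, {}

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(ip, ()) if now - t < self.window]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self._hits[ip] = recent
        return allowed

def gate(throttle, ip, query, timeout_ms=MAX_TIMEOUT_MS, now=None):
    """Proxy decision: (forward?, reason, timeout to pass upstream). Only the
    SPARQL Protocol 'query' parameter is ever forwarded; 'update' is dropped."""
    if not throttle.allow(ip, now):
        return False, 'rate limit exceeded', 0
    reason = read_only_reason(query)
    if reason:
        return False, reason, 0
    return True, 'ok', min(int(timeout_ms), MAX_TIMEOUT_MS)
```

The filter deliberately errs on the side of refusing: a keyword hit outside literals, IRIs, variables and comments is treated as real, so an odd but legitimate query may be rejected, whereas an update can never slip through as a query form.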