Page MenuHomePhabricator
Create Task
Maniphest T56713

Non-NDA users cannot access graphite.wikimedia.org
Closed, DuplicatePublic
Actions

Description

Author: metatron

Description:
As in https://www.mediawiki.org/wiki/Wikimedia_Labs/Tool_Labs/Roadmap_en#Overview_of_available_features_in_Tool_Labs

Logs / Statistics

Webserver page view/visit statistics: https://graphite.wikimedia.org/ (requires Labs account) ...

I cannot access though having a labs account and entering credentials as requested by site:

A user name and password are being requested by https://graphite.wikimedia.org. The site says: "WMF Labs (use wiki login name not shell)"

Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 / T62112: Icinga has httpauth on (not accessible for public)

Details

Reference
bz54713

Related Objects
Search...

StatusSubtypeAssignedTask
 DuplicateNoneT56713 Non-NDA users cannot access graphite.wikimedia.org
Restricted Task

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:22 AM
bzimport added projects: WMF-General-or-Unknown, acl*sre-team.
bzimport set Reference to bz54713.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 27 2013, 4:21 PM
Aklapper added a comment.Sep 30 2013, 10:09 AM

Works for me with my labsconsole.wikimedia.org / gerrit.wikimedia.org / wikitech.wikimedia.org account - I can log in.

Does anybody else have this problem?

Aklapper added a comment.Nov 8 2013, 3:32 PM

Works for me, I can get to https://graphite.wikimedia.org/dashboard/ after entering username and password.

Aklapper added a comment.Nov 11 2013, 10:42 AM

<YuviPanda|away> andre: aude IIRC it requires you to be in a specific LDAP group
<YuviPanda|away> that says you are from the wmf
<aude> ok, so then we need the wmde group made
<YuviPanda|away> yeah
<aude> also, ori-l gave me a Icinga link that i cant see
errr ishmael.wikimedia.org
can't see either
<YuviPanda> yeah, tied to the same group
<YuviPanda> andre: you can search for '[Ops] providing restricted tools to a wider audience ' in the ops list for the last known conversation about this

Matanya added a comment.Dec 19 2013, 8:14 PM

I'm not in the wmf group too, and can't log in to the site with my labs account.

ori added a comment.Dec 19 2013, 8:18 PM

We'd really like to make this completely public, but our Graphite setup has never had a security review, so we can't do it just yet. As an interim solution, we may be able to expand the access criteria so that they include volunteers that have signed an NDA. But because this is a security consideration, the decision is not mine to make.

csteipp added a comment.Dec 20 2013, 12:04 AM

Until we get a security review done, giving NDA users access is not a problem. I'll be working on the review in Feb most likely.

Se4598 added a comment.Apr 1 2014, 11:58 AM

csteipp: any update?

csteipp added a comment.Apr 1 2014, 4:04 PM

I have not been able to get to this yet, sorry.

Krenair added a comment.Aug 14 2014, 2:55 AM

(In reply to Ori Livneh from comment #5)

As an interim
solution, we may be able to expand the access criteria so that they include
volunteers that have signed an NDA. But because this is a security
consideration, the decision is not mine to make.

This was done in Gerrit change 152928 it seems

Krenair added a comment.Oct 7 2014, 9:52 AM

So can we mark this as fixed?

Se4598 added a comment.Oct 7 2014, 2:32 PM

(In reply to Alex Monk from comment #10)

So can we mark this as fixed?

No, this bug is about allowing public access, after the necessary security review has been done. Currently only wmf, ops and NDA users have access.

Krenair added a comment.Oct 7 2014, 2:36 PM

'nda' group = non-WMF staff. I'm changing this bug so it's about allowing public access instead.

Krenair added a project: deprecated-security-team-reviews.Dec 14 2014, 12:31 AM
Liuxinyu970226 subscribed.May 7 2015, 7:39 AM
zhuyifei1999 subscribed.Jul 3 2015, 9:47 AM
Dzahn mentioned this in T108546: grafana access control.Aug 20 2015, 1:04 AM
Dzahn subscribed.

also see T108546

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 20 2015, 1:05 AM
csteipp added a subtask: Restricted Task.Aug 20 2015, 4:05 PM
csteipp closed subtask Restricted Task as Resolved.Oct 27 2015, 11:27 PM
Krinkle edited projects, added Security-Team; removed deprecated-security-team-reviews.Dec 2 2015, 6:22 PM
Krinkle set Security to None.
Krinkle removed a subscriber: wikibugs-l-list.
Dzahn added a comment.May 25 2016, 6:39 PM

@metatron when looking at T108546 would you consider this ticket a duplicate ?

Krenair mentioned this in T137373: add Ladsgroup to nda LDAP group (was: Grant graphite.wikimedia.org rights to grafana-admin LDAP group).Jun 10 2016, 12:26 PM
Krinkle updated the task description. (Show Details)Jun 4 2018, 3:30 PM
Krinkle closed this task as a duplicate of T108546: grafana access control.
Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptJun 4 2018, 3:31 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL