Nucleus Risk Review
Reference: https://mana.mozilla.org/wiki/display/SECURITY/Business+Level+Risk+Assessment
TL;DR
Nucleus is a publishing system for Bedrock. Its risk level is P-1 A-2 R-2 Au-2. The system is suitable to run in PaaS, as long as no confidential information is stored in it (e.g. unreleased security advisories).
Attendees:
- jgmize, curtisk, hoosteeno, ulfr, cturra, adamm
Project description & scope
- webprod team project: make it possible to publish to www.mozilla.org without a pull request (or svn).
- initial use case: release managers publish release notes
- publish through API, instead of using a django admin
Target users
- content creators for w.m.o (www.mozilla.org), likely only MoCo
- First release is "RNA", the release notes publishing tool. Content publishers will be staff on the release management team.
- community members with commit access can also use this as they have LDAP accounts
- access given to individual users, on a case by case basis
- Note: we are integrating with browserid/persona https://bugzilla.mozilla.org/show_bug.cgi?id=922377
Threats
- PR risk: if someone gains access and publishes bogus content
Privacy: 1
For now only public, non-critical data will be handled. NOT SUITABLE FOR CONFIDENTIAL DATA. Data awaiting publication might be critical (security advisories); once published it is public only.
Availability: 2
A 48-hour restart time is sufficient.
Recovery: 2
Nucleus would be replicated to Bedrock frequently.
- Note: there isn't a direct Bedrock-to-Nucleus recovery path AFAIK
Users' ACLs need to be backed up. Weekly is acceptable.
Audit: 2
Need for auditability is low with a trusted group of content managers. It is sufficiently satisfied by authentication logs: creation time, modification time, login name. No need to log the details of changes to a publication.
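The audit bar set above (who created or modified a publication, and when, with no content diff) is small enough to show end to end. The following is an added example written for this review, not Nucleus or Bedrock code; the class and field names are hypothetical, and the sample activity and timestamps are constructed. It keeps an append-only event list plus a per-publication summary, and exposes the query an incident responder would run first if an account were suspected of publishing bogus content: everything that login touched.

```python
"""Minimal publication audit trail: who created/modified what, and when.

Added example, not Nucleus code. Records only the fields the review calls
sufficient (creation time, modification time, login name) and deliberately
stores no content diffs.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str, datetime]  # (action, publication_id, login, timestamp)


@dataclass
class PublicationAudit:
    """Per-publication summary; field names are hypothetical."""
    publication_id: str
    created_by: str
    created_at: datetime
    modified_by: str
    modified_at: datetime


class AuditLog:
    """Append-only event list plus a per-publication summary."""

    def __init__(self) -> None:
        self._summary: Dict[str, PublicationAudit] = {}
        self._events: List[Event] = []

    def record_create(self, publication_id: str, login_name: str,
                      when: Optional[datetime] = None) -> PublicationAudit:
        when = when or datetime.now(timezone.utc)
        if publication_id in self._summary:
            raise ValueError(f"{publication_id} already exists")
        rec = PublicationAudit(publication_id, login_name, when, login_name, when)
        self._summary[publication_id] = rec
        self._events.append(("create", publication_id, login_name, when))
        return rec

    def record_modify(self, publication_id: str, login_name: str,
                      when: Optional[datetime] = None) -> PublicationAudit:
        when = when or datetime.now(timezone.utc)
        rec = self._summary[publication_id]  # KeyError if it was never created
        rec.modified_by = login_name
        rec.modified_at = when
        self._events.append(("modify", publication_id, login_name, when))
        return rec

    def summary(self, publication_id: str) -> PublicationAudit:
        return self._summary[publication_id]

    def events_for_login(self, login_name: str) -> List[Event]:
        """Everything one account touched: the first question asked when an
        account is suspected of having been used to publish bogus content."""
        return [e for e in self._events if e[2] == login_name]

    def lines(self) -> List[str]:
        """One log line per event, oldest first."""
        return [f"{ts.isoformat()} {action} {pid} by {login}"
                for action, pid, login, ts in self._events]


def demo() -> AuditLog:
    # Constructed sample activity with fixed timestamps so results are deterministic.
    log = AuditLog()
    t0 = datetime(2013, 10, 1, 9, 0, tzinfo=timezone.utc)
    log.record_create("firefox-25.0-release-notes", "relman_alice", t0)
    log.record_modify("firefox-25.0-release-notes", "relman_bob", t0.replace(hour=11))
    log.record_create("firefox-25.0-beta-notes", "relman_alice", t0.replace(hour=12))
    return log


if __name__ == "__main__":
    for line in demo().lines():
        print(line)
```

The summary answers "who last touched this release note and when"; the event list answers "what did this login do", which is what the PR-risk threat above needs. Backing up `_events` alongside the ACLs keeps the two consistent.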
Action items
- jgmize/cturra talk about how to get to web logs
- hoosteeno/jgmize don't allow draft storage of confidential/sensitive info without another security risk assessment
- in order to do a security review:
  - risk assessment (this meeting)
  - security sprint (when code is ready)