Nucleus Risk Review
Nucleus is a publishing system for Bedrock. Its risk level is P-1 A-2 R-2 Au-2. The system is suitable to run in PaaS, as long as no confidential information is stored in it (e.g. unreleased security advisories).
- jgmize, curtisk, hoosteeno, ulfr, cturra, adamm
Project description & scope
- webprod team: make it possible to publish www.mozilla.org content without a pull request (or svn).
- initial use case: release managers publish release notes
- publish through API, instead of using a django admin
- content creators for w.m.o, likely only MoCo
- First release is "RNA", the release notes publishing tool. Content publishers will be staff on the release management team.
- community members with commit access can also use this as they have LDAP accounts
- access given to individual users, on a case by case basis
- Note: we are integrating with browserid/persona https://bugzilla.mozilla.org/show_bug.cgi?id=922377
- PR risk: if someone gains access and publishes bogus content
For now only public, non-critical data will be handled. NOT SUITABLE FOR CONFIDENTIAL DATA. Data awaiting publication might be critical (security advisories); only public data once published.
A 48-hour restart time is sufficient.
Nucleus would be replicated to Bedrock frequently.
- Note: there isn't a direct Bedrock to Nucleus recovery path AFAIK
Users' ACLs need to be backed up. Weekly is acceptable.
Need for auditability is low with a trusted group of content managers. It is sufficiently satisfied by logs of authentications: creation, modify time, login name. No need to log the details of changes to a publication.
- jgmize/cturra: talk about how to get to the web logs
- hoosteeno/jgmize: don't allow draft storage of confidential/sensitive information without another security risk assessment
- in order to do a security review:
- risk assessment (this meeting)
- security sprint (when code is ready)