Tech:Private Git: Difference between revisions

imported>Addshore
The key pairs for the user 'git' are stored in the repo along with Orain's SSL cert and private key. The Ansible variable file is also stored in the repo. Any file that should not be public but needs to be available for either general or Ansible operations can be stored there. Only ops can commit to the repo, via the root user.
 
== Private ==
 
The repo stores private data that, if compromised, should be reset immediately in order to ensure the security of the servers and services we operate. Below is a complete list of the services and variables stored in the repo and how to reset them if necessary.
 
; SSL
 
The cluster's SSL cert and SSL private key are both stored in a directory of the repo. If the cert is exposed, there is no concern as long as the key is still secure. If the private key is exposed, email sysadmin{{@}}orain.org immediately to notify an ops member with SSL access (currently John, but Dusti also has access) to reissue/revoke the cert as appropriate.
 
; MariaDB
 
A few MariaDB passwords are managed in the repo: the root password, the MediaWiki password and the Debian installation password. If any are exposed, resetting them should be easy: modify the repo and force an Ansible run (although, on discovering an exposure, it is preferable to change the passwords immediately and disable Ansible so that a run does not re-enable the old passwords).
 
; MediaWiki
 
The wgSecretKey and wgUpgradeKey variables are stored in the repo. If either variable is exposed, simply change it to another random character string. An email to sysadmin{{@}}orain.org should also be sent, as wgSecretKey is used in various operations within MediaWiki such as password hashing, OAuth secrets and the MW reinstall screen (this should not be an issue, though).
 
; Redis
 
The Redis 'AUTH' password is stored in the repo. If this is exposed, reset the variable to another randomly generated string and force an Ansible run. As the installation is restricted to Orain's servers only, exposing it should not have any real user impact.
 
; HHVM
 
The HHVM administrator server's password is stored in the repo. If this is exposed, reset the variable to something else and email sysadmin{{@}}orain.org, because the password allows a user to stop an HHVM instance on a server as well as access some details about the operation of HHVM on that server.
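As an added example (not part of this page and not Orain's own tooling), the following Python helper performs the "reset the variable to another randomly generated string" step for the MediaWiki, Redis and HHVM secrets above in a flat Ansible vars file, and checks that no old value survives anywhere in the file before an Ansible run is forced. The variable names, the file layout and the sample values are assumptions.

```python
#!/usr/bin/env python3
"""Rotate secret values in an Ansible variables file.

Added example, not Orain's own tooling. Assumes the private repo keeps
secrets as flat top-level `key: value` lines in a YAML vars file; the key
names below are assumed placeholders, not the repo's real variable names.
"""
import re
import secrets

# Secrets the page says are reset by regenerating a random string;
# the MariaDB passwords are left out so they are preserved untouched here.
ROTATABLE_KEYS = ("wgSecretKey", "wgUpgradeKey",
                  "redis_auth_password", "hhvm_admin_password")

LINE_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>.*?)\s*$")

def new_secret(nbytes=32):
    """64 hex characters from the OS CSPRNG (secrets module)."""
    return secrets.token_hex(nbytes)

def rotate_secrets(vars_text, keys=ROTATABLE_KEYS):
    """Return (new_text, rotated); rotated maps key -> (old_value, new_value)."""
    rotated, out = {}, []
    for line in vars_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") in keys:
            old = m.group("value").strip("\"'")
            new = new_secret()
            rotated[m.group("key")] = (old, new)
            out.append(f'{m.group("key")}: "{new}"')
        else:
            out.append(line)  # unrelated keys, comments and '---' pass through
    return "\n".join(out) + "\n", rotated

def leaked_values_remaining(text, rotated):
    """Keys whose old value still appears in text, e.g. a second copy elsewhere."""
    return sorted(k for k, (old, _) in rotated.items() if old and old in text)

# Constructed sample vars file; values are placeholders, not real secrets.
SAMPLE_VARS = """---
mariadb_root_password: "oldroot"
wgSecretKey: "deadbeef0123"
wgUpgradeKey: "cafebabe4567"
redis_auth_password: "oldredis"
hhvm_admin_password: "oldhhvm"
"""
```

Write the returned text back to the vars file only when `leaked_values_remaining` is empty, then force the Ansible run.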