Closed Bug 638515 Opened 14 years ago Closed 14 years ago

Need hole opened from dm-tbpl01 to elasticsearch1.metrics.sjc1.mozilla.com:9200

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jgriffin, Assigned: arzhel)

Details

In bug 601743, there is a patch to update tbpl to store/read comments from ElasticSearch, which is hosted at elasticsearch1.metrics.sjc1.mozilla.com:9200. There is a small php part involved in this, which is currently hosted on sm-brasstacks01. It would be nice to be able to run the php bit from the tbpl machine, dm-tbpl01. Is it possible to open a hole in the firewall from dm-tbpl01 to elasticsearch1.metrics.sjc1.mozilla.com:9200 for HTTP access?
Assignee: server-ops → network-operations
(In reply to comment #0)
> In bug 601743, there is a patch to update tbpl to store/read comments from
> ElasticSearch, which is hosted at elasticsearch1.metrics.sjc1.mozilla.com:9200.
> There is a small php part involved in this, which is currently hosted on
> sm-brasstacks01.
>
> It would be nice to be able to run the php bit from the tbpl machine,
> dm-tbpl01. Is it possible to open a hole in the firewall from dm-tbpl01 to
> elasticsearch1.metrics.sjc1.mozilla.com:9200 for HTTP access?

Can you please elaborate some more on what is triggering what? And who can kick this off? I'm skeptical about services that can be "triggered" from the outside world and would like infrasec to look at this if that's the case.
I'm not exactly sure what you mean by 'triggered', but here's the whole loop: Tinderbox+pushlog is a website with client-side JS, which is available to the world. When a user of TBPL "stars" a failure (i.e., adds a comment related to the failure), that comment data needs to be stored in ElasticSearch, which is running inside the firewall at the address mentioned above. Since TBPL's client-side JS cannot see ES, it sends the data to a PHP page, which is currently running on sm-brasstacks01, but which I'd like to move to dm-tbpl01. This PHP page is also publicly visible. The PHP takes the data sent from TBPL, reformats it a bit and does some basic sanity checking, and then sends it to ElasticSearch via HTTP GET/POST. Since the PHP is publicly visible, someone who has seen the source (which would also be publicly visible) could use this knowledge to add some garbage to the database, but he wouldn't be able to delete or change existing records, since the PHP file in question doesn't perform those kinds of operations.
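The add-only property described in the comment above depends on the public page fixing the HTTP method and target path itself and accepting nothing from the client except validated document fields. The following is an added example, not part of this bug or TBPL's code, of a proxy step that enforces this; the host and port are from the bug, while the index path, field names and limits are assumptions.

```php
<?php
// Added example, not TBPL's code. Host and port come from the bug report;
// the index path, field names and limits are hypothetical.
const ES_BASE  = 'http://elasticsearch1.metrics.sjc1.mozilla.com:9200';
const ES_PATH  = '/comments-example/comment/'; // hypothetical; carries no document ID
const MAX_BODY = 4096;                         // hypothetical request size limit

// Allowed fields and the pattern each value must match (hypothetical schema).
const FIELDS = [
    'who'     => '/\A[^\s@]{1,64}@[^\s@]{1,255}\z/',
    'date'    => '/\A\d{4}-\d{2}-\d{2}\z/',
    'comment' => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{1,1024}\z/u',
];

/**
 * Turn an untrusted request body into the single outbound request the proxy
 * is allowed to send, or return null to reject it.
 */
function build_es_request(string $rawBody): ?array
{
    if (strlen($rawBody) > MAX_BODY) {
        return null;
    }
    $in = json_decode($rawBody, true);
    if (!is_array($in)) {
        return null;
    }
    // Exactly the expected keys: no extras such as "_id", nothing missing.
    if (array_diff_key($in, FIELDS) || array_diff_key(FIELDS, $in)) {
        return null;
    }
    $doc = [];
    foreach (FIELDS as $name => $pattern) {
        // Values must be plain strings; nested objects or arrays are rejected.
        if (!is_string($in[$name]) || preg_match($pattern, $in[$name]) !== 1) {
            return null;
        }
        $doc[$name] = $in[$name];
    }
    // Method and URL are constants; only the re-encoded body varies.
    return ['method' => 'POST', 'url' => ES_BASE . ES_PATH, 'body' => json_encode($doc)];
}

// Constructed sample inputs: the second carries an extra "_id" key.
$ok  = '{"who":"dev@example.com","date":"2011-03-03","comment":"known intermittent"}';
$bad = '{"who":"dev@example.com","date":"2011-03-03","comment":"x","_id":"existing-doc"}';
var_dump(build_es_request($ok));
var_dump(build_es_request($bad));
```

Because the client never supplies the method, the path or a document ID, a request through this page can only create a new document; it does not prevent the garbage inserts the comment mentions.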
Any update on this?
Component: Server Operations → Server Operations: Netops
Access granted
Assignee: network-operations → arzhel
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard