Difference between revisions of "Educaship MediaWiki"

 
(85 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[CNM MediaWiki]] (formerly known as [[CNM Wikiware]]; hereinafter, the ''Soft'') is a [[CNM stable app]] primarily built with [[MediaWiki]]. In addition, the ''Soft'' deploys [[CNM MariaDB]] as its database management system and [[CNM LDAP]] for its [[authentication]] and [[authorization]].  
+
[[Educaship MediaWiki]] (formerly known as [[CNM Wikiware]]; hereinafter, the ''Soft'') is the [[CNM stable app]] that is based on [[MediaWiki]], which is a [[commercial off-the-shelf]] ([[COTS]]) [[wiki engine]]. In addition, the ''Soft'' deploys [[Educaship MariaDB]] as its [[database management system]] and [[Educaship LDAP]] for its [[authentication]] and [[authorization]].  
  
There are two major challenges that need to be addressed:
+
The ''Soft'' is configured to power [[CNM Wiki]], [[WikiHandsOn]], or [[WikiNext]], which are both [[CNMCyber service]]s and parts of [[Opplet]].  
# '''[[Identity and access management]]'''. For a few years, the stable version of the ''Soft'' has not been updated due to new versions' conflict with [[CNM LDAP]]. At some period of time, [[CNM Technology Board]] considered migration [[WSO2 IS]] and wasn't sure whether LDAP would remain necessary.
 
# '''[[Software repository]]'''. Currently, the ''Soft'' itself is used as the repository; no federated repository is available. Because [[CNM Cloud]] includes a few [[end-user application]]s, there is an idea to create one under the [[Warehouse for CNM Cloud]] project. Similarly, [[Wikipedia]] utilizes [[Wikimedia Commons]] as its repository. In addition, a few problems with pictures occurred in the past. As of early 2023, no problems are observed, but the quantity of stored files are about to increase significantly.
 
  
The ''Soft'' is configured to power [[CNM Wiki]], [[WikiHandsOn]], or [[WikiNext]] [[CNMCyber service|service]] of [[CNMCyber]]. The ''App'' is based on [[commercial off-the-shelf]] ([[COTS]]) [[wiki engine]], [[MediaWiki]]. The ''App'' is a part of [[CNM Cloud]].
 
  
 +
==Challenges==
 +
Guys, we are looking for one or more MediaWiki experts to resolve one or more of the challenges that are best described below.
 +
* Screening question: Have you found the description of the challenges? May you resolve one or more of them? Which one or ones?
 +
* We are open to teams. LDAP-MediaWiki and MediaWiki itself may require experts with different skill sets. We are interested in WSO2 IS - MediaWiki as well since we plan to add WSO2 IS. So, WSO2 IS-MediaWiki expert may be another freelancer.
  
==Business functionality==
+
===LDAP integration (urgent task)===
Besides supporting [[CNM Wiki]], the ''App'' serves as a practice tool in the learning that is delivered by [[Bracka School]] and related to [[knowledge management software]].
+
: ''Main wikipage: [[CNM MediaWiki IAM]]''
  
===System-user roles===
+
===File repository===
:[[Opplet]] handles [[identity and access management]] for the ''App'' (including "create account" and "change other users' rights" functions). Thus, the [[system-user role]]s of the ''App's'' users are those [[Opplet role]]s that are specifically based on rights of groups granted by [[MediaWiki]]. The software-defined rights can be found at [https://www.mediawiki.org/wiki/Manual:User_rights#List_of_groups MediaWiki's list of groups].
+
: [[Software repository]]:
 +
:# Currently, the ''Soft'' itself is used as the repository; no federated repository is available. Because [[Opplet]] includes a few [[end-user application]]s, there is an idea to create one under the [[Warehouse for CNM Cloud]] project. Similarly, [[Wikipedia]] utilizes [[Wikimedia Commons]] as its repository.
 +
:# In addition, a few problems with pictures occurred in the past. As of early 2023, no problems are observed, but the quantity of stored files are about to increase significantly.
 +
:# [[SVG]] file support is another issue of the ''Soft'' development. The overwhelming majority of corporate files are in the [[SVG]] format, but, because the ''Soft'' doesn't support SVG, they need to be converted in the [[PNG]] one.
  
===User stories===
+
: So, the team looks for moving the ''Soft's'' files into a new repository. Under the most desired solution, (a) its files shall be available to various applications within [[Opplet]] and (b) SVG-files shall be stored there and displayed properly by the ''Soft's'' instances. If the most desired solution is not feasible, under an acceptable solution various instances of the ''Soft'' shall display the repository's files. The team will provide the hired expert with full access to two virtual machines; on the one ''Soft's'' instance is installed and on the second one a new repository should be installed.
#As a [[NetAnyone]], I need to be able to:
 
#*Read and/or view contents of any wikipage at clearly understood [[URL]]s such as starting with https://wiki.friendsofcnm.org/
 
#*See the logo at the right upper corner and the name of the resource such as [[CNM Wiki]];
 
#*Feel safe while seeing that the ''App's'' resource is verified by the [[SSL certificate]];
 
#As a Russian-speaking [[NetAnyone]], I need to be able to locate wikipages in Russian, possibly, at [[URL]]s starting with https://wiki.friendsofcnm.org/ru
 
#As a [[NetConsumer]], I need to be able to add selected wikipages to my watchlist and receive notifications when the watched wikipages are updated to my email.
 
#As a [[CertAssociate]], I need to be able to:
 
#*Have predefined rights of a user (with a registered account) established at [[MediaWiki]];
 
#*Upload files, including [[SVG]] graphics, with sizes up to 2Mb; the combined size of all downloaded files shouldn't exceed 200Mb.
 
#As a [[CertFellow]], I need to:
 
#*Have predefined rights of a sysop established at [[MediaWiki]];
 
#*Be able to upload files up to 20Mb.
 
#As a [[OppletBureaucrat]], I need to:
 
#*Have predefined rights of a bureaucrat established at [[MediaWiki]];
 
#As a [[CloudAdmin]], I need to:
 
#*Make sure that [[CNM Wiki]] at least gets basic [[cyber-security]] features, especially [https://www.mediawiki.org/wiki/Manual:Security Manual:Security], implemented; new threats are monitored and, based on them, the security policy should be defined and, further, re-defined;
 
#*Be able to restore [[CNM Wiki]] if the working software collapses. No more than one hour of work is allowed to be lost.
 
  
==Architecture==
+
===Mail===
The ''App'' is a [[MediaWiki]] instance that is run on [[CNM Farms]].
+
: [[Opplet]], which part the ''Soft'' is, has a dedicated email server; the team wonders whether we can plug a ''Soft'' email client, which is currently unused, into that server. So, the most desired solution would be integration to our Postfix/Dovecot server; if the most desired solution is not available, internal email functioning would be accepted. The team will provide the hired expert with full access to the virtual machine on which ''Soft's'' instance is installed.
  
===MediaWiki===
+
===SOP===
:''Main wikipage: [[MediaWiki]]''
+
: Currently, [[CNM Farms]] policies are utilized for archive, backup, monitoring, security, snapshot, and restoration policies. However, there could be some ''Soft's'' useful plugins or policies that the team is unaware of. Specifically to its security, the team hasn't done pretty much anything. So, the team looks for (a) the updated ''Soft's'' [[standing operating procedure]] ([[standing operating procedure|SOP]]) and (b) a the ''Soft'' instance that would be built using the new ''SOP''. The team will provide the hired expert with full access to a virtual machine on which ''Soft's'' instance can be installed.
  
:The [[MediaWiki]] software is chosen as the ''App'' engine because its usability, productivity, and reliability. Particularly, [[MediaWiki]]:
+
===Guided tour===
:#Is easy to load (it is a light weight);
+
: We use the [[CNMCyber Guided Tours]] format and need someone to organize an event that would present the ''Soft''. The event should feature:
:#Allows integration with [[CNM Farms]] and, possibly, other [[CNM app]]s;
+
:# A speaker and/or presenter who would demonstrate a separate, so-called experiential, instance of the ''Soft'', while following its description. The participants shall follow the presentation, try the ''Soft'' instance on their own, ask questions, and get the speaker/presenter answers.
:#Is scalable and allows addition of more data as need arises;
+
:# Recording that would be published online by the team.
:#Is easy to navigate with a search function that makes it easy to search what any user wants;
 
:#Is cloud hosted so that it can be accessed anywhere;
 
:#Provides an audit trail that can provide identification of who has entered any new information.  
 
  
:[[MediaWiki]] also has a provision for the future usage of multiple languages. When the time for adding a new language comes, the existing system shall enable this addition without need for additional components to the original system. It will also enable the user to nominate their preferred language when entering their personal information.
+
===Markup specification===
  
===Platform===
+
===Talk-page rename===
:''Main wikipage: [[CNM Farms]]''
 
  
:[[CNM Farms]] shall provide the ''App'' with all resources that the ''App'' needs in order to run smoothly, including:
+
==Business functionality==
:*'''[[PHP]]'''-language support;
+
Besides supporting [[CNM Wiki]], the ''App'' serves as a practice tool in the learning that is delivered by [[Bracka School]] and related to [[knowledge management software]].  
:*'''[[OpenLDAP]]''' that [[CNM Cloud]] uses for [[identity and access management]]; and
 
:*'''[[MariaDB]]''' as the [[database management system]],
 
:Particularly, the platform shall:
 
:#Make sure that the ''App'' is available 99.99% of the time for any 24-hour period;
 
:#Doesn't store any confidential information, so such information cannot be accessed by anyone.
 
  
===Postponed upgrades===
+
===System-user roles===
:Currently, the ''App'' uses an outdated, [[Special:Version|1.26.4 version]] of [[MediaWiki]], because the extension used to connect to its [[OpenLDAP]] does not support newer versions. There are three choices to follow: (1) to find or create a new extension, (2) find another way to connect without using the extension, or (3) keep things as they are.
+
:[[Opplet]] handles [[identity and access management]] ([[identity and access management|IAM]]) for the ''Soft's'' instances (including "create account" and "change other users' rights" functions). Thus, the [[system-user role]]s of the ''Soft's'' users are those [[Opplet role]]s that are specifically based on rights of groups granted by [[MediaWiki]]. The software-defined rights can be found at [https://www.mediawiki.org/wiki/Manual:User_rights#List_of_groups MediaWiki's list of groups].
  
:The team decided to keep things as they are since the current architecture is temporary. When a new private cloud based on [[OpenStack]] is launched in the fourth phase of [[CNM Cloud Project]], its [[Keystone]] solution will be used for authentications. Plus, the ''App'' is going to contain no private information; all of its users' data is stored in [[Opplet.net]].
+
===Platform===
 +
: ''Main wikipage: [[CNM Farms]]''
 +
 
 +
: [[CNM Farms]] shall provide every instance of the ''Soft'' with all resources that the ''Soft'' needs in order to run smoothly, including:
 +
:* '''[[PHP]]'''-language support;
 +
:* '''[[HA]]''', with a target that the ''Soft'' is available 99.99% of the time for any 24-hour period;
 +
:* '''[[OpenLDAP]]''' that [[Opplet]] uses for [[identity and access management]];
 +
:* '''[[TLS]]''', and
 +
:* '''[[MariaDB]]''' as the [[database management system]].
 +
: Particularly, the platform shall not store any confidential information, so such information cannot be accessed by anyone.
  
 
==Security==
 
==Security==
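Review bot: The CloudAdmin user story at the end of the old "User stories" list appears only on the old side of this hunk, and nothing on the new side restates its two concrete requirements: implementing Manual:Security, and restoring the wiki with "No more than one hour of work is allowed to be lost". The new ===SOP=== paragraph asks for an updated SOP and says that on security "the team hasn't done pretty much anything", so I'd suggest carrying the Manual:Security reference and the one-hour loss limit into that paragraph as stated requirements, giving a hired expert a measurable target. The File repository, Mail and SOP paragraphs each promise "full access" to a virtual machine; consider stating what access each task actually needs. The old ===Postponed upgrades=== text, which recorded that the instance runs 1.26.4 because of the LDAP extension, is also gone, and the new ===LDAP integration (urgent task)=== section only links out, so the version constraint is no longer visible on this page.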
Line 77: Line 64:
 
*[https://www.mediawiki.org/wiki/Manual:Security/en#File_permissions File_permissions]
 
*[https://www.mediawiki.org/wiki/Manual:Security/en#File_permissions File_permissions]
  
===TLS===
 
::''Main wikipage: [[TLS]]''
 
 
===PHP===
 
::''Main wikipage: [[PHP security]]''
 
:[[PHP security]] is needed for pretty much any PHP environment; it is not necessarily specific to the ''App''.
 
LocalSettings.php usually contains sensitive data such as database logins. This data should never be revealed to the public! Due to a security breach somewhere on the server, it might happen that other users are able to view the contents of files. In order to improve security of your data, you should set UNIX permissions for this file accordingly: The webserver user must have access to this file. If this is the same account, who is the owner of the file, then you can set permissions to 600. Sometimes, the webserver user is not the file owner, but they are in the owner's UNIX user group. In this case, permissions of 640 should be fine. For improved security you should narrow permissions down as far as possible.
 
 
Additionally, you can create a MySQL user, who is restricted to only the database used by the wiki and provide this user's credentials in LocalSettings.php. Also you can configure your database server to only accept connections from localhost - this should prevent access from outside in case of leaked credentials.
 
 
===MariaDB===
 
 
===Maintenance scripts===
 
===Maintenance scripts===
 
===Upload security===
 
===Upload security===
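Review bot: The ===PHP=== block in this hunk appears only on the old side, which removes the LocalSettings.php paragraph (permissions of 600 when the webserver user owns the file, 640 when it is only in the owner's group) and the paragraph on a database user restricted to the wiki's database with localhost-only connections. That was the only hardening guidance written out in the Security section. If it is meant to live on the [[PHP security]] and file-permission wikipages, a one-line pointer under the File permissions heading would keep it findable, and the empty ===MariaDB=== heading could carry the restricted-user and localhost-only points instead of being dropped. Separately, the removed text says "MySQL user" while the page deploys MariaDB, which is worth aligning wherever the text ends up.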
Line 98: Line 74:
 
     To create a special group called "uploadaccess", and allow members of that group to upload files:
 
     To create a special group called "uploadaccess", and allow members of that group to upload files:
 
     $wgGroupPermissions['uploadaccess']['upload'] = true;
 
     $wgGroupPermissions['uploadaccess']['upload'] = true;
 
==Development==
 
 
===History===
 
:The first instance, 1.26.4 version, was installed under supervision of [[User: Mina Nizhnih]].
 
 
===Further development===
 
In order to constantly develop the ''App'', [[Friends Of CNM]] is looking for one or more vendors. This development project has at least two phases:
 
:#To identify [[#Acceptance criteria|Acceptance criteria]] that shall be met at the end of any further upgrade; and
 
:#To procure those upgrades from one or more vendors.
 
 
:[[RFB]] has been posted and the following responses are collected so far:
 
:*Define page types, naming conventions, user rights, expected behavior to select a set of useful extensions. Then develop ontologies, templates and forms for pages of various types. Adjust search function to the needs of the project.
 
:* Follow the [[updates]] at https://www.mediawiki.org/wiki/Download/ru and after the appearance of a new stable version, reinstall the ''App''. We used the latest version where the normal LDAP authorization module. You need to keep track of updates to the media and LDAP module. As soon as a newer version appears, you should need to update it on the test and check it out. If all is well, then it will be possible to update on the working site friendsofcnm.org
 
:* Monitor the detection of vulnerabilities and the emergence of solutions to eliminate them, apply them.
 
:* Support [[SSL certificate]] of Let's Encrypt (how to do it https://hostiq.ua/wiki/how-to-install-lets-encrypt-ssl/);
 
:* Regularly check the site for viruses using this link - https://www.virustotal.com/en/url/07612517c24492a2b4ecf505640d0c4e5d060149282543f1376dc6079b911641/analysis/1522339359/
 
:*The system shall ensure that there is no interference to the active users when maintenance is being done.If need be, the system shall not be shut down for maintenance more than once in a 24‐hour period.
 
:*The system shall produce a [[storage capacity]] warning notification when a particular percentage of [[storage capacity]] threshold is crossed with additional notifications issued thereafter at different threshold increments.
 
:*When a new version of the system(application) is released, it shall be possible to upgrade to it from any previous version.
 
 
==Evaluation criteria==
 
 
===Functional===
 
#Mobile client support
 
#Content structuring:
 
#*Automatic updating of links to other pages when moved
 
#*effort required to create a comprehensive structure
 
#*classifying content into subject categories
 
#*HTML Tags
 
#Ease of use
 
#*Finding content
 
#*Navigating up and down, back and forth
 
#*Commenting: Discussion Pages or Threaded?
 
#Ease of content creation
 
#*WYSIWYG editor
 
#*Quoting
 
#*Image Editing
 
#*SVG Editing
 
#Ease of collaborative participation
 
#*Concurrent editing
 
#Content Management – Version tracking
 
#Modularity of installed components – Do they all have to be installed? If not, can they be installed at anytime?
 
#Additional functionality
 
#*Full text search
 
#*Blogs/Forums
 
#*Email Notification
 
#*Calendar
 
#*Structured data
 
#*Structured data trackers, analysis and report tools
 
#*RSS Syndication
 
#*File Galleries
 
#*Articles
 
#*FAQs
 
#*Quizzes
 
#*Featured links
 
#*Slideshow
 
#*Messages
 
#*Chat
 
#*Newsletters
 
#*Shoutbox
 
#Dynamic Content
 
#Automatic Table of Contents
 
#Create links easily with other wikis
 
#Content Template
 
 
===Non-functional===
 
#Security
 
#*LDAP use built in or through plug-in
 
#*Back-end Authentication Methods Supported, e.g., OpenID, Active Directory, LDAP, Shibboleth, CAS, IMAP
 
#*ACL Support
 
#*User and Group Management granularity
 
#*Email encryption
 
#Wiki Release schedule
 
#Size of development community
 
#Extensible programming language
 
#Plug-in availability
 
#*Internal
 
#*External
 
#Import
 
#*From Media-wiki
 
#*From other sources
 
#Export to various formats
 
#Data store
 
#Programming languages supported
 
#Support
 
#*Forums
 
#*Mailing lists
 
#*Chat Channel
 
 
===Software to be evaluated===
 
:#[[BlueSpice MediaWiki]].
 
:#[[Tiki Wiki CMS Groupware]].
 
:#[[Wiki.js]].
 
:#[[XWiki]].
 
 
==Acceptance criteria==
 
===Vulnerability===
 
:{|class="wikitable" width=100% style="text-align:center;"
 
!#
 
|Feature
 
!Acceptance test!!Responsible
 
|-
 
|W001
 
![[PHP security]]
 
|style="text-align:left;"|
 
|Vendor for [[CNM Farms]]
 
|-
 
|W002
 
![[TLS]]
 
|style="text-align:left;"|
 
*''[[Let's Encrypt]]'' [[SSL certificate]] is seen in the [[URL field]] of a [[web browser]]
 
|The ''App'' vendor
 
|}
 
 
===Navigation===
 
#[[URL]]
 
#[[URL]] for Russian speakers
 
#Logo
 
#CNM Wiki name
 
 
===Editing alerts===
 
 
===Uploads===
 
#[[SVG]]
 
 
===Backup restoration===
 
 
==Development==
 
Development of the ''Soft'' occurs under the [[MediaWiki for CNM Cloud]] project.
 
  
 
==See also==
 
==See also==
 +
===Development===
 +
: Development of the ''Soft'' occurs under the [[MediaWiki for CNM Cloud]] project.
  
 
===Related lectures===
 
===Related lectures===
:*[[CNM Apps]].  
+
:* [[CNM Apps]].
  
 
[[Category:CNM COTS products]][[Category: CNM Cyber Orientation]][[Category: Articles]]
 
[[Category:CNM COTS products]][[Category: CNM Cyber Orientation]][[Category: Articles]]
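Review bot: The ===Vulnerability=== acceptance table (rows W001 [[PHP security]] and W002 [[TLS]]) appears only on the old side of this hunk, and the W001 row never had an acceptance test filled in. With the table gone, the page still lists '''[[TLS]]''' as a platform requirement but no longer says how it is verified or who is responsible, so I'd suggest moving both rows to wherever acceptance criteria now live, and completing W001, rather than dropping them. The old response bullets on tracking MediaWiki and LDAP-module updates and on monitoring vulnerabilities are removed as well, which leaves the "Vulnerability alerts" heading in the current Security section with no content behind it.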

Latest revision as of 06:23, 15 April 2024

Educaship MediaWiki (formerly known as CNM Wikiware; hereinafter, the Soft) is the CNM stable app that is based on MediaWiki, which is a commercial off-the-shelf (COTS) wiki engine. In addition, the Soft deploys Educaship MariaDB as its database management system and Educaship LDAP for its authentication and authorization.

The Soft is configured to power CNM Wiki, WikiHandsOn, or WikiNext, which are both CNMCyber services and parts of Opplet.


Challenges

Guys, we are looking for one or more MediaWiki experts to resolve one or more of the challenges that are best described below.

  • Screening question: Have you found the description of the challenges? Can you resolve one or more of them? Which one or ones?
  • We are open to teams. LDAP-MediaWiki and MediaWiki itself may require experts with different skill sets. We are interested in WSO2 IS - MediaWiki as well since we plan to add WSO2 IS. So, a WSO2 IS-MediaWiki expert may be another freelancer.

LDAP integration (urgent task)

Main wikipage: CNM MediaWiki IAM

File repository

Software repository:
  1. Currently, the Soft itself is used as the repository; no federated repository is available. Because Opplet includes a few end-user applications, there is an idea to create one under the Warehouse for CNM Cloud project. Similarly, Wikipedia utilizes Wikimedia Commons as its repository.
  2. In addition, a few problems with pictures occurred in the past. As of early 2023, no problems are observed, but the quantity of stored files is about to increase significantly.
  3. SVG file support is another issue of the Soft development. The overwhelming majority of corporate files are in the SVG format, but, because the Soft doesn't support SVG, they need to be converted to PNG.
So, the team is looking to move the Soft's files into a new repository. Under the most desired solution, (a) its files shall be available to various applications within Opplet and (b) SVG files shall be stored there and displayed properly by the Soft's instances. If the most desired solution is not feasible, under an acceptable solution various instances of the Soft shall display the repository's files. The team will provide the hired expert with full access to two virtual machines: an instance of the Soft is installed on the first, and the new repository should be installed on the second.

Mail

Opplet, of which the Soft is a part, has a dedicated email server; the team wonders whether we can plug the Soft's email client, which is currently unused, into that server. So, the most desired solution would be integration with our Postfix/Dovecot server; if the most desired solution is not available, internal email functioning would be accepted. The team will provide the hired expert with full access to the virtual machine on which the Soft's instance is installed.

SOP

Currently, CNM Farms policies are utilized for archive, backup, monitoring, security, snapshot, and restoration. However, there could be some useful plugins or policies for the Soft that the team is unaware of. As for its security specifically, the team has done almost nothing. So, the team is looking for (a) the updated standing operating procedure (SOP) for the Soft and (b) an instance of the Soft built using the new SOP. The team will provide the hired expert with full access to a virtual machine on which the Soft's instance can be installed.

Guided tour

We use the CNMCyber Guided Tours format and need someone to organize an event that would present the Soft. The event should feature:
  1. A speaker and/or presenter who would demonstrate a separate, so-called experiential, instance of the Soft, while following its description. The participants shall follow the presentation, try the Soft instance on their own, ask questions, and get the speaker's or presenter's answers.
  2. A recording that would be published online by the team.

Markup specification

Talk-page rename

Business functionality

Besides supporting CNM Wiki, the App serves as a practice tool in the learning that is delivered by Bracka School and related to knowledge management software.

System-user roles

Opplet handles identity and access management (IAM) for the Soft's instances (including "create account" and "change other users' rights" functions). Thus, the system-user roles of the Soft's users are those Opplet roles that are specifically based on rights of groups granted by MediaWiki. The software-defined rights can be found at MediaWiki's list of groups.

Platform

Main wikipage: CNM Farms
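CNM Farms shall provide every instance of the Soft with all resources that the Soft needs in order to run smoothly, including:
  • PHP-language support;
  • HA, with a target that the Soft is available 99.99% of the time for any 24-hour period;
  • OpenLDAP that Opplet uses for identity and access management;
  • TLS, and
  • MariaDB as the database management system.
Particularly, the platform shall not store any confidential information, so such information cannot be accessed by anyone.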

Security

Vulnerability alerts

Extensions

  • Extensions
  • Sendmail is required in order for the system to be able to send e-mails.
  • Shell access is required to run maintenance scripts; upgrading MediaWiki may be more difficult without it.

File permissions

Main wikipage: File permission

Maintenance scripts

Upload security

Main wikipage: Upload_security

   Upload permissions
   By default, all registered users can upload files. To restrict this, you have to change $wgGroupPermissions:
   To prevent normal users from uploading files:
   $wgGroupPermissions['user']['upload'] = false;
   To create a special group called "uploadaccess", and allow members of that group to upload files:
   $wgGroupPermissions['uploadaccess']['upload'] = true;

See also

Development

Development of the Soft occurs under the MediaWiki for CNM Cloud project.

Related lectures