|
(Tag: Redirect target changed) |
(57 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
− | [[CNM Wikiware]] (hereinafter, the ''App'') is the [[CNM app]] that empowers [[CNM Wiki]] and, possibly, other publicly-available [[knowledge base]]s of [[Friends Of CNM]]. The ''App'' is both:
| + | #REDIRECT [[Educaship MediaWiki]] |
− | *[[Knowledge management software]] that utilizes [[MediaWiki]] as its engine and is supported by [[CNM Platform]] including [[MariaDB]] instances that the ''App'' uses as its [[database management system]] and [[OpenLDAP]] that is used as the users' directory. The ''App'' includes a special extension that connects [[MediaWiki]] and [[OpenLDAP]]; and
| |
− | *A service of the [[CNM Cloud]] particularly available at [https://wiki.ksacerts.com wiki.ksacerts.com].
| |
− | | |
− | | |
− | ==Business functionality==
| |
− | Besides supporting [[CNM Wiki]], the ''App'' serves as a practice tool in the learning that is delivered by [[Bracka School]] and related to [[knowledge management software]].
| |
− | | |
− | ===Permitted user roles===
| |
− | :[[Opplet]] handles user management for the ''App'' (including "create account" and "change other users' rights" functions). Thus, the [[permitted user role]]s of the ''App's'' users are those [[Opplet role]]s that are specifically based on rights of groups granted by [[MediaWiki]]. The software-defined rights can be found at [https://www.mediawiki.org/wiki/Manual:User_rights#List_of_groups MediaWiki's list of groups].
| |
− | | |
− | ===User stories===
| |
− | #As a [[NetAnyone]], I need to be able to:
| |
− | #*Read and/or view contents of any wikipage at clearly understood [[URL]]s such as starting with https://wiki.ksacerts.com/
| |
− | #*See the logo at the right upper corner and the name of the resource such as [[CNM Wiki]];
| |
− | #*Feel safe while seeing that the ''App's'' resource is verified by the [[SSL]] certificate;
| |
− | #As a Russian-speaking [[NetAnyone]], I need to be able to locate wikipages in Russian, possibly, at [[URL]]s starting with https://wiki.ksacerts.com/ru
| |
− | #As a [[NetConsumer]], I need to be able to add selected wikipages to my watchlist and receive notifications when the watched wikipages are updated to my email.
| |
− | #As a [[CertAssociate]] and/or [[CertDeveloper]], I need to be able to:
| |
− | #*Have predefined rights of a user (with a registered account) established at [[MediaWiki]];
| |
− | #*Upload files, including [[SVG]] graphics, with sizes up to 2Mb; the combined size of all downloaded files shouldn't exceed 200Mb.
| |
− | #As a [[CertFellow]], I need to:
| |
− | #*Have predefined rights of a sysop established at [[MediaWiki]];
| |
− | #*Be able to upload files up to 20Mb.
| |
− | #As a [[OppletBureaucrat]], I need to:
| |
− | #*Have predefined rights of a bureaucrat established at [[MediaWiki]];
| |
− | #As a [[CloudAdmin]], I need to:
| |
− | #*Make sure that [[CNM Wiki]] at least gets basic [[cyber-security]] features, especially [https://www.mediawiki.org/wiki/Manual:Security Manual:Security], implemented; new threats are monitored and, based on them, the security policy should be defined and, further, re-defined;
| |
− | #*Be able to restore [[CNM Wiki]] if the working software collapses. No more than one hour of work is allowed to be lost.
| |
− | | |
− | ==Architecture==
| |
− | The ''App'' is a [[MediaWiki]] instance that is run on [[CNM Platform]].
| |
− | | |
− | ===MediaWiki===
| |
− | :''Main wikipage: [[MediaWiki]]''
| |
− | | |
− | :The [[MediaWiki]] software is chosen as the ''App'' engine because its usability, productivity, and reliability. Particularly, [[MediaWiki]]:
| |
− | :#Is easy to load (it is a light weight);
| |
− | :#Allows integration with [[CNM Platform]] and, possibly, other [[CNM app]]s;
| |
− | :#Is scalable and allows addition of more data as need arises;
| |
− | :#Is easy to navigate with a search function that makes it easy to search what any user wants;
| |
− | :#Is cloud hosted so that it can be accessed anywhere;
| |
− | :#Provides an audit trail that can provide identification of who has entered any new information.
| |
− | | |
− | :[[MediaWiki]] also has a provision for the future usage of multiple languages. When the time for adding a new language comes, the existing system shall enable this addition without need for additional components to the original system. It will also enable the user to nominate their preferred language when entering their personal information.
| |
− | | |
− | ===Platform===
| |
− | :''Main wikipage: [[CNM Platform]]''
| |
− | | |
− | :[[CNM Platform]] shall provide the ''App'' with all resources that the ''App'' needs in order to run smoothly, including:
| |
− | :*'''[[PHP]]'''-language support;
| |
− | :*'''[[OpenLDAP]]''' that [[CNM Cloud]] uses for [[user management]]; and
| |
− | :*'''[[MariaDB]]''' as the [[database management system]],
| |
− | :Particularly, the platform shall:
| |
− | :#Make sure that the ''App'' is available 99.99% of the time for any 24-hour period;
| |
− | :#Doesn't store any confidential information, so such information cannot be accessed by anyone.
| |
− | | |
− | ===Postponed upgrades===
| |
− | :Currently, the ''App'' uses an outdated, [[Special:Version|1.26.4 version]] of [[MediaWiki]], because the extension used to connect to its [[OpenLDAP]] does not support newer versions. There are three choices to follow: (1) to find or create a new extension, (2) find another way to connect without using the extension, or (3) keep things as they are.
| |
− | | |
− | :The team decided to keep things as they are since the current architecture is temporary. When a new private cloud based on [[OpenStack]] is launched in the fourth phase of [[CNM Cloud Project]], its [[Keystone]] solution will be used for authentications. Plus, the ''App'' is going to contain no private information; all of its users' data is stored in [[Opplet.net]].
| |
− | | |
− | ==Security==
| |
− | ===Vulnerability alerts===
| |
− | | |
− | ===Extensions===
| |
− | *[https://www.mediawiki.org/wiki/Manual:Security/en#Be_careful_about_which_extensions_you_use Extensions]
| |
− | *Sendmail is required in order for the system to be able to send e-mails.
| |
− | *Shell access is required to run maintenance scripts; upgrading MediaWiki may be more difficult without it.
| |
− | | |
− | ===File permissions===
| |
− | ::''Main wikipage: [[File permission]]''
| |
− | *[https://www.mediawiki.org/wiki/Manual:Security/en#File_permissions File_permissions]
| |
− | | |
− | ===TLS===
| |
− | ::''Main wikipage: [[TLS]]''
| |
− | | |
− | ===PHP===
| |
− | ::''Main wikipage: [[PHP security]]''
| |
− | :[[PHP security]] is needed for pretty much any PHP environment; it is not necessarily specific to the ''App''.
| |
− | LocalSettings.php usually contains sensitive data such as database logins. This data should never be revealed to the public! Due to a security breach somewhere on the server, it might happen that other users are able to view the contents of files. In order to improve security of your data, you should set UNIX permissions for this file accordingly: The webserver user must have access to this file. If this is the same account, who is the owner of the file, then you can set permissions to 600. Sometimes, the webserver user is not the file owner, but they are in the owner's UNIX user group. In this case, permissions of 640 should be fine. For improved security you should narrow permissions down as far as possible.
| |
− | | |
− | Additionally, you can create a MySQL user, who is restricted to only the database used by the wiki and provide this user's credentials in LocalSettings.php. Also you can configure your database server to only accept connections from localhost - this should prevent access from outside in case of leaked credentials.
| |
− | | |
− | ===MariaDB===
| |
− | ===Maintenance scripts===
| |
− | ===Upload security===
| |
− | | |
− | Main wikipage: [https://www.mediawiki.org/wiki/Manual:Security/en#Upload_security Upload_security]
| |
− | '''Upload permissions'''
| |
− | Per default, all registered users can upload files. To restrict this, you have to change $wgGroupPermissions:
| |
− | To prevent normal users from uploading files:
| |
− | $wgGroupPermissions['user']['upload'] = false;
| |
− | To create a special group called "uploadaccess", and allow members of that group to upload files:
| |
− | $wgGroupPermissions['uploadaccess']['upload'] = true;
| |
− | | |
− | ==Development==
| |
− | | |
− | ===History===
| |
− | :The first instance, 1.26.4 version, was installed under supervision of [[User: Mina Nizhnih]].
| |
− | | |
− | ===Further development===
| |
− | In order to constantly develop the ''App'', [[Friends Of CNM]] is looking for one or more vendors. This development project has at least two phases:
| |
− | :#To identify [[#Acceptance criteria|Acceptance criteria]] that shall be met at the end of any further upgrade; and
| |
− | :#To procure those upgrades from one or more vendors.
| |
− | | |
− | :[[RFB]] has been posted and the following responses are collected so far:
| |
− | :*Define page types, naming conventions, user rights, expected behavior to select a set of useful extensions. Then develop ontologies, templates and forms for pages of various types. Adjust search function to the needs of the project.
| |
− | :* Follow the [[updates]] at https://www.mediawiki.org/wiki/Download/ru and after the appearance of a new stable version, reinstall the ''App''. We used the latest version where the normal LDAP authorization module. You need to keep track of updates to the media and LDAP module. As soon as a newer version appears, you should need to update it on the test and check it out. If all is well, then it will be possible to update on the working site ksacerts.com
| |
− | :* Monitor the detection of vulnerabilities and the emergence of solutions to eliminate them, apply them.
| |
− | :* Support SSL certificate of Let's Encrypt (how to do it https://hostiq.ua/wiki/how-to-install-lets-encrypt-ssl/);
| |
− | :* Regularly check the site for viruses using this link - https://www.virustotal.com/en/url/07612517c24492a2b4ecf505640d0c4e5d060149282543f1376dc6079b911641/analysis/1522339359/
| |
− | :*The system shall ensure that there is no interference to the active users when maintenance is being done.If need be, the system shall not be shut down for maintenance more than once in a 24‐hour period.
| |
− | :*The system shall produce a storage capacity warning notification when a particular percentage of storage capacity threshold is crossed with additional notifications issued thereafter at different threshold increments.
| |
− | :*When a new version of the system(application) is released, it shall be possible to upgrade to it from any previous version.
| |
− | | |
− | ==Acceptance criteria==
| |
− | ===Vulnerability===
| |
− | :{|class="wikitable" width=100% style="text-align:center;"
| |
− | !#
| |
− | |Feature
| |
− | !Acceptance test!!Responsible
| |
− | |-
| |
− | |W001
| |
− | ![[PHP security]]
| |
− | |style="text-align:left;"|
| |
− | |Vendor for [[CNM Infrastructure]]
| |
− | |-
| |
− | |W002
| |
− | ![[TLS]]
| |
− | |style="text-align:left;"|
| |
− | *''[[Let's Encrypt]]'' [[SSL certificate]] is seen in the [[URL field]] of a [[web browser]]
| |
− | |The ''App'' vendor
| |
− | |}
| |
− | | |
− | ===Navigation===
| |
− | #[[URL]]
| |
− | #[[URL]] for Russian speakers
| |
− | #Logo
| |
− | #CNM Wiki name
| |
− | | |
− | ===Editing alerts===
| |
− | | |
− | ===Uploads===
| |
− | #[[SVG]]
| |
− | | |
− | ===Backup===
| |
− | .ready(function ($)
| |
− | {
| |
− | $('#wpTextbox1').wikiEditor('addToToolbar', {
| |
− | section: 'advanced',
| |
− | group: 'format',
| |
− | tools: {
| |
− | buttonId: {
| |
− | label: 'Comment visible only for editors',
| |
− | type: 'button',
| |
− | icon: '//upload.wikimedia.org/wikipedia/commons/f/f9/Toolbaricon_regular_S_stroke.png',
| |
− | action: {
| |
− | type: 'encapsulate',
| |
− | options: {
| |
− | pre: "<!-- ",
| |
− | peri: "Insert comment here",
| |
− | post: " -->"
| |
− | }
| |
− | }
| |
− | }
| |
− | }
| |
− | });
| |
− | });
| |
− | | |
− | ===Backup restoration===
| |
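Review bot: replacing the page with `#REDIRECT [[Educaship MediaWiki]]` removes the only copy on this page of the wiki's hardening notes, so before this lands confirm that the target page carries them or that they are intentionally retired: the LocalSettings.php guidance ("you can set permissions to 600", "permissions of 640 should be fine"), the advice to create a MySQL user restricted to the wiki database and to accept database connections only from localhost, the upload restriction `$wgGroupPermissions['user']['upload'] = false;` together with the `uploadaccess` group, and the recorded decision to stay on MediaWiki 1.26.4 because the OpenLDAP extension does not support newer versions. Two of the removed items also deserve a fix on the target page rather than silent deletion: the wikiEditor `addToToolbar` JavaScript sits under ===Backup=== where a backup procedure belongs (it only adds a toolbar button that wraps text in `<!-- -->`, which has nothing to do with restoring the wiki), and the "Regularly check the site for viruses" bullet links to a single dated VirusTotal analysis result rather than to anything that re-scans the site. The empty sections (Vulnerability alerts, MariaDB, Maintenance scripts, Backup restoration) and the blank W001 acceptance-test cell can go with the redirect without loss.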