Difference between revisions of "CNM Wikiware"

From CNM Wiki
Jump to: navigation, search
(Backup)
(Backup restoration)
Line 146: Line 146:
  
 
===Backup restoration===
 
===Backup restoration===
 +
 +
==Related coursework==
 +
*[[Introduction to CNM Cloud]].
 +
 +
[[Category: WorldOpp Orientation]][[Category: Articles]]

Revision as of 01:48, 31 December 2018

CNM Wikiware (hereinafter, the App) is the CNM app that empowers CNM Wiki and, possibly, other publicly-available knowledge bases of Friends Of CNM. The App is both:


Business functionality

Besides supporting CNM Wiki, the App serves as a practice tool in the learning that is delivered by Bracka School and related to knowledge management software.

Permitted user roles

Opplet handles user management for the App (including "create account" and "change other users' rights" functions). Thus, the permitted user roles of the App's users are those Opplet roles that are specifically based on rights of groups granted by MediaWiki. The software-defined rights can be found at MediaWiki's list of groups.

User stories

  1. As a NetAnyone, I need to be able to:
    • Read and/or view contents of any wikipage at clearly understood URLs such as starting with https://wiki.ksacerts.com/
    • See the logo at the right upper corner and the name of the resource such as CNM Wiki;
    • Feel safe while seeing that the App's resource is verified by the SSL certificate;
  2. As a Russian-speaking NetAnyone, I need to be able to locate wikipages in Russian, possibly, at URLs starting with https://wiki.ksacerts.com/ru
  3. As a NetConsumer, I need to be able to add selected wikipages to my watchlist and receive notifications when the watched wikipages are updated to my email.
  4. As a CertAssociate and/or CertDeveloper, I need to be able to:
    • Have predefined rights of a user (with a registered account) established at MediaWiki;
    • Upload files, including SVG graphics, with sizes up to 2Mb; the combined size of all downloaded files shouldn't exceed 200Mb.
  5. As a CertFellow, I need to:
    • Have predefined rights of a sysop established at MediaWiki;
    • Be able to upload files up to 20Mb.
  6. As a OppletBureaucrat, I need to:
    • Have predefined rights of a bureaucrat established at MediaWiki;
  7. As a CloudAdmin, I need to:
    • Make sure that CNM Wiki at least gets basic cyber-security features, especially Manual:Security, implemented; new threats are monitored and, based on them, the security policy should be defined and, further, re-defined;
    • Be able to restore CNM Wiki if the working software collapses. No more than one hour of work is allowed to be lost.

Architecture

The App is a MediaWiki instance that is run on CNM Platform.

MediaWiki

Main wikipage: MediaWiki
The MediaWiki software is chosen as the App engine because its usability, productivity, and reliability. Particularly, MediaWiki:
  1. Is easy to load (it is a light weight);
  2. Allows integration with CNM Platform and, possibly, other CNM apps;
  3. Is scalable and allows addition of more data as need arises;
  4. Is easy to navigate with a search function that makes it easy to search what any user wants;
  5. Is cloud hosted so that it can be accessed anywhere;
  6. Provides an audit trail that can provide identification of who has entered any new information.
MediaWiki also has a provision for the future usage of multiple languages. When the time for adding a new language comes, the existing system shall enable this addition without need for additional components to the original system. It will also enable the user to nominate their preferred language when entering their personal information.

Platform

Main wikipage: CNM Platform
CNM Platform shall provide the App with all resources that the App needs in order to run smoothly, including:
Particularly, the platform shall:
  1. Make sure that the App is available 99.99% of the time for any 24-hour period;
  2. Doesn't store any confidential information, so such information cannot be accessed by anyone.

Postponed upgrades

Currently, the App uses an outdated, 1.26.4 version of MediaWiki, because the extension used to connect to its OpenLDAP does not support newer versions. There are three choices to follow: (1) to find or create a new extension, (2) find another way to connect without using the extension, or (3) keep things as they are.
The team decided to keep things as they are since the current architecture is temporary. When a new private cloud based on OpenStack is launched in the fourth phase of CNM Cloud Project, its Keystone solution will be used for authentications. Plus, the App is going to contain no private information; all of its users' data is stored in Opplet.net.

Security

Vulnerability alerts

Extensions

  • Extensions
  • Sendmail is required in order for the system to be able to send e-mails.
  • Shell access is required to run maintenance scripts; upgrading MediaWiki may be more difficult without it.

File permissions

Main wikipage: File permission

TLS

Main wikipage: TLS

PHP

Main wikipage: PHP security
PHP security is needed for pretty much any PHP environment; it is not necessarily specific to the App.

LocalSettings.php usually contains sensitive data such as database logins. This data should never be revealed to the public! Due to a security breach somewhere on the server, it might happen that other users are able to view the contents of files. In order to improve security of your data, you should set UNIX permissions for this file accordingly: The webserver user must have access to this file. If this is the same account, who is the owner of the file, then you can set permissions to 600. Sometimes, the webserver user is not the file owner, but they are in the owner's UNIX user group. In this case, permissions of 640 should be fine. For improved security you should narrow permissions down as far as possible.

Additionally, you can create a MySQL user, who is restricted to only the database used by the wiki and provide this user's credentials in LocalSettings.php. Also you can configure your database server to only accept connections from localhost - this should prevent access from outside in case of leaked credentials.

MariaDB

Maintenance scripts

Upload security

Main wikipage: Upload_security

   Upload permissions
   Per default, all registered users can upload files. To restrict this, you have to change $wgGroupPermissions:
   To prevent normal users from uploading files:
   $wgGroupPermissions['user']['upload'] = false;
   To create a special group called "uploadaccess", and allow members of that group to upload files:
   $wgGroupPermissions['uploadaccess']['upload'] = true;

Development

History

The first instance, 1.26.4 version, was installed under supervision of User: Mina Nizhnih.

Further development

In order to constantly develop the App, Friends Of CNM is looking for one or more vendors. This development project has at least two phases:

  1. To identify Acceptance criteria that shall be met at the end of any further upgrade; and
  2. To procure those upgrades from one or more vendors.
RFB has been posted and the following responses are collected so far:
  • Define page types, naming conventions, user rights, expected behavior to select a set of useful extensions. Then develop ontologies, templates and forms for pages of various types. Adjust search function to the needs of the project.
  • Follow the updates at https://www.mediawiki.org/wiki/Download/ru and after the appearance of a new stable version, reinstall the App. We used the latest version where the normal LDAP authorization module. You need to keep track of updates to the media and LDAP module. As soon as a newer version appears, you should need to update it on the test and check it out. If all is well, then it will be possible to update on the working site ksacerts.com
  • Monitor the detection of vulnerabilities and the emergence of solutions to eliminate them, apply them.
  • Support SSL certificate of Let's Encrypt (how to do it https://hostiq.ua/wiki/how-to-install-lets-encrypt-ssl/);
  • Regularly check the site for viruses using this link - https://www.virustotal.com/en/url/07612517c24492a2b4ecf505640d0c4e5d060149282543f1376dc6079b911641/analysis/1522339359/
  • The system shall ensure that there is no interference to the active users when maintenance is being done.If need be, the system shall not be shut down for maintenance more than once in a 24‐hour period.
  • The system shall produce a storage capacity warning notification when a particular percentage of storage capacity threshold is crossed with additional notifications issued thereafter at different threshold increments.
  • When a new version of the system(application) is released, it shall be possible to upgrade to it from any previous version.

Acceptance criteria

Vulnerability

# Feature Acceptance test Responsible
W001 PHP security Vendor for CNM Infrastructure
W002 TLS The App vendor

Navigation

  1. URL
  2. URL for Russian speakers
  3. Logo
  4. CNM Wiki name

Editing alerts

Uploads

  1. SVG

Backup restoration

Related coursework