Posted to dev@kudu.apache.org by Attila Bukor <ab...@apache.org> on 2018/07/25 19:55:23 UTC

securing our infra

Hi Everyone,

I've noticed that our infra is somewhat lacking in terms of security:

- http://kudu.apache.org doesn't redirect to https://kudu.apache.org
- https://jenkins.kudu.apache.org doesn't exist, even though secure information
  is sent to this server (passwords)

The newest Chrome release will show warnings when connecting to http://
sites[1], so I think it's about time to fix these and I'd like to volunteer to
do it.

What are your thoughts? Please let me know if I missed any other
security/infra-related shortcomings.

Thanks,
Attila

[1] https://www.wired.com/story/google-chrome-https-not-secure-label/

Re: securing our infra

Posted by Todd Lipcon <to...@cloudera.com.INVALID>.
On Wed, Aug 8, 2018 at 9:46 AM, Attila Bukor <ab...@apache.org> wrote:

> On Thu, Aug 02, 2018 at 01:20:39PM -0700, Mike Percy wrote:
> > I don't really think it's a major security issue since passwords and
> > personal credentials are not transmitted over http.
> Yeah, this is more like a nice to have to prevent Chrome from
> complaining.
> >
> > However +1 from me, we should be able to do the http -> https redirect in
> > the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess
> Nice, thanks, didn't know .htaccess is checked in. Just submitted a
> review: https://gerrit.cloudera.org/c/11162/
> >
> > Mike
> >
> > On Thu, Aug 2, 2018 at 12:21 PM Dan Burkert <da...@apache.org> wrote:
> >
> > > I think redirecting http://kudu.apache.org to https://kudu.apache.org
> > > would
> > > be a great step.  Adding https to the jenkins instance would also be nice,
> > > but there may be some complication because of the infra it's hosted on (I
> > > think a Cloudera-managed GCE instance?).
> Dan, do you know who manages this part of the infra?
>

Usually that's me. We are just using
https://github.com/carlossg/jenkins-swarm-docker to start the Jenkins
server.

-Todd

>
> > >
> > > - Dan
> > >
> > > On Wed, Jul 25, 2018 at 12:55 PM, Attila Bukor <ab...@apache.org> wrote:
> > >
> > > > Hi Everyone,
> > > >
> > > > I've noticed that our infra is somewhat lacking in terms of security:
> > > >
> > > > - http://kudu.apache.org doesn't redirect to https://kudu.apache.org
> > > > - https://jenkins.kudu.apache.org doesn't exist, even though secure
> > > > information
> > > >   is sent to this server (passwords)
> > > >
> > > > The newest Chrome release will show warnings when connecting to http://
> > > > sites[1], so I think it's about time to fix these and I'd like to
> > > > volunteer to
> > > > do it.
> > > >
> > > > What are your thoughts? Please let me know if I missed any other
> > > > security/infra-related shortcomings.
> > > >
> > > > Thanks,
> > > > Attila
> > > >
> > > > [1] https://www.wired.com/story/google-chrome-https-not-secure-label/
> > > >
> > >
>



-- 
Todd Lipcon
Software Engineer, Cloudera

Re: securing our infra

Posted by Attila Bukor <ab...@apache.org>.
On Thu, Aug 02, 2018 at 01:20:39PM -0700, Mike Percy wrote:
> I don't really think it's a major security issue since passwords and
> personal credentials are not transmitted over http.
Yeah, this is more like a nice to have to prevent Chrome from
complaining.
> 
> However +1 from me, we should be able to do the http -> https redirect in
> the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess
Nice, thanks, didn't know .htaccess is checked in. Just submitted a
review: https://gerrit.cloudera.org/c/11162/
> 
> Mike
> 
> On Thu, Aug 2, 2018 at 12:21 PM Dan Burkert <da...@apache.org> wrote:
> 
> > I think redirecting http://kudu.apache.org to https://kudu.apache.org
> > would
> > be a great step.  Adding https to the jenkins instance would also be nice,
> > but there may be some complication because of the infra it's hosted on (I
> > think a Cloudera-managed GCE instance?).
Dan, do you know who manages this part of the infra?
> >
> > - Dan
> >
> > On Wed, Jul 25, 2018 at 12:55 PM, Attila Bukor <ab...@apache.org> wrote:
> >
> > > Hi Everyone,
> > >
> > > I've noticed that our infra is somewhat lacking in terms of security:
> > >
> > > - http://kudu.apache.org doesn't redirect to https://kudu.apache.org
> > > - https://jenkins.kudu.apache.org doesn't exist, even though secure
> > > information
> > >   is sent to this server (passwords)
> > >
> > > The newest Chrome release will show warnings when connecting to http://
> > > sites[1], so I think it's about time to fix these and I'd like to
> > > volunteer to
> > > do it.
> > >
> > > What are your thoughts? Please let me know if I missed any other
> > > security/infra-related shortcomings.
> > >
> > > Thanks,
> > > Attila
> > >
> > > [1] https://www.wired.com/story/google-chrome-https-not-secure-label/
> > >
> >

Re: securing our infra

Posted by Mike Percy <mp...@apache.org>.
I don't really think it's a major security issue since passwords and
personal credentials are not transmitted over http.

However +1 from me, we should be able to do the http -> https redirect in
the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess

Mike

On Thu, Aug 2, 2018 at 12:21 PM Dan Burkert <da...@apache.org> wrote:

> I think redirecting http://kudu.apache.org to https://kudu.apache.org
> would
> be a great step.  Adding https to the jenkins instance would also be nice,
> but there may be some complication because of the infra it's hosted on (I
> think a Cloudera-managed GCE instance?).
>
> - Dan
>
> On Wed, Jul 25, 2018 at 12:55 PM, Attila Bukor <ab...@apache.org> wrote:
>
> > Hi Everyone,
> >
> > I've noticed that our infra is somewhat lacking in terms of security:
> >
> > - http://kudu.apache.org doesn't redirect to https://kudu.apache.org
> > - https://jenkins.kudu.apache.org doesn't exist, even though secure
> > information
> >   is sent to this server (passwords)
> >
> > The newest Chrome release will show warnings when connecting to http://
> > sites[1], so I think it's about time to fix these and I'd like to
> > volunteer to
> > do it.
> >
> > What are your thoughts? Please let me know if I missed any other
> > security/infra-related shortcomings.
> >
> > Thanks,
> > Attila
> >
> > [1] https://www.wired.com/story/google-chrome-https-not-secure-label/
> >
>
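
One way to write the http -> https redirect in .htaccess that Mike describes above, as an added example: it is not the project's actual .htaccess and not the change submitted for review in this thread. It assumes mod_rewrite is loaded and that .htaccess overrides are allowed for the site; the X-Forwarded-Proto variant is an assumption about a hosting setup the thread does not describe.

```apache
# Added example. Assumes mod_rewrite is loaded and .htaccess overrides
# (AllowOverride FileInfo) are permitted for the site's document root.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Case 1: TLS terminates on this Apache instance, so %{HTTPS} reflects
    # the scheme the client actually used.
    RewriteCond %{HTTPS} !=on

    # Case 2 (assumption: a proxy or load balancer terminates TLS and sets
    # X-Forwarded-Proto). %{HTTPS} is then always "off" at this server, and
    # the Case 1 condition alone would redirect in a loop. Replace it with:
    # RewriteCond %{HTTP:X-Forwarded-Proto} !=https

    # The target host is written out rather than taken from %{HTTP_HOST}, so
    # a client-supplied Host header cannot steer the redirect elsewhere.
    # R=301 makes the redirect permanent, NE avoids re-escaping the path,
    # and the original query string is appended automatically.
    RewriteRule ^ https://kudu.apache.org%{REQUEST_URI} [R=301,L,NE]
</IfModule>
```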

Re: securing our infra

Posted by Dan Burkert <da...@apache.org>.
I think redirecting http://kudu.apache.org to https://kudu.apache.org would
be a great step.  Adding https to the jenkins instance would also be nice,
but there may be some complication because of the infra it's hosted on (I
think a Cloudera-managed GCE instance?).

- Dan

On Wed, Jul 25, 2018 at 12:55 PM, Attila Bukor <ab...@apache.org> wrote:

> Hi Everyone,
>
> I've noticed that our infra is somewhat lacking in terms of security:
>
> - http://kudu.apache.org doesn't redirect to https://kudu.apache.org
> - https://jenkins.kudu.apache.org doesn't exist, even though secure
> information
>   is sent to this server (passwords)
>
> The newest Chrome release will show warnings when connecting to http://
> sites[1], so I think it's about time to fix these and I'd like to
> volunteer to
> do it.
>
> What are your thoughts? Please let me know if I missed any other
> security/infra-related shortcomings.
>
> Thanks,
> Attila
>
> [1] https://www.wired.com/story/google-chrome-https-not-secure-label/
>