Posted to dev@kudu.apache.org by Attila Bukor <ab...@apache.org> on 2018/07/25 19:55:23 UTC
securing our infra
Hi Everyone,
I've noticed that our infra is somewhat lacking in terms of security:
- http://kudu.apache.org doesn't redirect to https://kudu.apache.org
- https://jenkins.kudu.apache.org doesn't exist, even though secure information
is sent to this server (passwords)
The newest Chrome release will show warnings when connecting to http://
sites[1], so I think it's about time to fix these and I'd like to volunteer to
do it.
What are your thoughts? Please let me know if I missed any other
security/infra-related shortcomings.
Thanks,
Attila
[1] https://www.wired.com/story/google-chrome-https-not-secure-label/
Re: securing our infra
Posted by Todd Lipcon <to...@cloudera.com.INVALID>.
On Wed, Aug 8, 2018 at 9:46 AM, Attila Bukor <ab...@apache.org> wrote:
> On Thu, Aug 02, 2018 at 01:20:39PM -0700, Mike Percy wrote:
> > I don't really think it's a major security issue since passwords and
> > personal credentials are not transmitted over http.
> Yeah, this is more like a nice to have to prevent Chrome from
> complaining.
> >
> > However +1 from me, we should be able to do the http -> https redirect in
> > the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess
> Nice, thanks, didn't know .htaccess is checked in. Just submitted a
> review: https://gerrit.cloudera.org/c/11162/
> >
> > Mike
> >
> > On Thu, Aug 2, 2018 at 12:21 PM Dan Burkert <da...@apache.org> wrote:
> >
> > > I think redirecting http://kudu.apache.org to https://kudu.apache.org would
> > > be a great step. Adding https to the jenkins instance would also be nice,
> > > but there may be some complication because of the infra it's hosted on (I
> > > think a Cloudera-managed GCE instance?).
> Dan, do you know who manages this part of the infra?
>
Usually that's me. We are just using
https://github.com/carlossg/jenkins-swarm-docker to start the Jenkins
server.
-Todd
--
Todd Lipcon
Software Engineer, Cloudera
Re: securing our infra
Posted by Attila Bukor <ab...@apache.org>.
On Thu, Aug 02, 2018 at 01:20:39PM -0700, Mike Percy wrote:
> I don't really think it's a major security issue since passwords and
> personal credentials are not transmitted over http.
Yeah, this is more like a nice to have to prevent Chrome from
complaining.
>
> However +1 from me, we should be able to do the http -> https redirect in
> the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess
Nice, thanks, didn't know .htaccess is checked in. Just submitted a
review: https://gerrit.cloudera.org/c/11162/
>
> Mike
>
> On Thu, Aug 2, 2018 at 12:21 PM Dan Burkert <da...@apache.org> wrote:
>
> > I think redirecting http://kudu.apache.org to https://kudu.apache.org would
> > be a great step. Adding https to the jenkins instance would also be nice,
> > but there may be some complication because of the infra it's hosted on (I
> > think a Cloudera-managed GCE instance?).
Dan, do you know who manages this part of the infra?
Re: securing our infra
Posted by Mike Percy <mp...@apache.org>.
I don't really think it's a major security issue since passwords and
personal credentials are not transmitted over http.
However +1 from me, we should be able to do the http -> https redirect in
the .htaccess file @ https://github.com/apache/kudu/blob/gh-pages/.htaccess
Mike
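
Added example, not part of the thread and not the contents of the Kudu gh-pages .htaccess or of the Gerrit review: one way the http -> https redirect discussed above can be written in an .htaccess file. It assumes mod_rewrite is enabled and that overrides are allowed for the site directory; the proxy variant in the comments is a further assumption about how TLS is terminated.

```apache
# Constructed example for illustration only.

# No <IfModule mod_rewrite.c> wrapper on purpose: if the module is missing,
# the site should fail loudly instead of silently serving plain HTTP.
RewriteEngine On

# Redirect only requests that arrived without TLS; without this condition
# the rule would also match the HTTPS request and loop.
RewriteCond %{HTTPS} !=on

# Assumption: httpd terminates TLS itself. If a proxy or load balancer
# terminates TLS in front of httpd, %{HTTPS} is always "off" here and the
# condition above has to be replaced with a check of the forwarded scheme:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# Use that form only when the proxy overwrites the header, since a client
# can otherwise send it over plain HTTP and skip the redirect.

# The target host is written out instead of using %{HTTP_HOST}, so a forged
# Host header cannot steer the redirect to another site. The query string
# is carried over automatically because the substitution contains no "?".
# R=301 makes the redirect permanent; L stops further rule processing.
RewriteRule ^ https://kudu.apache.org%{REQUEST_URI} [R=301,L]
```

The redirect only helps visitors after their first plain-HTTP request; links and bookmarks should point at the https:// URL directly.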
Re: securing our infra
Posted by Dan Burkert <da...@apache.org>.
I think redirecting http://kudu.apache.org to https://kudu.apache.org would
be a great step. Adding https to the jenkins instance would also be nice,
but there may be some complication because of the infra it's hosted on (I
think a Cloudera-managed GCE instance?).
- Dan