Uploaded image for project: 'Data Management'
  1. Data Management
  2. DM-20048

Unauthenticated Redis database - lsst-sui-tomcat01.ncsa.illinois.edu

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Fix Version/s: None
    • Component/s: SUIT
    • Labels:
      None
    • Story Points:
      2
    • Epic Link:
    • Sprint:
      SUIT Sprint 2019-07, SUIT Sprint 2019-08
    • Team:
      Science User Interface

      Description

      This is a recreation of a jira ticket submitted by NCSA security in our internal ticket system:

      "Qualys scan has found an instance of Redis that seems to allow unauthenticated connections on lsst-sui-tomcat01.ncsa.illinois.edu

      We would like to make sure only authorized users and hosts are able to connect to this redis instance. There is concern that maybe the Jupiter hubs users/machines can connect to this database."

        Attachments

          Issue Links

            Activity

            Hide
            cclausen Christopher Clausen [X] (Inactive) added a comment -

            We can check in Qualys, but we'd need to know which host(s) this service is running on at this time.  I understand some of this might have been moved into the Kubernetes environment and therefore possibly not on the lsst-sui-tomcat01.ncsa host?

            Show
            cclausen Christopher Clausen [X] (Inactive) added a comment - We can check in Qualys, but we'd need to know which host(s) this service is running on at this time.  I understand some of this might have been moved into the Kubernetes environment and therefore possibly not on the lsst-sui-tomcat01.ncsa host?
            Hide
            loi Loi Ly added a comment -

            My changes are currently in `-int`.  The Redis in question is running on lsst-sui-proxy01.

             

            [loi@lsst-bastion01 ~]$ kubectl get pods -o wide
            NAME                        READY   STATUS    RESTARTS   AGE   IP            NODE               NOMINATED NODE   READINESS GATES
            redis-srv-5596fd9c-rxdq5    1/1     Running   0          42h   10.40.128.5   lsst-sui-proxy01   <none>           <none>

             

             

            Show
            loi Loi Ly added a comment - My changes are currently in `-int`.  The Redis in question is running on lsst-sui-proxy01.   [loi@lsst-bastion01 ~]$ kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES redis-srv-5596fd9c-rxdq5 1/1 Running 0 42h 10.40.128.5 lsst-sui-proxy01 <none> <none>    
            Hide
            loi Loi Ly added a comment -

            Christopher Clausen [X] Matthew Thomas Long [X]  Did you get a chance to look at this yet?  I would like to mark it as done and merge my changes.

            Show
            loi Loi Ly added a comment - Christopher Clausen [X] Matthew Thomas Long [X]   Did you get a chance to look at this yet?  I would like to mark it as done and merge my changes.
            Hide
            cclausen Christopher Clausen [X] (Inactive) added a comment -

            At this time, there are not any redis alerts showing in Qualys for any of the LSST hosts at NCSA.  I believe you can close this now.

            Show
            cclausen Christopher Clausen [X] (Inactive) added a comment - At this time, there are not any redis alerts showing in Qualys for any of the LSST hosts at NCSA.  I believe you can close this now.
            Hide
            loi Loi Ly added a comment -

            Christopher Clausen confirmed Qualys is no longer detecting unauthenticated redis installations.  Review completed.

            Show
            loi Loi Ly added a comment - Christopher Clausen confirmed Qualys is no longer detecting unauthenticated redis installations.  Review completed.

              People

              Assignee:
              loi Loi Ly
              Reporter:
              mtlong2 Matthew Thomas Long [X] (Inactive)
              Reviewers:
              Matthew Thomas Long [X] (Inactive), Tatiana Goldina
              Watchers:
              Christopher Clausen [X] (Inactive), Leandro Avila-Diaz, Loi Ly, Matthew Thomas Long [X] (Inactive), Tatiana Goldina, Xiuqin Wu [X] (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Jenkins Builds

                  No builds found.