
restrict flower (celery console) access
Closed, Migrated

Description

The Flower celery console is currently available read/write at http://moma.internal.softwareheritage.org:5555/ , which is accessible only via the internal VPN.
That is no security threat for now, but for consistency with other access controls we should rather make it accessible only to, say, developers, who are the same set of people currently able to deploy packages and fiddle with running services.

Celery does support HTTP basic auth, but it'd probably be better to deploy it behind a real HTTP service, with reverse proxying.
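As an added illustration of the reverse-proxy approach suggested in the description (example configuration, not Software Heritage's own deployment), the following nginx server block fronts Flower with HTTP basic auth and a VPN allow-list, next to the weak setting it replaces. The certificate and htpasswd paths and the 10.0.0.0/8 VPN subnet are assumptions.

```nginx
# Weak setting (what the task describes): Flower itself listens on all
# interfaces, so anyone who can reach the VPN gets read/write access:
#   flower --port=5555 --address=0.0.0.0
#
# Hardened setting: bind Flower to loopback only and put nginx in front:
#   flower --port=5555 --address=127.0.0.1

server {
    listen 443 ssl;
    server_name moma.internal.softwareheritage.org;

    ssl_certificate     /etc/ssl/private/moma.crt;    # assumed paths
    ssl_certificate_key /etc/ssl/private/moma.key;

    # Only the internal VPN range may reach the proxy at all (assumed subnet).
    allow 10.0.0.0/8;
    deny  all;

    # Developers authenticate against an htpasswd file, so the set of people
    # able to manipulate tasks matches the set able to deploy packages.
    auth_basic           "Flower (celery console)";
    auth_basic_user_file /etc/nginx/htpasswd/flower;   # assumed path

    location / {
        proxy_pass         http://127.0.0.1:5555;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Flower's dashboard can refresh over a WebSocket; forwarding the
        # upgrade headers keeps that working through the proxy.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}
```

The credentials file is created with `htpasswd -c /etc/nginx/htpasswd/flower <user>` (apache2-utils); basic auth only protects the password in transit when served over TLS, hence the ssl listener.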

Event Timeline

I think that in the medium term we should get rid of flower and replicate the useful functionality through the scheduler interface.

Flower has a lot of issues with the way we work, as it stores its information in-memory instead of using a database. This breaks down badly when you run millions of jobs like we do...

> I think that in the medium term we should get rid of flower and replicate the useful functionality through the scheduler interface.

Ditching flower is certainly an option. And what you mention about our own interface might be a good fit for an idea I briefly mentioned F2F a while ago: creating an "SWH admin tool" which we can use to (re)schedule jobs, monitor the current state, start/stop workers, scale up/down, etc. I had in mind more of a CLI tool, but other UIs might be possible too.

That said, I don't think we fancy implementing ourselves generic monitor functionalities that, I suspect, should be the same for all celery, and even rabbitmq, users. So maybe there is room here for a more in-depth search of what other queue monitoring tools exist. We certainly aren't the only ones with millions of jobs in our queues; hopefully someone else has released monitoring stuff that is more "professional" than celery.

zack claimed this task.

This is now fixed. HTTP auth has been added to http://moma.internal.softwareheritage.org:5555/tasks?limit=100 . Username/password are available from the credential storage at infra/moma/flower.

olasd changed the visibility from "All Users" to "Public (No Login Required)". May 13 2016, 5:08 PM