2016-08-18 02:51:04 +02:00
|
|
|
# Secure, maintain, and upgrade
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-08-09 23:52:33 +02:00
|
|
|
This page covers topics that will help you maintain a healthy, up-to-date, and
|
|
|
|
secure Zulip installation, including:
|
|
|
|
|
|
|
|
- [Upgrading](#upgrading)
|
2016-08-25 19:48:42 +02:00
|
|
|
- [Upgrading from a git repository](#upgrading-from-a-git-repository)
|
|
|
|
- [Backups](#backups)
|
2016-08-09 23:52:33 +02:00
|
|
|
- [Monitoring](#monitoring)
|
|
|
|
- [Scalability](#scalability)
|
|
|
|
- [Security Model](#security-model)
|
2016-08-25 05:51:42 +02:00
|
|
|
- [Management commands](#management-commands)
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
## Upgrading
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
**We recommend reading this entire section before doing your first
|
|
|
|
upgrade.**
|
|
|
|
|
|
|
|
To upgrade to a new version of the zulip server, download the appropriate
|
|
|
|
release tarball from
|
|
|
|
[https://www.zulip.com/dist/releases/](https://www.zulip.com/dist/releases/)
|
|
|
|
|
2016-08-25 18:10:09 +02:00
|
|
|
You also have the option of creating your own release tarballs from a
|
2016-10-19 11:55:44 +02:00
|
|
|
copy of the zulip.git repository using
|
|
|
|
`tools/build-release-tarball`. And, starting with Zulip version 1.4,
|
|
|
|
you can upgrade Zulip [to a version in a Git repository
|
2016-10-21 15:26:37 +02:00
|
|
|
directly](#upgrading-from-a-git-repository).
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
Next, run as root:
|
|
|
|
|
|
|
|
```
|
|
|
|
/home/zulip/deployments/current/scripts/upgrade-zulip zulip-server-VERSION.tar.gz
|
|
|
|
```
|
|
|
|
|
|
|
|
The upgrade process will shut down the Zulip service and then run `apt-get upgrade`, a
|
|
|
|
puppet apply, any database migrations, and then bring the Zulip service back
|
|
|
|
up. Upgrading will result in some brief downtime for the service, which should be
|
|
|
|
under 30 seconds unless there is an expensive transition involved. Unless you
|
|
|
|
have tested the upgrade in advance, we recommend doing upgrades at off hours.
|
|
|
|
|
2016-08-25 06:51:01 +02:00
|
|
|
Note that upgrading an existing Zulip production server from Ubuntu
|
|
|
|
14.04 Trusty to Ubuntu 16.04 Xenial will require significant manual
|
|
|
|
intervention on your part to migrate the data in the database from
|
|
|
|
Postgres 9.3 to Postgres 9.5. Contributions on testing and
|
|
|
|
documenting this process are welcome!
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
### Preserving local changes to configuration files
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
**Warning**: If you have modified configuration files installed by
|
|
|
|
Zulip (e.g. the nginx configuration), the Zulip upgrade process will
|
|
|
|
overwrite your configuration when it does the `puppet apply`.
|
|
|
|
|
|
|
|
You can test whether this will happen assuming no upstream changes to
|
|
|
|
the configuration using `scripts/zulip-puppet-apply` (without the
|
|
|
|
`-f` option), which will do a test puppet run and output and changes
|
|
|
|
it would make. Using this list, you can save a copy of any files
|
|
|
|
that you've modified, do the upgrade, and then restore your
|
|
|
|
configuration.
|
|
|
|
|
|
|
|
If you need to do this, please report the issue so
|
|
|
|
that we can make the Zulip puppet configuration flexible enough to
|
|
|
|
handle your setup.
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
### Troubleshooting with the upgrade log
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
The Zulip upgrade script automatically logs output to
|
2016-08-25 19:48:42 +02:00
|
|
|
`/var/log/zulip/upgrade.log`. Please use those logs to include output
|
|
|
|
that shows all errors in any bug reports.
|
2016-08-10 01:53:50 +02:00
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
After the upgrade, we recommend checking `/var/log/zulip/errors.log`
|
|
|
|
to confirm that your users are not experiencing errors after the
|
|
|
|
upgrade.
|
|
|
|
|
|
|
|
### Rolling back to a prior version
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
The Zulip upgrade process works by creating a new deployment under
|
|
|
|
`/home/zulip/deployments/` containing a complete copy of the Zulip server code,
|
|
|
|
and then moving the symlinks at `/home/zulip/deployments/current` and
|
|
|
|
`/root/zulip` as part of the upgrade process.
|
|
|
|
|
|
|
|
This means that if the new version isn't working,
|
|
|
|
you can quickly downgrade to the old version by using
|
|
|
|
`/home/zulip/deployments/<date>/scripts/restart-server` to return to
|
|
|
|
a previous version that you've deployed (the version is specified
|
|
|
|
via the path to the copy of `restart-server` you call).
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
### Updating settings
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
If required, you can update your settings by editing `/etc/zulip/settings.py`
|
|
|
|
and then run `/home/zulip/deployments/current/scripts/restart-server` to
|
|
|
|
restart the server.
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
### Applying Ubuntu system updates
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
While the Zulip upgrade script runs `apt-get upgrade`, you are responsible for
|
|
|
|
running this on your system on a regular basis between Zulip upgrades to
|
|
|
|
ensure that it is up to date with the latest security patches.
|
|
|
|
|
|
|
|
### API and your Zulip URL
|
|
|
|
|
|
|
|
To use the Zulip API with your Zulip server, you will need to use the
|
|
|
|
API endpoint of e.g. `https://zulip.example.com/api`. Our Python
|
|
|
|
API example scripts support this via the
|
|
|
|
`--site=https://zulip.example.com` argument. The API bindings
|
|
|
|
support it via putting `site=https://zulip.example.com` in your
|
|
|
|
.zuliprc.
|
|
|
|
|
|
|
|
Every Zulip integration supports this sort of argument (or e.g. a
|
|
|
|
`ZULIP_SITE` variable in a zuliprc file or the environment), but this
|
|
|
|
is not yet documented for some of the integrations (the included
|
|
|
|
integration documentation on `/integrations` will properly document
|
|
|
|
how to do this for most integrations). We welcome pull requests for
|
|
|
|
integrations that don't discuss this!
|
|
|
|
|
|
|
|
Similarly, you will need to instruct your users to specify the URL
|
|
|
|
for your Zulip server when using the Zulip desktop and mobile apps.
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
### Memory leak mitigation
|
2016-08-10 01:53:50 +02:00
|
|
|
|
|
|
|
As a measure to mitigate the impact of potential memory leaks in one
|
|
|
|
of the Zulip daemons, the service automatically restarts itself
|
|
|
|
every Sunday early morning. See `/etc/cron.d/restart-zulip` for the
|
|
|
|
precise configuration.
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
## Upgrading from a git repository
|
2016-07-31 02:53:05 +02:00
|
|
|
|
|
|
|
Starting with version 1.4, the Zulip server supports doing deployments
|
|
|
|
from a Git repository. To configure this, you will need to add
|
|
|
|
`zulip::static_asset_compiler` to your `/etc/zulip/zulip.conf` file's
|
|
|
|
`puppet_classes` entry, like this:
|
|
|
|
|
|
|
|
```
|
|
|
|
puppet_classes = zulip::voyager, zulip::static_asset_compiler
|
|
|
|
```
|
|
|
|
|
|
|
|
Then, run `scripts/zulip-puppet-apply` to install the dependencies for
|
|
|
|
building Zulip's static assets. You can configure the `git`
|
|
|
|
repository that you'd like to use by adding a section like this to
|
|
|
|
`/etc/zulip/zulip.conf`; by default it uses the main `zulip`
|
|
|
|
repository (shown below).
|
|
|
|
|
|
|
|
```
|
|
|
|
[deployment]
|
|
|
|
git_repo_url = https://github.com/zulip/zulip.git
|
|
|
|
```
|
|
|
|
|
|
|
|
Once that is done (and assuming the currently installed version of
|
|
|
|
Zulip is new enough that this script exists), you can do deployments
|
|
|
|
by running as root:
|
|
|
|
|
|
|
|
```
|
2016-08-25 18:11:31 +02:00
|
|
|
/home/zulip/deployments/current/scripts/upgrade-zulip-from-git <branch>
|
2016-07-31 02:53:05 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
and Zulip will automatically fetch the relevant branch from the
|
|
|
|
specified repository, build the static assets, and deploy that
|
|
|
|
version. Currently, the upgrade process is slow, but it doesn't need
|
|
|
|
to be; there is ongoing work on optimizing it.
|
|
|
|
|
2016-08-25 19:48:42 +02:00
|
|
|
## Backups
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
There are several pieces of data that you might want to back up:
|
|
|
|
|
|
|
|
* The postgres database. That you can back up like any postgres
|
|
|
|
database; we have some example tooling for doing that incrementally
|
|
|
|
into S3 using [wal-e](https://github.com/wal-e/wal-e) in
|
|
|
|
`puppet/zulip_internal/manifests/postgres_common.pp` (that's what we
|
|
|
|
use for zulip.com's database backups). Note that this module isn't
|
|
|
|
part of the Zulip server releases since it's part of the zulip.com
|
2016-10-19 11:55:44 +02:00
|
|
|
configuration (see
|
|
|
|
[https://github.com/zulip/zulip/issues/293](https://github.com/zulip/zulip/issues/293)
|
|
|
|
for a ticket about fixing this to make life easier for running
|
|
|
|
backups).
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* Any user-uploaded files. If you're using S3 as storage for file
|
|
|
|
uploads, this is backed up in S3, but if you have instead set
|
2016-10-19 11:55:44 +02:00
|
|
|
`LOCAL_UPLOADS_DIR`, any files uploaded by users (including avatars)
|
2016-07-12 22:52:29 +02:00
|
|
|
will be stored in that directory and you'll want to back it up.
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* Your Zulip configuration including secrets from `/etc/zulip/`.
|
|
|
|
E.g. if you lose the value of `secret_key`, all users will need to
|
|
|
|
login again when you setup a replacement server since you won't be
|
|
|
|
able to verify their cookies; if you lose `avatar_salt`, any
|
|
|
|
user-uploaded avatars will need to be re-uploaded (since avatar
|
|
|
|
filenames are computed using a hash of `avatar_salt` and user's
|
|
|
|
email), etc.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* The logs under `/var/log/zulip` can be handy to have backed up, but
|
2016-07-12 22:52:29 +02:00
|
|
|
they do get large on a busy server, and it's definitely
|
|
|
|
lower-priority.
|
|
|
|
|
2016-10-19 11:27:26 +02:00
|
|
|
If you are interested in backups because you are moving from one Zulip
|
|
|
|
server to another server and can't transfer a full postgres dump
|
|
|
|
(which is definitely the simplest approach), our draft
|
|
|
|
[conversion and export design document](conversion.html) may help.
|
|
|
|
The tool is well designed and was tested carefully with dozens of
|
|
|
|
realms as of mid-2016 but is not integrated into Zulip's regular
|
|
|
|
testing process, and thus it is worth asking on the Zulip developers
|
|
|
|
mailing list whether it needs any minor updates to do things like
|
|
|
|
export newly added tables.
|
|
|
|
|
2016-08-10 01:53:50 +02:00
|
|
|
### Restore from backups
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
To restore from backups, the process is basically the reverse of the above:
|
|
|
|
|
|
|
|
* Install new server as normal by downloading a Zulip release tarball
|
|
|
|
and then using `scripts/setup/install`, you don't need
|
|
|
|
to run the `initialize-database` second stage which puts default
|
|
|
|
data into the database.
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* Unpack to `/etc/zulip` the `settings.py` and `secrets.conf` files
|
|
|
|
from your backups.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* Restore your database from the backup using `wal-e`; if you ran
|
2016-07-12 22:52:29 +02:00
|
|
|
`initialize-database` anyway above, you'll want to first
|
|
|
|
`scripts/setup/postgres-init-db` to drop the initial database first.
|
|
|
|
|
|
|
|
* If you're using local file uploads, restore those files to the path
|
|
|
|
specified by `settings.LOCAL_UPLOADS_DIR` and (if appropriate) any
|
|
|
|
logs.
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* Start the server using `scripts/restart-server`.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
This restoration process can also be used to migrate a Zulip
|
|
|
|
installation from one server to another.
|
|
|
|
|
|
|
|
We recommend running a disaster recovery after you setup backups to
|
|
|
|
confirm that your backups are working; you may also want to monitor
|
|
|
|
that they are up to date using the Nagios plugin at:
|
|
|
|
`puppet/zulip_internal/files/nagios_plugins/check_postgres_backup`.
|
|
|
|
|
|
|
|
Contributions to more fully automate this process or make this section
|
|
|
|
of the guide much more explicit and detailed are very welcome!
|
|
|
|
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Postgres streaming replication
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
Zulip has database configuration for using Postgres streaming
|
|
|
|
replication; you can see the configuration in these files:
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `puppet/zulip_internal/manifests/postgres_slave.pp`
|
|
|
|
* `puppet/zulip_internal/manifests/postgres_master.pp`
|
|
|
|
* `puppet/zulip_internal/files/postgresql/*`
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
Contribution of a step-by-step guide for setting this up (and moving
|
|
|
|
this configuration to be available in the main `puppet/zulip/` tree)
|
|
|
|
would be very welcome!
|
|
|
|
|
2016-08-25 19:37:15 +02:00
|
|
|
## Monitoring
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
The complete Nagios configuration (sans secret keys) used to
|
|
|
|
monitor zulip.com is available under `puppet/zulip_internal` in the
|
|
|
|
Zulip Git repository (those files are not installed in the release
|
|
|
|
tarballs).
|
|
|
|
|
|
|
|
The Nagios plugins used by that configuration are installed
|
|
|
|
automatically by the Zulip installation process in subdirectories
|
|
|
|
under `/usr/lib/nagios/plugins/`. The following is a summary of the
|
|
|
|
various Nagios plugins included with Zulip and what they check:
|
|
|
|
|
|
|
|
Application server and queue worker monitoring:
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_send_receive_time` (sends a test message through the system
|
2016-07-12 22:52:29 +02:00
|
|
|
between two bot users to check that end-to-end message sending works)
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_rabbitmq_consumers` and `check_rabbitmq_queues` (checks for
|
2016-07-12 22:52:29 +02:00
|
|
|
rabbitmq being down or the queue workers being behind)
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_queue_worker_errors` (checks for errors reported by the queue
|
|
|
|
workers)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_worker_memory` (monitors for memory leaks in queue workers)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_email_deliverer_backlog` and `check_email_deliverer_process`
|
2016-07-12 22:52:29 +02:00
|
|
|
(monitors for whether outgoing emails are being sent)
|
|
|
|
|
|
|
|
Database monitoring:
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_postgres_replication_lag` (checks streaming replication is up
|
2016-07-12 22:52:29 +02:00
|
|
|
to date).
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_postgres` (checks the health of the postgres database)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_postgres_backup` (checks backups are up to date; see above)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_fts_update_log` (monitors for whether full-text search updates
|
2016-07-12 22:52:29 +02:00
|
|
|
are being processed)
|
|
|
|
|
|
|
|
Standard server monitoring:
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_website_response.sh` (standard HTTP check)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
* `check_debian_packages` (checks apt repository is up to date)
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
If you're using these plugins, bug reports and pull requests to make
|
|
|
|
it easier to monitor Zulip and maintain it in production are
|
|
|
|
encouraged!
|
|
|
|
|
2016-08-09 23:52:33 +02:00
|
|
|
## Scalability
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
This section attempts to address the considerations involved with
|
|
|
|
running Zulip with a large team (>1000 users).
|
|
|
|
|
|
|
|
* We recommend using a [remote postgres
|
2016-10-24 15:35:54 +02:00
|
|
|
database](prod-postgres.html) for isolation, though it is
|
2016-07-12 22:52:29 +02:00
|
|
|
not required. In the following, we discuss a relatively simple
|
|
|
|
configuration with two types of servers: application servers
|
|
|
|
(running Django, Tornado, RabbitMQ, Redis, Memcached, etc.) and
|
|
|
|
database servers.
|
|
|
|
|
|
|
|
* You can scale to a pretty large installation (O(~1000) concurrently
|
|
|
|
active users using it to chat all day) with just a single reasonably
|
|
|
|
large application server (e.g. AWS c3.2xlarge with 8 cores and 16GB
|
|
|
|
of RAM) sitting mostly idle (<10% CPU used and only 4GB of the 16GB
|
|
|
|
RAM actively in use). You can probably get away with half that
|
|
|
|
(e.g. c3.xlarge), but ~8GB of RAM is highly recommended at scale.
|
|
|
|
Beyond a 1000 active users, you will eventually want to increase the
|
|
|
|
memory cap in `memcached.conf` from the default 512MB to avoid high
|
|
|
|
rates of memcached misses.
|
|
|
|
|
|
|
|
* For the database server, we highly recommend SSD disks, and RAM is
|
|
|
|
the primary resource limitation. We have not aggressively tested
|
|
|
|
for the minimum resources required, but 8 cores with 30GB of RAM
|
|
|
|
(e.g. AWS's m3.2xlarge) should suffice; you may be able to get away
|
|
|
|
with less especially on the CPU side. The database load per user is
|
|
|
|
pretty optimized as long as `memcached` is working correctly. This
|
|
|
|
has not been tested, but from extrapolating the load profile, it
|
|
|
|
should be possible to scale a Zulip installation to 10,000s of
|
|
|
|
active users using a single large database server without doing
|
|
|
|
anything complicated like sharding the database.
|
|
|
|
|
|
|
|
* For reasonably high availability, it's easy to run a hot spare
|
|
|
|
application server and a hot spare database (using Postgres
|
|
|
|
streaming replication; see the section on configuring this). Be
|
|
|
|
sure to check out the section on backups if you're hoping to run a
|
|
|
|
spare application server; in particular you probably want to use the
|
|
|
|
S3 backend for storing user-uploaded files and avatars and will want
|
|
|
|
to make sure secrets are available on the hot spare.
|
|
|
|
|
|
|
|
* Zulip does not support dividing traffic for a given Zulip realm
|
|
|
|
between multiple application servers. There are two issues: you
|
2016-10-19 11:55:44 +02:00
|
|
|
need to share the memcached/Redis/RabbitMQ instance (these should
|
2016-07-12 22:52:29 +02:00
|
|
|
can be moved to a network service shared by multiple servers with a
|
|
|
|
bit of configuration) and the Tornado event system for pushing to
|
|
|
|
browsers currently has no mechanism for multiple frontend servers
|
|
|
|
(or event processes) talking to each other. One can probably get a
|
|
|
|
factor of 10 in a single server's scalability by [supporting
|
|
|
|
multiple tornado processes on a single
|
|
|
|
server](https://github.com/zulip/zulip/issues/372), which is also
|
|
|
|
likely the first part of any project to support exchanging events
|
|
|
|
amongst multiple servers.
|
|
|
|
|
|
|
|
Questions, concerns, and bug reports about this area of Zulip are very
|
|
|
|
welcome! This is an area we are hoping to improve.
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
## Security Model
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
This section attempts to document the Zulip security model. Since
|
|
|
|
this is new documentation, it likely does not cover every issue; if
|
|
|
|
there are details you're curious about, please feel free to ask
|
|
|
|
questions on the Zulip development mailing list (or if you think
|
2016-08-13 23:35:44 +02:00
|
|
|
you've found a security bug, please report it to
|
2016-10-19 11:52:02 +02:00
|
|
|
zulip-security@googlegroups.com so we can do a responsible security
|
2016-08-13 23:35:44 +02:00
|
|
|
announcement).
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Secure your Zulip server like your email server
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* It's reasonable to think about security for a Zulip server like you
|
|
|
|
do security for a team email server -- only trusted administrators
|
|
|
|
within an organization should have shell access to the server.
|
|
|
|
|
|
|
|
In particular, anyone with root access to a Zulip application server
|
|
|
|
or Zulip database server, or with access to the `zulip` user on a
|
|
|
|
Zulip application server, has complete control over the Zulip
|
|
|
|
installation and all of its data (so they can read messages, modify
|
|
|
|
history, etc.). It would be difficult or impossible to avoid this,
|
|
|
|
because the server needs access to the data to support features
|
|
|
|
expected of a group chat system like the ability to search the
|
|
|
|
entire message history, and thus someone with control over the
|
|
|
|
server has access to that data as well.
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Encryption and Authentication
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* Traffic between clients (web, desktop and mobile) and the Zulip is
|
|
|
|
encrypted using HTTPS. By default, all Zulip services talk to each
|
|
|
|
other either via a localhost connection or using an encrypted SSL
|
|
|
|
connection.
|
|
|
|
|
|
|
|
* The preferred way to login to Zulip is using an SSO solution like
|
|
|
|
Google Auth, LDAP, or similar. Zulip stores user passwords using
|
|
|
|
the standard PBKDF2 algorithm. Password strength is checked and
|
2016-10-19 11:55:44 +02:00
|
|
|
weak passwords are visually discouraged using the `zxcvbn` library,
|
2016-07-12 22:52:29 +02:00
|
|
|
but Zulip does not by default have strong requirements on user
|
|
|
|
password strength. Modify `static/js/common.js` to adjust the
|
2016-10-23 08:19:20 +02:00
|
|
|
password strength requirements (patches welcome to make this
|
|
|
|
controllable by an easy setting!).
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* Zulip requires CSRF tokens in all interactions with the web API to
|
|
|
|
prevent CSRF attacks.
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Messages and History
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-23 08:19:20 +02:00
|
|
|
* Zulip message content is rendered using a specialized Markdown
|
2016-07-12 22:52:29 +02:00
|
|
|
parser which escapes content to protect against cross-site scripting
|
|
|
|
attacks.
|
|
|
|
|
|
|
|
* Zulip supports both public streams and private ("invite-only")
|
2016-10-23 08:19:20 +02:00
|
|
|
streams. Any Zulip user can join any public stream in the realm,
|
|
|
|
and can view the complete message history of any public stream
|
|
|
|
without joining the stream.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-09-14 17:31:21 +02:00
|
|
|
* A private ("invite-only") stream is hidden from users who are not
|
|
|
|
subscribed to the stream. Users who are not members of a private
|
|
|
|
stream cannot read messages on the stream, send messages to the
|
|
|
|
stream, or join the stream, even if they are a Zulip realm
|
|
|
|
administrator. Users can join private streams only when they are
|
|
|
|
invited. However, any member of a private stream can invite other
|
|
|
|
users to the stream. When a new user joins a private stream, they
|
|
|
|
can see future messages sent to the stream, but they do not receive
|
|
|
|
access to the stream's message history.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-10-23 08:19:20 +02:00
|
|
|
* Zulip supports editing the content and topics of messages that have
|
|
|
|
already been sent. As a general philosophy, our policies provide
|
|
|
|
hard limits on the ways in which message content can be changed or
|
|
|
|
undone. In contrast, our policies around message topics favor
|
|
|
|
usefulness (e.g. for conversational organization) over faithfulness
|
|
|
|
to the original.
|
|
|
|
|
|
|
|
The message editing policy can be configured on the realm
|
|
|
|
administration page. There are three configurations provided out of
|
|
|
|
the box: (i) users cannot edit messages at all, (ii) users can edit
|
|
|
|
any message they have sent, and (iii) users can edit the content of
|
|
|
|
any message they have sent in the last N minutes, and the topic of
|
|
|
|
any message they have sent. In (ii) and (iii), topic edits can also
|
|
|
|
be propagated to other messages with the same original topic, even
|
|
|
|
if those messages were sent by other users. The default setting is
|
|
|
|
(iii), with N = 10.
|
|
|
|
|
|
|
|
In addition, and regardless of the configuration above, messages
|
|
|
|
with no topic can always be edited to have a topic, by anyone in the
|
|
|
|
organization, and the topic of any message can also always be edited
|
|
|
|
by a realm administrator.
|
|
|
|
|
|
|
|
Also note that while edited messages are synced immediately to open
|
|
|
|
browser windows, editing messages is not a safe way to redact secret
|
|
|
|
content (e.g. a password) shared unintentionally. Other users may
|
|
|
|
have seen and saved the content of the original message, or have an
|
|
|
|
integration (e.g. push notifications) forwarding all messages they
|
|
|
|
receive to another service. Zulip also stores and sends to clients
|
|
|
|
the content of every historical version of a message.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Users and Bots
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* There are three types of users in a Zulip realm: Administrators,
|
|
|
|
normal users, and bots. Administrators have the ability to
|
|
|
|
deactivate and reactivate other human and bot users, delete streams,
|
|
|
|
add/remove administrator privileges, as well as change configuration
|
|
|
|
for the overall realm (e.g. whether an invitation is required to
|
|
|
|
join the realm). Being a Zulip administrator does not provide the
|
|
|
|
ability to interact with other users' private messages or the
|
|
|
|
messages sent to private streams to which the administrator is not
|
|
|
|
subscribed. However, a Zulip administrator subscribed to a stream
|
|
|
|
can toggle whether that stream is public or private. Also, Zulip
|
|
|
|
realm administrators have administrative access to the API keys of
|
|
|
|
all bots in the realm, so a Zulip administrator may be able to
|
|
|
|
access messages sent to private streams that have bots subscribed,
|
|
|
|
by using the bot's credentials.
|
|
|
|
|
|
|
|
In the future, Zulip's security model may change to allow realm
|
|
|
|
administrators to access private messages (e.g. to support auditing
|
|
|
|
functionality).
|
|
|
|
|
|
|
|
* Every Zulip user has an API key, available on the settings page.
|
|
|
|
This API key can be used to do essentially everything the user can
|
|
|
|
do; for that reason, users should keep their API key safe. Users
|
|
|
|
can rotate their own API key if it is accidentally compromised.
|
|
|
|
|
|
|
|
* To properly remove a user's access to a Zulip team, it does not
|
|
|
|
suffice to change their password or deactivate their account in the
|
|
|
|
SSO system, since neither of those prevents authenticating with the
|
|
|
|
user's API key or those of bots the user has created. Instead, you
|
|
|
|
should deactivate the user's account in the Zulip administration
|
2016-10-19 11:55:44 +02:00
|
|
|
interface (`/#administration`); this will automatically also
|
2016-07-12 22:52:29 +02:00
|
|
|
deactivate any bots the user had created.
|
|
|
|
|
|
|
|
* The Zulip mobile apps authenticate to the server by sending the
|
|
|
|
user's password and retrieving the user's API key; the apps then use
|
|
|
|
the API key to authenticate all future interactions with the site.
|
|
|
|
Thus, if a user's phone is lost, in addition to changing passwords,
|
|
|
|
you should rotate the user's Zulip API key.
|
|
|
|
|
|
|
|
* Zulip bots are used for integrations. A Zulip bot can do everything
|
|
|
|
a normal user in the realm can do including reading other, with a
|
|
|
|
few exceptions (e.g. a bot cannot login to the web application or
|
|
|
|
create other bots). In particular, with the API key for a Zulip
|
|
|
|
bot, one can read any message sent to a public stream in that bot's
|
|
|
|
realm. A likely future feature for Zulip is [limited bots that can
|
|
|
|
only send messages](https://github.com/zulip/zulip/issues/373).
|
|
|
|
|
|
|
|
* Certain Zulip bots can be marked as "API super users"; these special
|
|
|
|
bots have the ability to send messages that appear to have been sent
|
|
|
|
by another user (an important feature for implementing integrations
|
|
|
|
like the Jabber, IRC, and Zephyr mirrors).
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### User-uploaded content
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
* Zulip supports user-uploaded files; ideally they should be hosted
|
|
|
|
from a separate domain from the main Zulip server to protect against
|
|
|
|
various same-domain attacks (e.g. zulip-user-content.example.com)
|
|
|
|
using the S3 integration.
|
|
|
|
|
|
|
|
The URLs of user-uploaded files are secret; if you are using the
|
|
|
|
"local file upload" integration, anyone with the URL of an uploaded
|
|
|
|
file can access the file. This means the local uploads integration
|
|
|
|
is vulnerable to a subtle attack where if a user clicks on a link in
|
|
|
|
a secret .PDF or .HTML file that had been uploaded to Zulip, access
|
|
|
|
to the file might be leaked to the other server via the Referrer
|
2016-10-19 11:55:44 +02:00
|
|
|
header (see [the "Uploads world readable" issue on
|
|
|
|
GitHub](https://github.com/zulip/zulip/issues/320)).
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
The Zulip S3 file upload integration is relatively safe against that
|
|
|
|
attack, because the URLs of files presented to users don't host the
|
|
|
|
content. Instead, the S3 integration checks the user has a valid
|
|
|
|
Zulip session in the relevant realm, and if so then redirects the
|
|
|
|
browser to a one-time S3 URL that expires a short time later.
|
|
|
|
Keeping the URL secret is still important to avoid other users in
|
|
|
|
the Zulip realm from being able to access the file.
|
|
|
|
|
|
|
|
* Zulip supports using the Camo image proxy to proxy content like
|
|
|
|
inline image previews that can be inserted into the Zulip message
|
|
|
|
feed by other users over HTTPS.
|
|
|
|
|
|
|
|
* By default, Zulip will provide image previews inline in the body of
|
|
|
|
messages when a message contains a link to an image. You can
|
|
|
|
control this using the `INLINE_IMAGE_PREVIEW` setting.
|
|
|
|
|
2016-07-31 02:42:55 +02:00
|
|
|
### Final notes and security response
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
If you find some aspect of Zulip that seems inconsistent with this
|
2016-10-19 11:55:44 +02:00
|
|
|
security model, please report it to zulip-security@googlegroups.com so
|
|
|
|
that we can investigate and coordinate an appropriate security release
|
|
|
|
if needed.
|
2016-07-12 22:52:29 +02:00
|
|
|
|
|
|
|
Zulip security announcements will be sent to
|
|
|
|
zulip-announce@googlegroups.com, so you should subscribe if you are
|
|
|
|
running Zulip in production.
|
|
|
|
|
2016-08-25 05:51:42 +02:00
|
|
|
## Management commands
|
|
|
|
|
|
|
|
Zulip has a large library of [Django management
|
|
|
|
commands](https://docs.djangoproject.com/en/1.8/ref/django-admin/#django-admin-and-manage-py).
|
|
|
|
To use them, you will want to be logged in as the `zulip` user and for
|
|
|
|
the purposes of this documentation, we assume the current working
|
|
|
|
directory is `/home/zulip/deployments/current`.
|
|
|
|
|
|
|
|
Below, we should several useful examples, but there are more than 100
|
|
|
|
in total. We recommend skimming the usage docs (or if there are none,
|
|
|
|
the code) of a management command before using it, since they are
|
|
|
|
generally less polished and more designed for expert use than the rest
|
|
|
|
of the Zulip system.
|
|
|
|
|
|
|
|
### manage.py shell
|
|
|
|
|
|
|
|
You can get an iPython shell with full access to code within the Zulip
|
2016-10-19 11:55:44 +02:00
|
|
|
project using `manage.py shell`, e.g., you can do the following to
|
2016-08-25 05:51:42 +02:00
|
|
|
change an email address:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ /home/zulip/deployments/current/manage.py shell
|
|
|
|
In [1]: user_profile = get_user_profile_by_email("email@example.com")
|
|
|
|
In [2]: do_change_user_email(user_profile, "new_email@example.com")
|
|
|
|
```
|
|
|
|
|
|
|
|
#### manage.py dbshell
|
|
|
|
|
|
|
|
This will start a postgres shell connected to the Zulip database.
|
|
|
|
|
|
|
|
### Grant administrator access
|
|
|
|
|
|
|
|
You can make any user a realm administrator on the command line with
|
|
|
|
the `knight` management command:
|
|
|
|
|
|
|
|
```
|
|
|
|
./manage.py knight username@example.com -f
|
|
|
|
```
|
|
|
|
|
2016-10-19 11:55:44 +02:00
|
|
|
#### Creating API super users with manage.py
|
2016-08-25 05:51:42 +02:00
|
|
|
|
|
|
|
If you need to manage the IRC, Jabber, or Zephyr mirrors, you will
|
2016-10-19 11:55:44 +02:00
|
|
|
need to create API super users. To do this, use `./manage.py knight`
|
2016-08-25 05:51:42 +02:00
|
|
|
with the `--permission=api_super_user` argument. See
|
|
|
|
`bots/irc-mirror.py` and `bots/jabber_mirror.py` for further detail on
|
|
|
|
these.
|
|
|
|
|
2016-10-19 11:27:26 +02:00
|
|
|
#### Exporting users and realms with manage.py export
|
|
|
|
|
|
|
|
If you need to do an export of a single user or of an entire realm, we
|
|
|
|
have tools in `management/` that essentially export Zulip data to the
|
|
|
|
file system.
|
|
|
|
|
|
|
|
`export_single_user.py` exports the message history and realm-public
|
2016-10-23 02:39:32 +02:00
|
|
|
metadata for a single Zulip user (including that user's *received*
|
|
|
|
messages as well as their sent messages).
|
2016-10-19 11:27:26 +02:00
|
|
|
|
|
|
|
A good overview of the process for exporting a single realm when
|
|
|
|
moving a realm to a new server (without moving a full database dump)
|
|
|
|
is in
|
|
|
|
[management/export.py](https://github.com/zulip/zulip/blob/master/zerver/management/commands/export.py). We
|
|
|
|
recommend you read the comment there for words of wisdom on speed,
|
|
|
|
what is and is not exported, what will break upon a move to a new
|
|
|
|
server, and suggested procedure.
|
2016-08-25 05:51:42 +02:00
|
|
|
|
|
|
|
### Other useful manage.py commands
|
|
|
|
|
|
|
|
There are a large number of useful management commands under
|
2016-02-13 19:17:15 +01:00
|
|
|
`zerver/management/commands/`; you can also see them listed using
|
2016-08-25 05:51:42 +02:00
|
|
|
`./manage.py` with no arguments.
|