Heads Up: The Next OpenPublic Release Changes Security

Shawn Mole, VP, Experience
#Drupal | Posted

As many of you may be aware, OpenPublic is a Drupal installation profile built for government sites. The OpenPublic team is working on the next major release, Beta 18, which will be out shortly. It is the first of several releases on the road to 1.0, and the first update that offers users a choice between different feature sets.

Upgrading to Beta 18

If you are upgrading an existing site to Beta 18 and want to keep OpenPublic's current security settings, you must add one extra step to the upgrade. It's just one step, but if you miss it, your site reverts to Drupal's basic, built-in security. No previous OpenPublic update has done anything similar, so we wanted to post in advance about the change and the new features we're making available.

Typically, OpenPublic installs are a rather simple affair:

  1. Download the latest release of OpenPublic
  2. Unpack it and copy the profiles directory over to your current profiles directory (replace the older files)
  3. Run update.php to update the database
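The three steps above, as a shell helper that is an added example and not part of the OpenPublic project: it copies the unpacked release's profile over the site's profile, but first moves the old profile aside as a timestamped backup so the upgrade can be rolled back, and it refuses to run if the release does not actually contain an OpenPublic profile. The directory layout (`profiles/openpublic` with an `openpublic.profile` file, as in a Drupal 7 installation profile) and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not OpenPublic's own tooling. Upgrades the OpenPublic
# profile in place with a rollback copy of the previous profile.
set -e

# openpublic_upgrade RELEASE_DIR SITE_ROOT
#   RELEASE_DIR: the unpacked release, expected to contain profiles/openpublic
#   SITE_ROOT:   the Drupal docroot of the site being upgraded
# Moves SITE_ROOT/profiles/openpublic to a timestamped .bak directory, copies
# the new profile in, and prints the backup path (empty if none existed).
# Run update.php (or "drush updatedb") afterwards; this helper does not.
openpublic_upgrade() {
    release_dir=$1
    site_root=$2
    new_profile="$release_dir/profiles/openpublic"   # assumed layout
    old_profile="$site_root/profiles/openpublic"

    # Sanity checks: the release must carry the profile, the site must
    # have a profiles directory to receive it.
    [ -f "$new_profile/openpublic.profile" ] || {
        echo "no openpublic profile found in $release_dir" >&2
        return 1
    }
    [ -d "$site_root/profiles" ] || {
        echo "$site_root has no profiles directory" >&2
        return 1
    }

    backup=""
    if [ -d "$old_profile" ]; then
        backup="$old_profile.bak-$(date +%Y%m%d%H%M%S)"
        mv "$old_profile" "$backup"
    fi

    # Replace the whole directory rather than overlaying files, so anything
    # removed upstream does not linger in the upgraded profile.
    cp -R "$new_profile" "$old_profile"
    echo "$backup"
}
```

Usage: `openpublic_upgrade /tmp/openpublic-beta18 /var/www/site`, then visit `update.php` as in step 3. If the upgrade misbehaves, remove `profiles/openpublic` and move the printed backup directory back into place.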

Security Level Choices

Beta 18, however, breaks the security functionality out of the OpenPublic profile so that we can offer two levels of security: the current feature set and a more advanced one. If you're using OpenPublic, you now have three choices for security:

  • Built-in Drupal security, essentially choosing nothing special in terms of security
  • Password, a new app that wraps up the basic password controls of the Password Policy module, OpenPublic's past default
  • Security, a new app that provides more control over password policies, plus controls for session timeouts and concurrent logins

Enhanced Security Controls

The additional OpenPublic Security app is a real step forward for the distro. OpenPublic Security is built to make password policies compliant with FISMA-type controls, and it provides additional features such as the ability to limit user sessions and automatically lock accounts. We've been using the underlying module on several builds, and we think it's a nice upgrade for those who need a little more security on their site.

If you're updating an existing OpenPublic website and you want to keep your security settings as they are, you'll need to install the Password App:

  1. After you upgrade your site (see above), log in
  2. Select "Apps" from the admin shortcut bar
  3. Find and then select OpenPublic Password in the app listing
  4. On the App's detail screen, select "Install App"
    Note that, if you encounter an "Unauthorized Access Error," just return to the main Apps screen. That error is a reported bug in the Apps module: the App installer tries to return you to the installation page rather than to the app's configuration page.

Once Password is installed, it provides the same password options as previous versions of OpenPublic. Go to Configuration > Password Policy to configure your security options. (Now that it's an app, you can also reach them from the Password app's configuration screen for easy access.)

If, instead of the basic Password settings, you would like to opt-in to advanced security settings, you can do all of the above steps, but instead choose to install OpenPublic Security. This application wraps up several pieces of functionality, including more advanced password policy controls, concurrent login controls, and session timeouts.

The app's configuration screen also shows you a security checklist so that you can see how your settings align with our default policy, which takes its guidance from FISMA moderate.

For brand new OpenPublic installs, users will be prompted in the setup screen's list of apps to select one app or the other for security, or leave OpenPublic with basic security.

We're pretty excited to be rolling out these new security features, but more excited to be taking the first step towards OpenPublic 1.0. The improved OpenPublic will have additional features and more improvements, and most importantly it will be focused on being leaner and meaner, with contributed functionality wrapped up in pluggable apps.

We'll be talking about OpenPublic 1.0 more at CapitalCamp, so, please, join us!

Shawn Mole

VP, Experience