Page MenuHomePhabricator
Create Task
Maniphest T313231

Dispatch Google workspace integration
Closed, ResolvedPublic
Actions

Description

Setup and tracking of Dispatch Google workspace integration. This will be used to automatically create a google drive folder, and populate an incident document from a template when a new incident is declared.

Related Objects
Search...

Event Timeline

herron triaged this task as Medium priority.Jul 18 2022, 2:21 PM
herron created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2022, 2:21 PM
herron added a parent task: T313228: Deploy Dispatch for SRE incident workflow automation.Jul 18 2022, 2:23 PM
herron mentioned this in T313228: Deploy Dispatch for SRE incident workflow automation.Jul 21 2022, 6:13 PM
lmata assigned this task to herron.Aug 9 2022, 2:33 PM
lmata moved this task from Inbox to In progress on the SRE Observability (FY2022/2023-Q1) board.
herron added a comment.Aug 12 2022, 5:33 PM

The initial feedback from a security review of the API key request is that the permissions outlined in the dispatch docs are too permissive, which I think is fair. The dispatch documentation guides through the process of creating an API key with domain-wide delegation, which AIUI means root level access to all resources within the domain. Within the context of gmail and drive that's far more access than should be needed.

I've logged a bug with the project about this https://github.com/Netflix/dispatch/issues/2408 asking that minimal permissions required be clarified, and at the same time will experiment in my lab setup to see if I can land on a set of minimal permissions to get the drive, docs and gmail plugins up and running.

It also appears that the dispatchdev config has been partially erased and is now throwing database errors when attempting to configure plugins. I'll work on fixing that as well.

herron updated the task description. (Show Details)Aug 16 2022, 4:09 PM
herron added a comment.Aug 16 2022, 4:12 PM
In T313231#8148872, @herron wrote:

The initial feedback from a security review of the API key request is that the permissions outlined in the dispatch docs are too permissive, which I think is fair. The dispatch documentation guides through the process of creating an API key with domain-wide delegation, which AIUI means root level access to all resources within the domain. Within the context of gmail and drive that's far more access than should be needed.

As it turns out, for the purposes of managing a google drive folder, and populating docs a service account and API key can be self served via the gcp console. This has now been done, and is confirmed to be working (new folder and gdoc created from template upon new incident) in my wmcs dispatch lab instance.

lmata edited projects, added SRE Observability (FY2022/2023-Q2); removed SRE Observability (FY2022/2023-Q1).Oct 28 2022, 6:28 PM
herron updated the task description. (Show Details)Nov 14 2022, 10:48 PM
herron closed this task as Resolved.Jan 5 2023, 6:00 PM

This is in place for the production instance, new incidents will create a folder and doc from template (T317316), resolving!

lmata moved this task from Inbox to Done on the SRE Observability (FY2022/2023-Q2) board.Jan 12 2023, 7:00 PM
lmata mentioned this in T308467: implementing an incident response workflow automation tool for SRE.Jan 12 2023, 8:21 PM
BCornwall closed subtask T317316: Fine-tune dispatch SRE incident template as Declined.Aug 24 2023, 4:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL