
Consider enforcing 2FA for GitLab users with maintainer/owner permissions
Open, MediumPublic

Description

Two factor authentication was enabled for groups with elevated privileges (like sre). Users outside of this group may also have elevated permissions through maintainer permissions in certain projects. This allows users to merge changes or schedule CI jobs in the trusted environment.

We should consider enforcing 2FA for this group of users as well. The group is more heterogeneous. So enabling 2FA is a bit more complicated and would require custom tooling (like a script looping over every user with maintainer permission and enabling 2FA).

Maybe it makes sense to enable 2FA instance wide instead of creating more custom tooling for access control.
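The "script looping over every user with maintainer permission" mentioned above could start as an audit rather than an enforcement step. The following is an added example, not tooling from this task or from the GitLab instance it concerns: it takes payloads shaped like the GitLab REST API responses for `GET /projects/:id/members/all` (which includes members inherited from parent groups) and `GET /users/:id` (whose `two_factor_enabled` field is visible to admins), and reports users who hold Maintainer or Owner anywhere without 2FA. The project names and users are constructed so it runs offline.

```python
"""Audit GitLab project members holding Maintainer/Owner access without 2FA.

Added illustration, not a script from the task or from the GitLab instance.
Data shapes follow the GitLab REST API:
  GET /projects/:id/members/all -> [{"id", "username", "access_level", ...}]
  GET /users/:id (admin token)  -> {"id", "username", "two_factor_enabled", ...}
The payloads below are constructed inline so the audit runs offline.
"""
from typing import Dict, List, Set

MAINTAINER = 40  # GitLab access levels: 30 Developer, 40 Maintainer, 50 Owner
OWNER = 50


def privileged_user_ids(members_by_project: Dict[str, List[dict]],
                        threshold: int = MAINTAINER) -> Set[int]:
    """Collect user ids holding at least `threshold` in any project.

    /members/all lists inherited members too, so a user who receives
    Maintainer through a nested group is caught like a direct member.
    """
    return {m["id"] for members in members_by_project.values()
            for m in members if m["access_level"] >= threshold}


def find_privileged_without_2fa(members_by_project: Dict[str, List[dict]],
                                users_by_id: Dict[int, dict]) -> List[str]:
    """Return sorted usernames that are privileged but have no 2FA enabled."""
    missing = []
    for uid in privileged_user_ids(members_by_project):
        user = users_by_id[uid]
        if not user.get("two_factor_enabled", False):
            missing.append(user["username"])
    return sorted(missing)


# Constructed sample data (not real projects or users).
SAMPLE_MEMBERS = {
    "repos/example-project-a": [
        {"id": 1, "username": "alice", "access_level": OWNER},
        {"id": 2, "username": "bob", "access_level": MAINTAINER},
        {"id": 3, "username": "carol", "access_level": 30},  # Developer only
    ],
    "repos/example-project-b": [
        {"id": 4, "username": "dave", "access_level": MAINTAINER},  # inherited
    ],
}
SAMPLE_USERS = {
    1: {"id": 1, "username": "alice", "two_factor_enabled": True},
    2: {"id": 2, "username": "bob", "two_factor_enabled": False},
    3: {"id": 3, "username": "carol", "two_factor_enabled": False},
    4: {"id": 4, "username": "dave", "two_factor_enabled": False},
}

if __name__ == "__main__":
    for name in find_privileged_without_2fa(SAMPLE_MEMBERS, SAMPLE_USERS):
        print(f"{name}: Maintainer/Owner somewhere, 2FA not enabled")
```

Carol is reported by neither function because Developer access falls below the threshold, while Dave is reported even though his access is inherited.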

Event Timeline

LSobanski triaged this task as Medium priority. Sep 25 2023, 3:35 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.

Mentioned in SAL (#wikimedia-releng) [2023-09-25T23:24:58Z] <brennen> gitlab: disabling separate 2fa policies for groups under /repos (T347295)

brennen added subscribers: thcipriani, brennen.

> Two factor authentication was enabled for groups with elevated privileges (like sre). Users outside of this group may also have elevated permissions through maintainer permissions in certain projects. This allows users to merge changes or schedule CI jobs in the trusted environment.

Noting that 2fa is currently mandated for all members of /repos. (Not, however, /toolforge-repos and /cloudvps-repos.) In general, we also check the 2fa box for project groups under /repos when creating them.

The intent on that one was always that contributors to officially hosted projects would have mandated 2fa, but re-reading the docs here, I noticed the "Allow subgroups to set up their own two-factor authentication rule" setting for groups, which was turned on for /repos:

2023-09-25-17:17:56.png (272×1 px, 35 KB)

I've unchecked that box.

I'm less sure than I would like to be how these settings behave in practice.

cc: @thcipriani

Things to confirm:

  • Every individual under any project in /repos should already be required to have 2fa (it would be terrible if it didn't work that way: let's confirm)
  • What about groups added to groups under /repos—although we should discourage this pattern (don't think it's in use currently)

Open questions:

  • Should this be enforced for other top-level groups—maybe cloud-services-team could chime in on that one? (tagging for this question)

Once we've confirmed and resolved the above, I think we can call this resolved.