Page MenuHomePhabricator
Create Task
Maniphest T361277

gitlab: enforce 2fa for admins
Closed, ResolvedPublic
Actions

Description

gitlab 16.8 release notes say:

You can now enforce whether GitLab administrators are required to use two-factor authentication (2FA) in their self-managed instance. It is good security practice to use 2FA for all accounts, especially for privileged accounts like administrators. If this setting is enforced, and an administrator does not already use 2FA, they must set up 2FA on their next sign-in.

It felt like we already do that but since this is advertised as a new feature since our upgrade yesterday/today we should check and enable it.

Details

TitleReferenceAuthorSource BranchDest Branch
require 2fa for adminsrepos/releng/gitlab-settings!60brennenwork/admin-2famain
Customize query in GitLab

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedeoghanT361277 gitlab: enforce 2fa for admins

Event Timeline

Dzahn created this task.Mar 28 2024, 6:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 6:32 PM
Dzahn added a parent task: Restricted Task.Mar 28 2024, 6:32 PM
LSobanski added subscribers: brennen, LSobanski.Mon, Apr 8, 3:22 PM

@brennen Any thoughts?

eoghan subscribed.Mon, Apr 8, 3:25 PM

https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-administrator-users is the docs for this setting

Aklapper added a comment.Tue, Apr 9, 10:47 AM

yes please because data

brennen edited projects, added Release-Engineering-Team, User-brennen, GitLab (Administration, Settings & Policy); removed GitLab.Thu, Apr 11, 5:34 PM

No objections here. In practice all current admins are probably already required to use 2fa due to membership in one or more groups that require it, but there's no harm in enabling the setting.

I don't see a key for this mentioned in https://docs.gitlab.com/ee/api/settings.html - digging a bit.

bd808 subscribed.Thu, Apr 11, 5:46 PM

I thought that was part of {T316419}, but apparently I was mistaken. +1 from me.

CodeReviewBot added a project: Patch-For-Review.Thu, Apr 11, 5:51 PM

brennen opened https://gitlab.wikimedia.org/repos/releng/gitlab-settings/-/merge_requests/60

Draft: require 2fa for admins

brennen added a comment.Thu, Apr 11, 5:52 PM

Although currently undocumented, it looks like it's require_admin_two_factor_authentication in the API, based on:

🌑 11:52:17 brennen@inertia:~/code/wmf/releng/gitlab-settings (work/admin-2fa *$%) ☼ ./settings --instance https://gitlab.wikimedia.org/ view|grep two
    "require_admin_two_factor_authentication": false,
    "require_two_factor_authentication": false,
    "two_factor_grace_period": 48,
Dzahn added a comment.Thu, Apr 11, 5:52 PM

Eoghan found out all existing admins already had 2fa enabled individually - but there are also some bot accounts that might need the admin rights. He mentioned testing if password login can be disabled for those bot accounts. Other than that we are all for this, ack!

brennen moved this task from Backlog to Needs/Waiting Review on the User-brennen board.Thu, Apr 11, 10:55 PM
LSobanski assigned this task to eoghan.Mon, Apr 15, 3:32 PM
LSobanski triaged this task as High priority.
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
eoghan closed this task as Resolved.Tue, Apr 23, 12:26 PM

I've enabled this setting, and approved @brennen's change to include this into the settings file.

gerritbot added a comment.Tue, Apr 23, 6:38 PM

Change #1012350 had a related patch set uploaded (by Dzahn; author: Aklapper):

[operations/puppet@production] phabricator: MFA status check: Exclude bot accounts

https://gerrit.wikimedia.org/r/1012350

CodeReviewBot added a comment.Wed, Apr 24, 10:07 PM

brennen merged https://gitlab.wikimedia.org/repos/releng/gitlab-settings/-/merge_requests/60

require 2fa for admins

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL