Credentials Management

[smlambert]

We have hit several cases recently where a broader set of team members would like to assist in testing/fixing infrastructure issues and there is not a standardized approach of sharing credentials securely. Not exactly sure how to address this, but definitely feel we need to introduce a way of dealing with credentials management.

This would allow us to:

• offload issues to a larger set of people who can assist with infrastructure (including EF infra team)
• reduce delays to fixes that are currently bottlenecked because only one or 2 people have access to some machines
• ensure that when credentials are shared, it is done is a sanctioned way

In the past, I believe we had LastPass or something like that set up. Not suggesting it be reintroduced, but created this issue to discuss what options we have available to us to improve the situation.

[aahlenst]

We have two kinds of secret material: Stuff we have to place on machines (like certificates, keys), and stuff needed by humans to manage those things. From my POV, the latter is where something needs to be done. First point of action would probably be organizational decisions:

• We, as a project, need to acknowledge that a lot of people invovled in this project need credentials for various tasks and for a varying amount of time (permanent vs. temporal access).
• We need to acknowledge that copy & pasting credentials into Slack is poor practice and does not scale.
• Organizational oversight is needed to ensure that secrets are properly stored, accessible to the relevant people and that good security practices (2FA, long passwords, audit trails) are in place.

From my POV, the minimal feature set for a password manager would be:

• 2FA login
• TOTP (one-time code generation)
• Group sharing with folders
• Ad-hoc sharing
• Secure notes/attachments
• User impersonation (admins can salvage credentials that haven't been properly shared)
• Audit trails for access, mutation

The general expectation should be that every person joining AdoptOpenJDK can and should get an account the first time they need a credential. So there shouldn't be any incentive (like monthly cost) to deny members an account.

For the moment, I do not think that discussing specific products would be beneficial. I'd rather discuss the organizational aspects and functional requirements.