Status: Closed (mogul closed this issue 7 years ago)
Note this PR which makes Concourse work with generic OAuth providers, not just GitHub.
Note also that the switchover should coincide with development of a formal process for gaining access.
I created a request but we need to create an endpoint for admin uaa.
Ideally there should be some sort of auditable log of access requests, creations, removals, etc., like for other types of privileged access.
UAA on tooling BOSH updated, and fronted with an ELB just for UAA access.
uaa: https://opauaa.fr.cloud.gov
login: https://opslogin.fr.cloud.gov
saml metadata: https://opslogin.fr.cloud.gov/saml/metadata
Things to note currently:
Marking blocked based on the GSA dependency
Integrated now with SecureAuth. Still waiting on https://github.com/concourse/concourse/pull/658 for ability to authorize by scope.
Leave it blocked for that reason, then?
Blocked on waiting on newest Grafana release so we can migrate metrics to using UAA over GitHub.
We have a current workaround for the Concourse/scope issue by just not auto-creating shadow accounts in UAA.
Script for creating accounts: https://github.com/18F/cg-scripts/blob/master/make-ops-admin.sh
Documentation updated: https://docs.cloud.gov/ops/managing-users/#managing-admins
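The comment above describes why the workaround is safe: Concourse cannot yet authorize by scope, so it effectively trusts any token the ops UAA issues, and the only thing standing between "any user in the SAML IdP" and "Concourse admin" is whether UAA creates an account for an unknown SAML user on first login. The following simulation is an added example, not code from cloud.gov, the linked make-ops-admin.sh script, or the Concourse project. It models the three configurations in play (shadow accounts auto-created with no scope check, shadow accounts disabled with no scope check, and the future scope check) and assumes the user names and the scope name `concourse.admin`, which are constructed for the example; the UAA option `addShadowUserOnLogin` named in a comment is a real UAA SAML provider setting that the page itself does not mention.

```python
"""Simulate the access-control effect of disabling UAA shadow-account creation.

Added example (not cloud.gov or Concourse code). Assumptions:
  - an ops UAA authenticates operators through an external SAML IdP;
  - Concourse trusts any token issued by that UAA and cannot check scope
    (the gap the linked Concourse pull request is meant to close);
  - user names and the scope name "concourse.admin" are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class Uaa:
    # Pre-provisioned accounts: username -> set of scopes (UAA groups).
    users: dict = field(default_factory=dict)
    # If True, a valid SAML assertion for an unknown user creates a shadow
    # account (in UAA this is the SAML provider setting addShadowUserOnLogin;
    # the page does not name it, so treat the mapping as an assumption).
    add_shadow_user_on_login: bool = True

    def saml_login(self, username):
        """Return a token dict for a user whose SAML assertion validated,
        or None if UAA refuses the login because the user is unknown."""
        if username not in self.users:
            if not self.add_shadow_user_on_login:
                return None  # not pre-provisioned: no account, no token
            # Shadow account: exists, but carries no admin scopes.
            self.users[username] = set()
        return {"sub": username, "scope": sorted(self.users[username])}


def concourse_authorize(token, require_scope=None):
    """Concourse's decision. With require_scope=None it models today's
    behaviour: any valid token from the trusted UAA grants access."""
    if token is None:
        return False
    if require_scope is None:
        return True
    return require_scope in token["scope"]


def simulate(add_shadow_user_on_login, require_scope=None):
    """Run one configuration for an ops admin (alice, pre-provisioned with
    the admin scope) and an IdP user who is not an operator (bob)."""
    uaa = Uaa(users={"alice": {"concourse.admin"}},
              add_shadow_user_on_login=add_shadow_user_on_login)
    return {name: concourse_authorize(uaa.saml_login(name), require_scope)
            for name in ("alice", "bob")}


if __name__ == "__main__":
    cases = [
        ("shadow accounts on, no scope check", True, None),
        ("shadow accounts off, no scope check (workaround)", False, None),
        ("shadow accounts on, scope check (after PR 658)", True, "concourse.admin"),
    ]
    for label, shadow, scope in cases:
        print(f"{label}: {simulate(shadow, scope)}")
```

Running it shows that with shadow accounts enabled and no scope check, bob is authorized purely because the IdP vouched for his identity; turning shadow-account creation off makes the set of pre-provisioned UAA accounts the allow-list, which is the property the make-ops-admin.sh workflow relies on; and a scope check would restore a proper authorization step so that account existence alone no longer implies admin rights.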
Splitting out metrics so this can be closed.
In order to ensure that people outside of the cloud.gov team cannot grant or gain administrator access to our deployment, we want Concourse to refer to an in-boundary MFA-enabled IDP for authn+authz rather than GitHub teams.
Acceptance criteria
Implementation sketch