cloud-gov / cg-atlas

Repository hosting issues and artifacts related to operations of the cloud.gov platform
Creative Commons Zero v1.0 Universal

Authenticate Concourse against in-boundary IDP #147

Closed mogul closed 7 years ago

mogul commented 8 years ago

In order to ensure that people outside of the cloud.gov team cannot grant or gain administrator access to our deployment, we want Concourse to refer to an in-boundary MFA-enabled IDP for authn+authz rather than GitHub teams.

Acceptance criteria

Implementation sketch

mogul commented 8 years ago

Note this PR which makes Concourse work with generic OAuth providers, not just GitHub.

mogul commented 8 years ago

Note also that the switchover should coincide with development of a formal process for gaining access.

dlapiduz commented 8 years ago

I created a request but we need to create an endpoint for admin uaa.

brittag commented 8 years ago

Ideally there should be some sort of auditable log of access requests, creations, removals, etc., like for other types of privileged access.

LinuxBozo commented 8 years ago

UAA on tooling BOSH updated, and fronted with an ELB just for UAA access.
uaa: https://opauaa.fr.cloud.gov
login: https://opslogin.fr.cloud.gov
saml metadata: https://opslogin.fr.cloud.gov/saml/metadata

Things to note currently:

mogul commented 8 years ago

Marking blocked based on the GSA dependency

LinuxBozo commented 7 years ago

Integrated now with SecureAuth. Still waiting on https://github.com/concourse/concourse/pull/658 for ability to authorize by scope.

mogul commented 7 years ago

Leave it blocked for that reason, then?

LinuxBozo commented 7 years ago

Blocked on waiting on newest Grafana release so we can migrate metrics to using UAA over github.

We have a current workaround for the Concourse/scope issue by just not auto-creating shadow accounts in UAA.
Script for creating accounts: https://github.com/18F/cg-scripts/blob/master/make-ops-admin.sh
Documentation updated: https://docs.cloud.gov/ops/managing-users/#managing-admins

LinuxBozo commented 7 years ago

Splitting out metrics so this can be closed.