Open shiragoodman opened 1 year ago
shiragoodman
commented
1 year ago @BillChapmanUSDS @humancompanion-usds FYI this came up in the Governance roadmap planning. We need to discuss the level of access we are giving VFS and Platform team members.
andreahewitt-odd
commented
10 months ago I want to call out a couple things:
shiragoodman
commented
10 months ago @andreahewitt-odd please see my responses:
- The write access also controls folks ability to edit and move tickets in Zenhub -- we need to discover what would happen if we changed the permissions for the repos in regards to that.
- Interesting thought. I had assumed Zenhub permissions were separate?
- Anything that is mission critical to VA.gov has checks before code is pushed -- so a designer can make updates to the read me with no oversight but not to the actual code without automated and manual checks. I think before we make any changes, we'd want to do discovery about the the journey for code to go from a contributor to production for all the repos. Some have internal team review on top of Platform reviews.
- Fair points. I think it also would be valuable to evaluate the repos we manage through the vets.gov-write gh team. Many look like they're no longer in use.
- Is this a security vulnerability that a security engineer/PO has defined or validate?
- Chelen was previously involved. I have informed Matt Dingee too. If you're asking if a security SME or OCTO PO has actually declared this a problem we need to solve? No. Just little old me raising what looks like it could be a security concern.
andreahewitt-odd
commented
10 months ago @shiragoodman Thanks for the responses! Zenhub invitation is separate but write access is what drives Zenhub permissions too and I'm not sure what repos VFS teams use for Zenhub. I would definitely suggest more discovery around this because if we do it the wrong way, we could slow down VFS teams.
I would chat with our security team to help determine if it is a security vulnerability -- that will also help you all determine priority. Ken would be a good resource!
little-oddball
commented
10 months ago @andreahewitt-odd - one security argument would be "blanket" access to so many repos and folks should have access to the least amount possible. I believe one challenge here is with the evolution of the permissions, etc. untangling is gonna be a tedious climb.
patrickvinograd
commented
10 months ago Some other random comments:
patrickvinograd
commented
10 months ago (I don't need to be involved in any decision making just providing some extra input as I've thought about the best way to structure this and helped teams figure out why they do/don't have access to things)
kenmayo
commented
10 months ago There's an argument to be made that this is a vulnerability, since we're not really following the principles of least privilege, but the counter to that is 1) Is Github capable of handling a more complex privilege structure? and 2) Does the Platform team want to manage a more complex privilege structure?
If the answers to both questions are yes, then it's just a matter of deciding how we want to break up privileges and manage them. If either is no, then we accept the risk and move on.
shiragoodman
commented
10 months ago Thanks for your input, @kenmayo . I can't answer your 1st question, but I can make an attempt to answer the 2nd.
For some context, we haven't always done things this way... If you look at the tickets linked in the lower part of the Problem Statement (#35154 and #39321), you can get an idea of when things changed. When I first joined Platform team in 2020, the vets.gov-write team was used for individual Platform team members only. However, VFS teams were still managed under the Teams tab... ie VFS teams were children of the parent team vets.gov-write. This was nice because:
I suppose that could be considered a more complex privilege structure. It's somewhat inline with what former Platform crew chief, Mike Chelen, had proposed in this comment.
@andreahewitt-odd I'll let you and Platform leadership make the call here. We're transitioning the tasks associated with granting vets.gov-write access over to @alyssagallion's team, Platform Support, so it seemed like a good time to raise these concerns, again. It sort of feels like we've been kicking the can down the road for a while now with this one, and it would be nice to have some closure.
andreahewitt-odd
commented
9 months ago @shiragoodman I think for now we just keep working as we have been and OCTODE can prioritize it if they see fit but I don't think it's higher priority than some of the other work in progress and in the backlog.
shiragoodman
commented
9 months ago Thanks @andreahewitt-odd . FYSA @alyssagallion
Problem Statement
VFS team members rely on Platform crew (through the Platform Orientation process) to add them to the vets.gov-write Github team so that they can get access to the common Github repositories used across VA.gov teams. The vets.gov-write github team was a carry over from the Vets.gov contract. It predates VSP, which has since been re-contracted as VA.gov Platform. It was decided that VSP, and then VA.gov Platform, would utilize vets.gov-write as the Platform github team. It was initially designed to support the read/write repo access that Platform teams need.
vets.gov-write gh team grants access to the following repositories within the VA Github Organization:
There are several problems with this current process, including the following:
Follow your problem description up with a "How might we... ___" statement re-framing that challenge as an opportunity. Don't hint too much at what the solution might be, you should have enough of a focal point here to guide your ideas, but plenty of freedom to think laterally and innovatively as you experiment and prototype later.
Hypothesis or Bet
How will this initiative impact the quality of VFS or Platform teams' work? How will this initiative be easy for VFS or Platform teams? Or how will it be easier than what they did before?
We will know we're done when... ("Definition of Done")
What requirements does this project need to meet for you to finish this initiative?
Known Blockers/Dependencies
List any blockers or dependencies for this work to be completed
Projected Launch Date
OCTO Objective and OKR:
Objective: Our digital experiences are the best way to access VA health care and benefits. OKR All new products have a faster transaction time than those they replaced.
Launch Checklist
Guidance (delete before posting)
This checklist is intended to be used to help answer, "is my Platform initiative ready for launch?". All of the items in this checklist should be completed, with artifacts linked---or have a brief explanation of why they've been skipped---before launching a given Platforminitiative. All links or explanations can be provided in Required Artifacts sections. The items that can be skipped are marked as such.
Keep in mind the distinction between Product and Initiative --- each Product needs specific supporting documentation, but Initiatives to improve existing Products should reuse existing documentation for that Product. VSP Product Terminology for details.
Is this service / tool / feature...
... tested?
... documented?
... measurable
When you're ready to launch...
Required Artifacts
Documentation
PRODUCT_NAME: directory name used for your product documentationTesting
Measurement
TODOs