Open RafaelGSS opened 1 month ago
ping @nodejs/build @nodejs/releasers for visibility
What is the difference between infra/admin in "Build - Test/Infra/Admin"?
What is the difference between infra/admin in "Build - Test/Infra/Admin"?
Perhaps "Admin" is supposed to encompass the two Jenkins admins groups (one for the test CI and one for the release CI)? But in that case it would only apply to the CI servers (and not the test/release machines themselves or any other resource on the list).
"Website Infra" needs to be clarified, or probably split. The Build WG in general doesn't have access to the Vercel set up.
Re. ² - Releasers has access to run CI during CI Embargo (Security Release)
the whole "Jenkins CI - test" row is different for CI Embargo (e.g. external and collaborators lose read access during the Embargo (but TSC and security triage retain read access)).
What is the difference between infra/admin in "Build - Test/Infra/Admin"?
Perhaps "Admin" is supposed to encompass the two Jenkins admins groups (one for the test CI and one for the release CI)? But in that case it would only apply to the CI servers (and not the test/release machines themselves or any other resource on the list).
Yes, that's my understanding. cc: @UlisesGascon
"Website Infra" needs to be clarified, or probably split. The Build WG in general doesn't have access to the Vercel set up.
Right, when we were discussing it we weren't aware of the roles and resources for nodejs.org, so we put Website Infra. Maybe @nodejs/web-infra can help us splitting it.
Re. ² - Releasers has access to run CI during CI Embargo (Security Release) the whole "Jenkins CI - test" row is different for CI Embargo (e.g. external and collaborators lose read access during the Embargo (but TSC and security triage retain read access)).
Would make sense to add an additional row for Embargo CI?
What is the difference between infra/admin in "Build - Test/Infra/Admin"?
We actually have
I can't quite remember but I think as a simplification we grouped all of the non-infra admins together. It might make more sense to have
test admins (test, github bot admins, test jenkins admins) infra admins release admins (release jenkins, release admins)
which I would shorten to test/release/infra
@richardlau what do you think?
What is the difference between infra/admin in "Build - Test/Infra/Admin"?
We actually have
* test * infra admins * jenkins admins * release jenkins admin * release admins * github bot admins
I can't quite remember but I think as a simplification we grouped all of the non-infra admins together. It might make more sense to have
test admins (test, github bot admins, test jenkins admins) infra admins release admins (release jenkins, release admins)
which I would shorten to test/release/infra
@richardlau what do you think?
If it makes it easier to summarise, sure. But e.g. test, github bot admins, test jenkins admins are three separate groups and being in one of those groups does not imply being in one of the others.
test/release/infra definitely makes more sense than test/infra/admin.
@richardlau understood about them being different groups, in a number of cases we've combined to make the table/assessment feasible.
That means that we may estimate the risk. If that leads to risks that are highlighted as the top risk being not quite right we might adjust but if the results are risks that even with the overestimate are acceptable the simplication is worth it and we'll leave as is.
@RafaelGSS
Resource | External People | web-infra/nodejs-website | Other teams |
---|---|---|---|
nodejs/release-cloudflare-worker1 | r | wr | r |
nodejs/api-doc-tooling2 | r | ww | r |
nodejs/nodejs.org | r | ww | r |
Sentry | - | aa | - |
Cloudflare Account | - | --3 |
1 The release worker isn't deployed yet (nodejs/build#3461) 2 Not being used yet (nodejs/node#52343) 3 Some have read access to parts of the Cloudflare account. Members of web-infra can deploy the release-cloudflare-worker via Github actions which writes to the Cloudflare account.
Blank for ones already included in the table above. Omitted archived repositories (nodejs/nodejs.org-archive, nodejs/node.js.org, nodejs/nodejs.dev)
Can't get the table to format but,
1 When the release worker gets deployed 2 No packages are being published yet but will be in the future (nodejs/api-docs-tooling#10)
@ovflowd can you comment on access to Vercel?
Hi folks, as part of Node.js Security initiative we have created a table of access per group based on available roles under Node.js org. We'd like to get some feedback/review. Feel free to edit the table if you think something is wrong (I can read the history and update our hackmd table).
The idea is to have a table of permissions and then look at the threats each role has and its impact on the nodejs organization.
Access per Group
Levels: (
-
) none, (r
) read, (w
) write, (a
) admin/owner (inspiration from https://mason.gmu.edu/~montecin/UNIXpermiss.htm)Additional notes:
secrets
, they might have different access level internally based on sub-groups.Repos under nodejs which do not include code, are not covered as they cannot lead to the threats listed. pkgjs.org is excluded as it does not include code/repos that make it into Node.js binaries