screwdriver-cd / screwdriver

An open source build platform designed for continuous delivery.
http://screwdriver.cd

Enhance RBAC to allow for default to be overridden for pipeline or individual jobs #2934

Open rmcalhoun63 opened 11 months ago

rmcalhoun63 commented 11 months ago

What happened: The Access Control is currently hard-coded and only covers 3 of the 5 supported GH roles. There is currently no way to override the Access Control model and require a higher level of access to start/stop a build or a job.

What you expected to happen: The Access Control should support an override setting for an entire pipeline and/or individual job such that the minimum role required to start and stop a job can be raised or lowered as desired. Additionally, all 5 supported GH roles (pull, triage, push, maintain, admin) should be supported.

This enhancement should also allow an override to the lower privilege of 'triage', which would resolve issue 2551.

Use cases: 1) For governance, a pipeline owner may need to restrict manual pipeline execution to someone with the "maintain" or "admin" role. 2) Per issue 2551, a pipeline owner may desire to allow users with the "triage" role the ability to start/stop the pipeline.

DekusDenial commented 2 months ago

Team is going to re-evaluate the feasibility with the github API.

DekusDenial commented 2 months ago

@tkyi what do you think of this endpoint? https://docs.github.com/en/enterprise-server@3.10/rest/teams/teams?apiVersion=2022-11-28#check-team-permissions-for-a-repository

tkyi commented 2 months ago

Seems reasonable. How will we get the team_slug? Also, it looks like there is the option of creating custom roles in GitHub Enterprise. Will we support those as well?

rmcalhoun63 commented 2 months ago

On the support of custom roles: if the check for allowing someone to start a job was looking for permissions to a specific endpoint instead of by role, then it could be very simple to support custom roles.

As an example, I have the custom role "bots_bypass" in all of the DSP Ads orgs. It is based on the "Write" access and adds the ability to override branch protection. In the past we were giving screwdriver admin so that it could merge changes directly to master. Primary use case was we maintained files that had the current deployed version of various components.

Giving this further thought, that might complicate the configuration for overrides to the default setting. A custom role always requires to be based off a default role, so maybe not straightforward. At the moment, I don't have a custom role that we assign to humans. Been waiting quite a while to get this enhancement so we can stop our developers from shooting us in the foot. Don't want to delay it further by requiring support for custom roles.
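
An added example, not part of the thread and not Screwdriver code: one way the check requested in the issue could work, ordering the five GitHub roles and resolving a job override before a pipeline override before a default, with a custom role ranked as the default role it is based on. The names `minRole`, `DEFAULT_MIN_ROLE` and `customRoleBase`, and the `push` default, are assumptions made for illustration.

```javascript
// Added example; minRole, DEFAULT_MIN_ROLE and customRoleBase are hypothetical names,
// not Screwdriver configuration keys.
const ROLES = ['pull', 'triage', 'push', 'maintain', 'admin']; // lowest to highest
const DEFAULT_MIN_ROLE = 'push'; // assumed default, for illustration only

// Rank a role name; a custom role is ranked as the default role it is based on.
function rank(role, customRoleBase = {}) {
  const base = ROLES.includes(role) ? role : customRoleBase[role];
  const idx = ROLES.indexOf(base);
  if (idx === -1) throw new Error(`unknown role: ${role}`);
  return idx;
}

// Highest role held, from a GitHub-style permissions object of booleans.
function highestRole(permissions) {
  for (let i = ROLES.length - 1; i >= 0; i--) {
    if (permissions && permissions[ROLES[i]] === true) return ROLES[i];
  }
  return null; // no access at all
}

// Most specific setting wins: job override, then pipeline override, then default.
function requiredRole(pipeline, jobName) {
  const job = (pipeline.jobs || {})[jobName] || {};
  return job.minRole || pipeline.minRole || DEFAULT_MIN_ROLE;
}

function canStartStop(permissions, pipeline, jobName, customRoleBase = {}) {
  const held = highestRole(permissions);
  if (held === null) return false;
  try {
    return rank(held) >= rank(requiredRole(pipeline, jobName), customRoleBase);
  } catch (e) {
    return false; // fail closed on a misspelled or unmapped role name
  }
}

// Constructed sample data.
const pipeline = {
  minRole: 'maintain', // pipeline-wide: raise the bar
  jobs: { lint: { minRole: 'triage' }, deploy: {}, release: { minRole: 'owner' } },
};
const triager = { pull: true, triage: true, push: false, maintain: false, admin: false };
const maintainer = { pull: true, triage: true, push: true, maintain: true, admin: false };

console.log(canStartStop(triager, pipeline, 'lint'));
console.log(canStartStop(triager, pipeline, 'deploy'));
console.log(canStartStop(maintainer, pipeline, 'deploy'));
console.log(canStartStop(maintainer, pipeline, 'release'));
```

The `release` job names a role that is neither a default role nor a mapped custom role, so the check denies everyone rather than falling back to a weaker requirement.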

DekusDenial commented 2 months ago

Another use case for a different kind of RBAC (not necessarily this one here) that I just ran into today:

A pipeline was changed from an org repo to a forked personal repo. Then that individual was either OOO or account was suspended, which prevents that pipeline from switching back to the original repo. If a pipeline was using a different RBAC based on org/team level, that pipeline would not have been bricked.