# Continuous integration and authorization for OpenBMC

Author: Brad Bishop !radsquirrel

Other contributors: None

Created: 2019-01-30

## Problem Description

The OpenBMC project maintains a number of Jenkins CI jobs to ensure incoming
contributions to the project source code meet a level of quality. Incoming
contributions can be made by the general public - anyone with a GitHub account.
However unlikely, it is possible for a bad actor to make code submissions that
attempt to compromise project resources, e.g. build systems, and as such some
amount of authorization of contributors must occur to provide some level of
protection from potential bad actors.

The project already has contributor authorization for CI. This proposal serves
to describe the drawbacks of the current solution and propose an alternative
that addresses those drawbacks.

## Background and References

The current authorization solution checks the user for membership in the
openbmc/general-developers GitHub team. If the contributor is a member of the
team (or a general-developers sub-team), the automated CI processes are
triggered without any human intervention.
If the contributor is not a member of
the general-developers team, manual intervention (ok-to-test) is required by a
project maintainer to trigger the automated CI processes.

Additional reading:

- https://en.wikipedia.org/wiki/Continuous_integration
- https://jenkins.io/
- https://help.github.com/articles/about-organizations/

## Requirements

The existing method for authorization has a singular problem - the GitHub
organization owner role. In order for contributors to be added to the
openbmc/general-developers GitHub team, the contributor must first be a member
of the openbmc GitHub organization. Only organization owners can invite GitHub
users to become members of an organization. Organization owners have
unrestricted access to all aspects of the project - it would be unwise to bestow
organization ownership for the sole purpose of enabling
openbmc/general-developers group membership administrative capability.

An alternative authorization method for CI should:

- Not require the GitHub organization owner role to administer the list of users
  authorized for CI.
- Enable a hierarchical trust model for user authorization (groups nested within
  groups).

## Proposed Design

The proposal is to simply migrate the current openbmc/general-developers GitHub
team, and all subordinate teams, to Gerrit groups:

group: `openbmc/ci-authorized`

group: `xyzcorp/ci-authorized`

group: `abccorp/ci-authorized`

The openbmc/ci-authorized group can contain users that are not associated with
any specific organization, as well as organizational groups:

group: `openbmc/ci-authorized` contains ->

group `xyzcorp/ci-authorized`

group `abccorp/ci-authorized`

user `nancy`

user `joe`

This proposal also specifies a convention for administration of organizational
groups:

group: `xyzcorp/ci-authorized-owners` administers -> `xyzcorp/ci-authorized`

group: `abccorp/ci-authorized-owners` administers -> `abccorp/ci-authorized`

group: `openbmc/ci-authorized` administers -> `openbmc/ci-authorized`

Finally, any Jenkins CI jobs must be updated to test for membership of the
Gerrit group instead of the GitHub team.

New organizational groups (and associated owner groups) will be created when a
CCLA is signed and accepted by the project.
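
The nested-group membership test and the owner-group convention described above, as an added sketch that is not OpenBMC or Gerrit code. It assumes the group data has already been fetched into a dictionary; the users `alice` and `bob` and all function names are hypothetical.

```python
# Constructed sample data mirroring the proposal's layout; alice and bob are
# hypothetical members of the organizational groups.
GROUPS = {
    "openbmc/ci-authorized": {
        "users": {"nancy", "joe"},
        "includes": {"xyzcorp/ci-authorized", "abccorp/ci-authorized"},
    },
    "xyzcorp/ci-authorized": {"users": {"alice"}, "includes": set()},
    "abccorp/ci-authorized": {"users": {"bob"}, "includes": set()},
    "xyzcorp/ci-authorized-owners": {"users": {"alice"}, "includes": set()},
    "abccorp/ci-authorized-owners": {"users": {"bob"}, "includes": set()},
}

# Administration convention exactly as listed in the proposal.
OWNERS = {
    "xyzcorp/ci-authorized": "xyzcorp/ci-authorized-owners",
    "abccorp/ci-authorized": "abccorp/ci-authorized-owners",
    "openbmc/ci-authorized": "openbmc/ci-authorized",
}

def is_member(user, group, groups=GROUPS):
    """True if user is a direct or nested member of group."""
    seen, stack = set(), [group]
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # already visited: guards against include cycles
        seen.add(name)
        entry = groups.get(name)
        if entry is None:
            continue  # unknown group grants nothing (fail closed)
        if user in entry["users"]:
            return True
        stack.extend(entry["includes"])
    return False

def ci_decision(user, root="openbmc/ci-authorized", groups=GROUPS):
    """Trigger CI for authorized users; otherwise wait for a maintainer."""
    return "trigger" if is_member(user, root, groups) else "needs-ok-to-test"

def may_administer(user, group, groups=GROUPS, owners=OWNERS):
    """True if user belongs to the group that administers `group`."""
    owner_group = owners.get(group)
    return owner_group is not None and is_member(user, owner_group, groups)
```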

## Alternatives Considered

Assigning GitHub organization owner roles to organizational group administrators
was considered but is a major violation of the least-privilege-required
principle.

## Impacts

GitHub has vastly superior load balancing and backup capability so there is a
potential for decreased service availability and data loss.

## Testing

Deploy on a live production server