# Continuous integration and authorization for OpenBMC

Author:
  Brad Bishop !radsquirrel

Primary assignee:
  Brad Bishop !radsquirrel

Other contributors:
  None

Created:
  2019-01-30

## Problem Description

The OpenBMC project maintains a number of Jenkins CI jobs to ensure incoming
contributions to the project source code meet a level of quality. Incoming
contributions can be made by the general public - anyone with a GitHub account.
However unlikely, it is possible for a bad actor to make code submissions that
attempt to compromise project resources, e.g. build systems, and as such some
amount of authorization of contributors must occur to provide some level of
protection from potential bad actors.

The project already has contributor authorization for CI. This proposal serves
to describe the drawbacks of the current solution and propose an alternative
that addresses those drawbacks.

## Background and References

The current authorization solution checks the user for membership in the
openbmc/general-developers GitHub team. If the contributor is a member of the
team (or a general-developers sub-team), the automated CI processes are
triggered without any human intervention.
If the contributor is not a member of
the general-developers team, manual intervention (ok-to-test) is required by a
project maintainer to trigger the automated CI processes.

Additional reading:

 - https://en.wikipedia.org/wiki/Continuous_integration
 - https://jenkins.io/
 - https://help.github.com/articles/about-organizations/

## Requirements

The existing method for authorization has a singular problem - the GitHub
organization owner role. In order for contributors to be added to the
openbmc/general-developers GitHub team, the contributor must first be a member
of the openbmc GitHub organization. Only organization owners can invite GitHub
users to become members of an organization. Organization owners have
unrestricted access to all aspects of the project - it would be unwise to bestow
organization ownership for the sole purpose of enabling
openbmc/general-developers group membership administrative capability.

An alternative authorization method for CI should:

 - Not require the GitHub organization owner role to administer the list of
   users authorized for CI.
 - Enable a hierarchical trust model for user authorization (groups nested
   within groups).

## Proposed Design

The proposal is to simply migrate the current openbmc/general-developers GitHub
team, and all subordinate teams, to Gerrit groups:

group: `openbmc/ci-authorized`

group: `xyzcorp/ci-authorized`

group: `abccorp/ci-authorized`

The openbmc/ci-authorized group can contain users that are not associated with
any specific organization, as well as organizational groups:

group: `openbmc/ci-authorized` contains ->

  group `xyzcorp/ci-authorized`

  group `abccorp/ci-authorized`

  user `nancy`

  user `joe`

This proposal also specifies a convention for administration of organizational
groups:

group: `xyzcorp/ci-authorized-owners` administers -> `xyzcorp/ci-authorized`

group: `abccorp/ci-authorized-owners` administers -> `abccorp/ci-authorized`

group: `openbmc/ci-authorized` administers -> `openbmc/ci-authorized`

Finally, any Jenkins CI jobs must be updated to test for membership of the
Gerrit group instead of the GitHub team.

New organizational groups (and associated owner groups) will be created when a
CCLA is signed and accepted by the project.
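
The following is an added example, not code from the OpenBMC project: a small model of the nested-group check a CI job would make and of the delegated administration convention above. The data is constructed; user names other than `nancy` and `joe`, and the function names, are hypothetical.

```python
# Added example with constructed data; not OpenBMC's Jenkins or Gerrit code.
ROOT = "openbmc/ci-authorized"

# group -> (directly included groups, direct users). Every user name other
# than nancy and joe is hypothetical.
GROUPS = {
    ROOT: (["xyzcorp/ci-authorized", "abccorp/ci-authorized"], ["nancy", "joe"]),
    "xyzcorp/ci-authorized": ([], ["xyz-dev"]),
    "abccorp/ci-authorized": ([], ["abc-dev"]),
    "xyzcorp/ci-authorized-owners": ([], ["xyz-admin"]),
    "abccorp/ci-authorized-owners": ([], ["abc-admin"]),
}

# group -> group whose members administer it, per the proposal's convention.
OWNER = {
    ROOT: ROOT,
    "xyzcorp/ci-authorized": "xyzcorp/ci-authorized-owners",
    "abccorp/ci-authorized": "abccorp/ci-authorized-owners",
}


def effective_members(group, groups=GROUPS):
    """Return every user reachable from `group` through nested groups."""
    members, seen, stack = set(), set(), [group]
    while stack:
        name = stack.pop()
        if name in seen or name not in groups:
            continue  # ignore inclusion cycles and dangling group names
        seen.add(name)
        subgroups, users = groups[name]
        members.update(users)
        stack.extend(subgroups)
    return members


def ci_decision(user, groups=GROUPS):
    """Authorized users trigger CI; everyone else waits for ok-to-test."""
    if user in effective_members(ROOT, groups):
        return "trigger"
    return "needs-ok-to-test"


def add_user(actor, group, user, groups=GROUPS):
    """Add `user` to `group` if `actor` is in that group's owner group."""
    owner = OWNER.get(group)
    if owner is None or actor not in effective_members(owner, groups):
        raise PermissionError(f"{actor} may not administer {group}")
    groups[group][1].append(user)
```

In this model a user added to an organizational group by that organization's owners becomes CI-authorized at the root without any project-level action, which is the trust being delegated. Owner checks here resolve nested groups too, so the self-administered root group is editable by every nested member of the model; that is a property worth checking against the intended owner set.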

## Alternatives Considered

Assigning GitHub organization owner roles to organizational group administrators
was considered but is a major violation of the least-privilege-required
principle.

## Impacts

GitHub has vastly superior load balancing and backup capability so there is a
potential for decreased service availability and data loss.

## Testing

Deploy on a live production server