GitHub/GHE Project

From MozillaWiki

IT GitHub Project Overview

Purpose

IT will be managing and supporting GitHub (GH) Organizations (Orgs) in order to provide more consistent support and security posture, and to grow capabilities (e.g. SAML).

This is primarily accomplished by an IT team (ghe-admins@mozilla.com) having ownership rights in the org.

IT Involvement in KTLO (Keeping The Lights On)

IT admins will be involved in the following, plus other things, as needed:

  • Membership maintenance (on-boarding and off-boarding.)
  • Private repository creation/recording
    • Private repositories are a cost concern and a privacy/security concern, and because they are hidden they often end up orphaned, so we record them so that SOMEONE knows about them.
    • If the GitHub organization is small and/or task focused, this may be relaxed; reach out to ghe-admins@mozilla.com for more information.
  • Interfacing with GitHub support if needed
  • Working with IR (Incident Response) and CPG (Community Participation Guidelines) teams around issues that concern them

Managing Org Ownership permissions

One of the known security changes we're working to implement is to limit the number of people with org owner permissions wherever possible. As part of induction, we'll be reaching out to the people with owner permissions and asking whether they need them (at all, and in light of the duties that IT is now taking on).

  • Owners in GitHub have complete "root" level rights to every repository and to all settings in the org, so we want to limit this to "definitely needed" cases.
  • Some actions that need owner-level access also require security review. Limiting who has ownership is a way to make sure that the workflows are followed:
    • Transferring repos out of the org - specifically to non-Mozilla spaces
    • Adding Apps & Actions to the org.
    • Others
  • There are Auth0, Duo and GHE costs related to keeping them, plus various bits of upkeep, so we would like to remove them where feasible.
  • Any remaining org owners will be required to have a "root" account, separate from their "daily driver" or "mortal" account.

For more information on what ownership vs membership roles are, this link from GitHub outlines that. Note that if the desire is simply to have full access to all repositories in the org, we can do that without ownership rights. Also, other workarounds exist for many of the rights - we're happy to discuss.

Ways to Reach IT

Unifying Secops Posture

Secops has been involved in the day-to-day maintenance of several orgs, but with IT admins taking that over, Secops is able to focus on policy and procedure, making sure that while there may be several policies to follow, they are standardized (or as similar as is reasonable) and documented in some form.

GHE/SAML

One of the goals of this is to make on-boarding/off-boarding more consistent. In that vein, we're migrating organizations to GitHub Enterprise (GHE) and working to enable SAML linkages to help us identify and communicate with them.

More information on the specific GHE/SAML process, and questions around it can be found here.