Closed Bug 1199086 Opened 10 years ago Closed 9 years ago

add ability for groups to require their members use 2fa, and generate a report to group owners

Categories

(bugzilla.mozilla.org :: General, defect, P3)

Production
defect


RESOLVED DUPLICATE of bug 1364233

People

(Reporter: glob, Unassigned)


add the ability for groups to require their members use 2fa.
If possible, I would like to make use of this ability when 2FA is made mandatory for security groups in a couple weeks.
Priority: -- → P3
An interim workaround is to view the account history for each group member from the group administration page. Since MFA is a new feature, the log entry for enabling it is easy to spot. NOTE: there are some users you may not be able to view.
https://bugzilla.mozilla.org/page.cgi?id=group_members.html also shows if 2fa is enabled (if you have the required bits set on your account).
this has sat untouched for a while because it's hard - eg. what happens when a user without 2fa enabled is added to a group that requires 2fa?

following discussions with security we can be served by creating a report for group owners to action instead of system-level enforcement.

- add boolean to each group: "Notify group owner if members do not have MFA enabled"
- requires a group owner who isn't nobody@mozilla.org
- execute a nightly script that generates the report
- the report should show all group members, direct and inherited
- for indirect group members, the report should show the group the user is a member of that caused them to be included, as well as that group's owner
Assignee: glob → nobody
Summary: add ability for groups to require their members use 2fa → add ability for groups to require their members use 2fa, and generate a report to group owners
(In reply to Byron Jones ‹:glob› from comment #4)
> this has sat untouched for a while because it's hard - eg. what happens when
> a user without 2fa enabled is added to a group that requires 2fa?

Why would it permit them to be added?
(In reply to Richard Soderberg [:atoll] from comment #5)
> (In reply to Byron Jones ‹:glob› from comment #4)
> > this has sat untouched for a while because it's hard - eg. what happens when
> > a user without 2fa enabled is added to a group that requires 2fa?
>
> Why would it permit them to be added?

If group regexp changes, for instance. Or the group-group membership changes, is what I suspect glob means here (we had a chat about it).

The following things would have to be guarded to prevent it from happening:

1) group regexp changes to include users that don't have 2fa
2) group A contains N users without 2fa, group B requires 2fa. Group A is added to Group B. What happens here? Do we remove the users from group A that do not have 2fa? Do we prevent Group A from being added to Group B? Either of these situations requires examining the group inheritance tree.
3) a combination of 1 and 2 happens.

Code-wise this is a medium challenge. UI-wise it would probably require lots of changes.
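A sketch of the owner report proposed earlier in this thread, including the group-in-group walk discussed above, added here as an example and not Bugzilla's own code. The dict-based data model, the field names `notify` and `includes`, and the sample accounts are assumptions constructed for illustration; regexp-based membership is not modelled.

```python
# Added example: hypothetical data model, not Bugzilla's schema or code.
NOBODY = "nobody@mozilla.org"

def expand(groups, root):
    """Yield (user, via_group) for direct and inherited members of root.

    via_group is the group the user directly belongs to. The seen set
    stops cycles in group-in-group membership from looping forever.
    """
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for user in sorted(groups[name]["members"]):
            yield user, name
        stack.extend(sorted(groups[name]["includes"]))

def mfa_report(groups, mfa_enabled):
    """Return {group: rows} for groups that opted in and have a real owner."""
    report = {}
    for name, g in sorted(groups.items()):
        if not g["notify"] or g["owner"] == NOBODY:
            continue  # flag unset, or no owner to send the report to
        # Users missing from mfa_enabled are treated as not enrolled.
        report[name] = [
            {"user": u, "mfa": mfa_enabled.get(u, False), "via": via,
             "via_owner": groups[via]["owner"], "inherited": via != name}
            for u, via in expand(groups, name)]
    return report

# Constructed sample data; "triage" and "core-security" include each other.
GROUPS = {
    "core-security": {"owner": "sec-owner@example.com", "notify": True,
                      "members": {"alice@example.com"}, "includes": {"triage"}},
    "triage": {"owner": "triage-owner@example.com", "notify": False,
               "members": {"bob@example.com"}, "includes": {"core-security"}},
    "legacy": {"owner": NOBODY, "notify": True,
               "members": {"carol@example.com"}, "includes": set()},
}
MFA = {"alice@example.com": True, "bob@example.com": False}

if __name__ == "__main__":
    for group, rows in mfa_report(GROUPS, MFA).items():
        for r in rows:
            if not r["mfa"]:
                print(group, r["user"], "via", r["via"], "owner", r["via_owner"])
```

A user reachable through more than one included group appears once per path, so the owner sees every membership that would need to change.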
In bug 1364233 I'm suggesting a new approach to doing this which reduces the amount of changes needed. Closing this.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Resolution: INCOMPLETE → DUPLICATE