Open Bug 1685143 Opened 5 years ago Updated 9 hours ago

automate revoking access

Categories

(Socorro :: Webapp, task, P1)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: willkg, Assigned: hafzal)

Details

(Whiteboard: [cringe])

Attachments

(3 files)

A while back, we added an auditgroups job that ran once a week and audited the protected data group, removing users who hadn't logged in for a while or didn't meet certain criteria.

We want to enhance that by revoking access and expiring API tokens for users with protected data access who are no longer with Mozilla.

Jason suggests we can use the PersonAPI to do this:

https://github.com/mozilla-iam/cis/blob/master/docs/PersonAPI.md

This bug covers looking into that and, if it's viable, doing it.

We might even be able to skip the whole auto-verification thing and implement a webhook that CIS can hit that triggers revoking:

https://github.com/mozilla-iam/cis/blob/master/docs/Hooks.md

Once we figure this out for Socorro, we should open up a bug and do the same thing for Tecken.

Grabbing this to do this quarter.

Assignee: nobody → willkg
Status: NEW → ASSIGNED

Bumping bugs off my queue because I'm not going to get to them any time soon.

Assignee: willkg → nobody
Status: ASSIGNED → NEW
Assignee: nobody → hafzal
Status: NEW → ASSIGNED

See also: bug-1895320 and bug-1480858 as they show extra context about the problem.

Whiteboard: [cringe]
See Also: → 1895320

Once we have a finalized plan for the work, we should make sure bug 1480858 and bug 1895320 are updated accordingly (e.g. marked as duplicates or otherwise), and we should ensure that the JIRA analog is associated with an epic for tracking purposes.

Attachment #9586851 - Attachment is patch: true
Attachment #9586851 - Attachment description: PR to add the Auth0 management API endpoint → [mozilla/webservices-infra] chore(socorro): add auth0 users api endpoint to config (#11011)
Attachment #9586851 - Attachment is patch: false
Attachment #9586851 - Attachment mime type: text/plain → text/x-github-pull-request

I have verified that the new AUTH0_MANAGEMENT_API_ENDPOINT env variable is in the Socorro environment.
