Assess use of external addon Atlassian Cloud / Github for Jira in Mozilla's GitHub organization mozilla-mobile
Categories: mozilla.org :: Github: Administration, task
Tracking: Not tracked
People: Reporter: sarah, Assigned: cknowles
Attachments: 2 files
I want to use the Atlassian Cloud (which I believe connects to Github for Jira in our Jira instance) addon in mozilla-mobile organization for the following reasons:
Below are my answers to your stock questions:
** Which repositories do you want to have access? (all or list)
mozilla-vpn-client
** Are any of those repositories private?
no
** Provide link to vendor's description of permissions needed and why
This should be the same GitHub app that a number of orgs at Mozilla already use, e.g. FxA (github.com/mozilla/fxa). I want the thing that allows us to link PRs between GitHub and Jira that other Jira projects are already integrating with. I'm not intentionally asking for something different.
Comment 1 • 3 years ago (Assignee)
So, AFAIK, there are two different apps that the Jira team uses to link GitHub repos to Jira - the Jira app from Atlassian https://github.com/marketplace/jira-software-github and the Unito app.
Normally we get these requests from the Jira support team, specifically :jdirx, as there's apparently some level of setup/help needed to make things go through.
So I'm setting a needinfo for them, so they can weigh in, and help you with any needed setup.
Comment 2 • 3 years ago (Assignee)
Ah. Apologies. This is utterly different. This is for a different OAuth app altogether. (Got the bug before I got your email)
Since this is OAuth, I'm NI'ing Secops, as they'll have to look at things and figure out recommendations.
Secops - https://github.com/orgs/mozilla-mobile/policies/applications/1029093 is the request, and it's more an omni-app - rather than just Jira or things, it appears to cover ALL of the Atlassian Cloud integration.
Comment 3 • 3 years ago
For our part (Jira/Atlassian admins), the GitHub for Jira app is the one we use with the Mozilla Jira instance: https://marketplace.atlassian.com/apps/1219592/github-for-jira?tab=overview&hosting=cloud and is the one approved already that we recommend.
Comment 4 • 3 years ago (Reporter)
Comment 5 • 3 years ago (Reporter)
:jdirks has linked to the Atlassian app that's already approved in our Jira instance.
When I go into our Jira project, under toolchains I see GitHub for Jira.
From there I need to add the GitHub repo. When I do that I am linked through to GitHub and need to authorize the Atlassian Cloud app - screenshot above.
It seems like this app must be already approved somehow for other Mozilla repos because other Jira projects have this connection set up, e.g. github.com/mozilla/fxa and one that James Dirks was showing me.
Comment 6 • 3 years ago
I'm attaching a screenshot of what I see as Jira admin. I discussed further with Sarah and for some reason, when the app is requested from the Jira project side under project settings, it points to the "Atlassian Cloud" app, but we've confirmed that the 'GitHub for Jira' app is what is needed and as we mentioned, it's already in use/approved on other specific repos, so this request will be to have it approved/enabled on the mozilla-mobile/mozilla-vpn-client repo.
Comment 7 • 3 years ago
Comment 8 • 3 years ago (Assignee)
I now see a request for the Jira app for that repo - which is what I would have expected - so I'm guessing the problem is one of who's making the request, and what their permissions in the org/repo are.
However, we're in a moratorium on adding Jira app permissions to new repos, due to a secops concern with some recent changes that Atlassian has made to the app (per bug 1799054). As part of that bug, I'm now setting a needinfo for Hal to weigh in.
Hal - The Jira app is in the mozilla-mobile org, and it's requesting the same updated permissions, and we have a request to add it to a new repo in that org - please advise.
Comment 9 • 3 years ago
:cknowles -- I think the "unusual screens" is a function of jdirks & birdsarah approaching the connection from the Atlassian side, and we operate from the GitHub side. We also have a terminology problem, because GitHub. Let's see if I can simplify.
The business need is to allow Jira to interact with mozilla-mobile/mozilla-vpn-client. <== easy peasy
This requires coordinated action by both a GitHub admin (cknowles) and a Jira (jdirks) admin, so neither Atlassian nor GitHub provide a reasonable request form. Thus, every such request from someone who just wants it to work (birdsarah) is doomed to cause confusion. Which is to say, of course we're staring at a Gordian Knot.
The good news is that this knot has already been untied, as both James & Chris mention.
The bad news is that GitHub terminology & complexity have blown stinging smoke into our eyes via their poor app permission structure.
Fortunately, A Mighty Wind just blew through, and I can see the path forward!!!!
Next steps (needinfo set on actors):
- :cknowles this boils down to approving the request :jdirks recently opened, to add a repo to an already approved GitHub App. Adding an additional repo does not update the GitHub App itself, so you're not actually blocked by bug 1799054. Go ahead and add the repo. (You're 100% right that if this was the first repo to be added to the GitHub App in the org, it would be blocked.)
- :birdsarah from attachment 9308592, it looks like you (personally) granted the Atlassian OAuth App permissions to your account. Please return to that page and click the "Revoke access" button. (OAuth apps are signed blank checks - the app can do anything it wants as you to any private repo you have access to, even those in your own, personal, GitHub account.)
Clearly, I've had too much sugar today, so excuse the tone -- I'm 97% sure I got the technical stuff right!
Comment 10 • 3 years ago (Reporter)
Loving this response. Thanks :hwine
I agree that we now have a complete and entertaining understanding of the situation.
Comment 11 • 3 years ago (Reporter)
:jdirks I think that after :cknowles approves the request you submitted from the GitHub side you will need to update the config for the VPN Jira project.
Comment 12 • 3 years ago (Assignee)
Alright, I'll update bug 1799054 to reflect that the update refers to NEW orgs only. (bug 1799054 comment 5 does have me stating the "any" adds for confirmation ... which I didn't have in the bug yet, but out of an abundance of caution... etc.)
Also, I still have the Atlassian Cloud approval hanging out for the org - I've denied that.
And finally, I've hit the button to approve the app for the mozilla-vpn-client, so I think we're done with the GitHub side here.
Obviously, if I'm incorrect or there's other bugaboos that raise their heads, please let me know.