Closed Bug 813987 Opened 8 years ago Closed 6 years ago

Enable Persona login for some (all?) groups of users (remove them from the "no-browser-id" group)

Categories

(bugzilla.mozilla.org :: Administration, task)

Production
task
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: gerv, Unassigned)

References

Details

The BrowserID/Persona integration in Bugzilla has now been in production for some time, with no security problems reported. It would be nice to roll this login type out to a greater proportion of Bugzilla users.

Currently, anyone who is a member of any of the following groups is prohibited from using BrowserID:

admin
bz_sudoers
addons-security
autoland
bugzilla-security
bugzilla-security-team
client-services-security
client-services-security-team
core-security
generic-assignees
hr
infrasec
legal
mozilla-services-security
payments-confidential
privacy-team
security-group
security-release-team
tamarin-security
tamarin-security-team
websites-security
websites-security-team
webtools-security
webtools-security-team

Is there a particular reason to retain any of these groups in no-browser-id?

If we as Mozilla are now confident in the BrowserID infrastructure, then it seems to me that the risk profile is very similar to the current email-based logins. Loss of a password (Bugzilla or BrowserID) leads to compromise in either case. Loss of control of email account leads to compromise in either case. But with BrowserID, at least theoretically, people can use an ID with 2-factor auth or whatever security they want.

People who are individually concerned can, of course, request that their account be added to the no-browser-id group directly.

Gerv
Summary: Remove some (all?) groups from the "no-browser-id" group → Enable Persona login for some (all?) groups of users (remove them from the "no-browser-id" group)
Mozilla is now using BrowserID for controlling access to MoCo monthly meetings on Air Mozilla, which is another endorsement of it from elsewhere in the organization.

dkl, glob: what do you think?

Gerv
(In reply to Gervase Markham [:gerv] from comment #1)
> Mozilla is now using BrowserID for controlling access to MoCo monthly
> meetings on Air Mozilla, which is another endorsement of it from elsewhere
> in the organization.
> 
> dkl, glob: what do you think?
> 
> Gerv

I am fine except it still may be good to keep admin, editusers, and editgroups in the no-browser-id group since those can get you access to everything if compromised. Maybe even Legal as well which you may want to verify with them first.

dkl
I'll talk to Harvey about the legal group at our next status meeting.

Gerv
I haven't had a chance to talk to Harvey yet, but we don't have to do this all at once. I suggest we go ahead and remove all groups from no-browser-id except admin, editusers, editgroups and legal. We can remove legal later once I get the OK.

Gerv
(In reply to Gervase Markham [:gerv] from comment #4)
> I haven't had a chance to talk to Harvey yet, but we don't have to do this
> all at once. I suggest we go ahead and remove all groups from no-browser-id
> except admin, editusers, editgroups and legal. We can remove legal later
> once I get the OK.
> 
> Gerv

Done. Will close this as I am pretty sure what Legals answer will be. Ping me/glob in irc/email if you need to have Legal removed from the group. 

dkl
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
It probably would have been good to engage the security teams before this decision was made.  Please reverse the change as Persona does not yet have all of the features we want in place before using it for high risk data.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
And did you ever figure out why fetching Persona files makes Bugzilla crawl? Clearly it's (Persona or the integration) not yet up to the challenge of wide spread usage. Personally, I'd like to remain in the no-browser-id group until such problems get fixed.
:wicked: being in the group or not has no effect on the markup Bugzilla sends you or the files it downloads.

If you think Persona's server has a performance problem, I would highly encourage you to file a bug about it.

Gerv
(In reply to Yvan Boily [:ygjb][:yvan] from comment #6)
> It probably would have been good to engage the security teams before this
> decision was made.  Please reverse the change as Persona does not yet have
> all of the features we want in place before using it for high risk data.

Security groups added back. Sorry for moving on this before proper verification.

dkl
This request was not just for the security groups; all of the groups should be reverted.

I am adding an additional comment that will only be visible to security group members with my rationale.
(In reply to Yvan Boily [:ygjb][:yvan] from comment #10)
> This request was not just for the security groups; all of the groups should
> be reverted.

I added back the other groups into no-browser-id.
Yvan: that makes sense. We'll wait for the Persona team to make the enhancements you request before flipping the switch again. Sorry for any confusion.

Gerv
I've updated my blog post and followed-up my s-g message.

Gerv
I checked with Harvey; when we get to the stage of doing this again, we should keep "legal" in the "no-browser-id" group.

Gerv
(In reply to Gervase Markham [:gerv] from comment #15)
> I checked with Harvey; when we get to the stage of doing this again, we
> should keep "legal" in the "no-browser-id" group.
> 
> Gerv

Should we close this then for now and file a new bug when we are ready to make another go at it or leave this bug open for the time being?

dkl
I don't see any need for another bug; this one will be fine.

Gerv
Nominating bug 759452 as a blocker for this. Now that my Persona password is not "BenAdida" I cannot remember it, just like I cannot remember my bmo password. It seems like a good idea to allow (if not require) at least security-group to use non-memorable passwords for Persona.
Depends on: 759452
Yvan: any news on the issues you mention in comment 11?

Gerv
Yvan: ping?

gerv
Flags: needinfo?(yboily)
Yvan: is Persona now in a state where you would be more comfortable enabling more users to log in to BMO with it?

Gerv
Yes.  I advocated this a long time ago!
Flags: needinfo?(yboily)
OK... so if Mozilla security are no longer objecting, it seems to me that we are back on with the plan to "remove all groups from no-browser-id except admin, editusers, editgroups and legal."

Gerv
We plan to make this change soon after Portland.

Gerv
Curious, what's has improved that's allowed this change?

(I was under the impression that there were some risks involved in doing this, but I don't know if any risk review or security review was performed)
Flags: needinfo?(yboily)
(In reply to Joe Stevensen [:joe] from comment #25)
> Curious, what's has improved that's allowed this change?
> 
> (I was under the impression that there were some risks involved in doing
> this, but I don't know if any risk review or security review was performed)

Plus is it no longer actively maintained or at least not a tier1 service? We may still need
to exclude members of security related groups in Bugzilla from using it.

dkl
There is still a community maintaining it and Mozilla has guaranteed support and SLAs for its servers for the next 9 months at least. Callahad is the man most involved.

Given that the service is the same and the same people are still running the servers, I don't think it's got less secure since it got signed off on.

Gerv
Comment 11 contains the two requirements that we would like to see resolved before enabling this for secure groups.  This still hasn't been met, so our position hasn't really changed.
Flags: needinfo?(yboily)
(In reply to Yvan Boily [:ygjb][:yvan] from comment #28)
> Comment 11 contains the two requirements that we would like to see resolved
> before enabling this for secure groups.  This still hasn't been met, so our
> position hasn't really changed.

ah, i suspect the confusion stems from:

(Gervase Markham [:gerv] from comment #21)
> Yvan: is Persona now in a state where you would be more comfortable enabling
> more users to log in to BMO with it?

(Yvan Boily [:ygjb][:yvan] from comment #22)
> Yes.  I advocated this a long time ago!
Indeed. I took comment #22 as a "yes, go ahead"! Yvan: I'm sure you can understand that it really does read like that.

If Persona is not currently in a state where this expansion can go ahead, I agree that we should WONTFIX this bug until that changes.

Gerv
Status: REOPENED → RESOLVED
Closed: 8 years ago6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.