
Create security model for torque-sites #62

Closed
frankduncan opened this issue Apr 23, 2020 · 3 comments
Comments

@frankduncan (Collaborator)

Right now each site is haphazardly doing secure things based on however that was configured at startup. This needs to be formalized and organized.

We need to create a list of groups that users must go into, and then disable permissions for the standard MediaWiki groups (user, bureaucrat, *, sysop, etc.). Then we need to enable some permissions for the groups we set up, and make sure that all users are getting assigned at least one of them. We may want to keep user around in order to get some base permissions in case someone is not assigned a group by the admins.

The groups we want to set up include things like DecisionMaker (such as donors), Admins (LFC Staff, OTS Staff), PseudoDecisionMaker (liaisons to donors), etc. See https://github.com/OpenTechStrategies/torque/wiki/Meeting-Notes#2020-03-17-frankkarl-discussion-re-eo-and-usergroup-permissions for more information.

Then these need to be placed in their own files instead of just hacked into LocalSettings by ansible, so that we get better source control on them. They should also be centralized a la #53

@kfogel (Member)

kfogel commented May 22, 2020

I believe the new "LFC Research Partner" group (see, e.g., commit 6859c64) will need to map to a top-level "Research Partners" access category, one not contemplated in our 2020-03-17 meeting.

(It's not so surprising that we wouldn't have thought of everything in the initial meeting. Probably there will be some other generic access groups that we need to add later too.)

kfogel added a commit that referenced this issue Aug 4, 2020
As promised in today's meeting with LFC, create a canonical place
where we will maintain documentation for the access groups.
@kfogel (Member)

kfogel commented Aug 4, 2020

PR #73 is related to this issue.

@frankduncan (Collaborator, Author)

Slight change to this issue: instead of disabling sysop/bureaucrat/interface-admin, we've made the decision to map incoming users to those groups directly. This is more future-proof than attempting to duplicate the permissions into a newly created group.
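The model sketched in the issue description (strip the stock MediaWiki groups of their rights, define the abstract groups, keep `user` as a read-only safety net, make sure every account lands in at least one group) together with the later decision to map staff straight onto the built-in `sysop`/`bureaucrat`/`interface-admin` groups can be written as one `$wgGroupPermissions` fragment. The following is an added example, not torque-sites' own configuration: a `permissions.php` that `LocalSettings.php` would `require_once`. The group names are the issue's (pluralized as issue #64 asks), the SAML attribute name `groups` and its values are constructed placeholders, and the `$wgSimpleSAMLphp_GroupMap` layout is assumed from the SimpleSAMLphp extension's documented format and should be checked against the installed extension version.

```php
<?php
// Added example (not the torque-sites repository's own code) of the
// permissions model discussed in issue #62. SAML attribute names/values
// are constructed placeholders; $wgSimpleSAMLphp_GroupMap layout is an
// assumption to verify against the installed SimpleSAMLphp extension.

// 1. Remove the rights the stock groups grant by default, so that being
//    anonymous or merely logged in confers nothing. 'user' keeps 'read'
//    only: the base permission the issue wants for accounts the admins
//    have not yet placed in any group.
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['upload']     = false;
$wgGroupPermissions['user']['read']       = true;

// 2. Declare the abstract groups and the rights each one actually needs.
//    Declaring them as data keeps the policy reviewable in source control
//    instead of scattered across ansible-templated LocalSettings lines.
$torqueGroups = [
    'DecisionMakers'       => ['read' => true],
    'PseudoDecisionMakers' => ['read' => true],
    'ResearchPartners'     => ['read' => true, 'edit' => true],
];
foreach ($torqueGroups as $group => $rights) {
    foreach ($rights as $right => $allowed) {
        $wgGroupPermissions[$group][$right] = $allowed;
    }
}

// 3. Least privilege for group management: sysops (who lack 'userrights'
//    by default) may only move users in and out of the abstract groups,
//    never grant sysop/bureaucrat/interface-admin. Bureaucrats keep full
//    'userrights' from MediaWiki's defaults.
$wgAddGroups['sysop']    = array_keys($torqueGroups);
$wgRemoveGroups['sysop'] = array_keys($torqueGroups);

// 4. Map incoming SAML groups onto MediaWiki groups. Staff map directly to
//    the built-in admin groups (the decision recorded in this issue);
//    everyone else lands in exactly one abstract group, so no authenticated
//    account is left with only the 'user' safety net unless the IdP sends
//    no recognised group value.
$wgSimpleSAMLphp_GroupMap = [
    'sysop'                => ['groups' => ['lfc-staff', 'ots-staff']],
    'bureaucrat'           => ['groups' => ['lfc-staff', 'ots-staff']],
    'interface-admin'      => ['groups' => ['ots-staff']],
    'DecisionMakers'       => ['groups' => ['donor']],
    'PseudoDecisionMakers' => ['groups' => ['donor-liaison']],
    'ResearchPartners'     => ['groups' => ['lfc-research-partner']],
];
```

Two checks worth running after deploying such a fragment: `Special:ListGroupRights` should show `*` and `user` with read-only (or empty) rights and each abstract group with exactly the rights listed above, and `Special:ListUsers` should show no active account whose only group is `user`; any that appear are the "not assigned a group by the admins" case the issue describes and should be triaged rather than silently granted more rights.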

frankduncan pushed a commit that referenced this issue Apr 7, 2021
Clean it up so things are a bit more declarative, as well as moving the
simpelsaml group config code over to the permissions, so that the
separation of concerns is a bit more straightforward.

Issue #62: Create security model for torque-sites
Issue #64: Pluralize the names of the abstract user groups

2 participants