Re-Evaluate Okta ASA for rails console access and auditing

Summary

Integrates with Okta and allows us to manage access using Okta groups
Issues short lived certificates with expirations, signed by the server

sequenceDiagram
  participant Client
  participant Okta ASA
  participant SSHD
  participant Server

  Client->>Okta ASA: Request creds

  opt Refresh 2FA
    Okta ASA->>Client: Request 2FA
    Client->>Okta ASA: Open browser, perform 2FA
  end

  Okta ASA->>Client: Temporary creds
  Client->> SSHD: Login with temporary creds
  SSHD ->> SSHD: validate creds against CA public key
  SSHD ->> Client: Accept connection, setup session
  Server->>Okta ASA: Send activity log

Highlights

Group based sudo restrictions
Similar architecture and workflow to Teleport
"Just works" with knife and scp

Lowlights

Audit logs include only authentication activity
SSH Agent forwarding does not work
Relies on Okta always being up
User mapping is one to one
No nested groups. Everything individual
Hosts can't be a member of multiple groups
No shared sessions
No approval workflows in slack

Criteria

We will use the criteria established here: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11729

Infra group or security group can approve access without much friction
Full session audit record with session playback
Time based access - No developer entitlements by role
No Chef data bags

Edited Dec 05, 2020 by Devin Sylva