Establish policy for providing console R/W access to Support Team
With Teleport, the need for access to the Rails console has diminished. There are still cases where the Support team requires this access, but it is limited in terms of how often and who within their team executes these sorts of requests. This is being discussed in another issue here: gitlab-com/support/support-team-meta#4271 (closed)
For this issue, we need to establish a policy by which we provide this access to as small a number of folks as possible. Additionally, we need to establish a procedure for auditing the list of those who have access on some sort of regular basis. To start, we should do some research to understand the usage and Support's needs.
Tasks
- Understand compliance requirements around write access
- Establish a list of Support users who currently have write access to production
- Gain insight into how often the access is used
- Gain insight into what the access is used for to establish if there are any patterns (common operations that we can build tools for).
- Gain insight into what auditing currently exists for when Support accesses production.
- Understand what training Support might have for working in production compared to the training our SREs have.
- Propose a new access process. Options include:
  - Teleport (Adds auditing, session recording, documentation since we require an issue with each request)
  - Revoking access and moving to CRs
  - Building tools for common operations (such as deleting a certain type of "stuck" record from the DB).
- Edit the tech stack to make it clear that Teleport is not used to gain write access to the console.