[Feature flag] Enable blocking weak passwords
.com
FF status
Current - Dev: Enabled
- Staging: Enabled
- Prod: Enabled fully (see specific proposal for timeframe below)
Summary
This issue is to rollout blocking weak passwords on production,
that will be behind the default-disabled block_weak_passwords
feature flag when Blocks weak passwords on sign up or password ch... (!86310 - merged) is merged.
Prevent users from choosing weak passwords (#23610 - closed) provides an overview, but in short when block_weak_passwords
is enabled a user cannot register with a weak password nor can they change their password to a weak one. Same applies to admins creating/updating users via the API or rails console commands.
Weak is defined as:
- Matching, case-insensitive, one of statically defined set of 4500 weak passwords (
config/weak_passwords.yml
) - Containing, case-insensitive, a static set of forbidden words (!86310 (diffs))
-
Containing, case-insensitive, elements of the following which are
>= 4
characters long:- The user's name
- The user's username
- The user's email address
This feature flag SHOULD NOT be enabled until all the issues in "Is blocked by" below have been closed.
High level plan
- Enable the feature flag on .com
- Measure impact for
X time
- Ship a release which enables the feature flag for self-managed
- Add a release post notes on how to disable it, and our intention to remove the ability to disable it
- Will cause a "brown out", i.e. self-managed deployments that have automation creating users with weak passwords will start exploding
- Avoid a scenario like #340848 (comment 1085667027)
- Self-managed admins can toggle the feature flag off if needed
- Ship a release with the feature flag code removed
- TBC what release this is, and whether it needs to wait for %16.0.
- https://docs.gitlab.com/ee/development/deprecation_guidelines/
Owners
- Team: ~"group::authentication and authorization"
- Most appropriate slack channel to reach out to:
#g_manage_auth
- Best individual to reach out to: @nmalcolm
- PM: @hsutor
Stakeholders
- devopsgrowth as changes to signup flows may impact conversion
- AppSec
Expectations
What are we expecting to happen?
Users, or administrators creating & updating users, can no longer choose a weak password.
When is the feature viable?
When the "Is blocked by" issues below are resolved.
What might happen if this goes wrong?
It is easy and non-destructive to DISABLE the feature flag if needed.
-
User registration metrics may decrease
- Potential Prevention: identify how many new users currently choose weak passwords, to gauge impact
- Potential Prevention: warn users beforehand
- Potential Detection: implement metrics
- Potential Mitigation: inform stakeholders at GitLab
-
Automations which create users / bots and give them weak passwords will break
- Potential Prevention: The best bet here is comms, before and after rollout
- If there is a bug
- e.g. User registrations may be blocked, even those using social sign ons
- e.g. User updates may be blocked, even those where they aren't changing their password
- Potential Detection: monitor error rates
- Potential Remediation: Disabling the feature flag should resolve this until the bug is better understood
What can we monitor to detect problems with this?
Snowplow metrics: Add metrics to track impact of blocking weak pa... (#363535 - closed)
Visit https://app.periscopedata.com/app/gitlab/539181/Snowplow-Event-Exploration---last-30-days and filter for action = track_weak_password_error
or category = Gitlab::Tracking::Helpers::WeakPasswordErrorEvent
.
What can we check for monitoring production after rollouts?
As above
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set block_weak_passwords true --dev
-
/chatops run feature set block_weak_passwords true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.
Specific rollout on production
we can skip the
Specific rollout on production
because the feature flag does not have any actor.
Checklist
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
- If you're using project-actor, you must enable the feature on these entries:
-
/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com block_weak_passwords true
-
- If you're using group-actor, you must enable the feature on these entries:
-
/chatops run feature set --group=gitlab-org,gitlab-com block_weak_passwords true
-
- If you're using user-actor, you must enable the feature on these entries:
-
/chatops run feature set --user=<your-username> block_weak_passwords true
-
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.
Preparation before global rollout
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
-
Incrementally roll out the feature. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set block_weak_passwords <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set block_weak_passwords <rollout-percentage> --random
-
- Enable the feature globally on production environment.
-
/chatops run feature set block_weak_passwords true
-
- If the feature flag in code has an actor, perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Wait for at least one day for the verification term.
📆 🕙 ▶ Specific proposal ◀ 🕙 📆
-
2022-11-08T0200Z
(or earlier)@nmalcolm
post to#support_gitlab-com
to give 24hrs notice, linking to this issue. Also create a documentation MR about the FF state. -
2022-11-10T0130Z
@nmalcolm
enable 10% random rollout. Monitor SiSense. -
2022-11-10T1100Z
(ish)@ifarkas
or ~"group::authentication and authorization" enable 50% random rollout. Monitor SiSense. -
2022-11-11T0000Z
@nmalcolm
enable 100% production rollout. Monitor SiSense. Ask for the FF doc MR to be merged.- Docs MR was already merged
- Slack message: https://gitlab.slack.com/archives/C101F3796/p1668124977960969
(Optional) Release the feature with the feature flag
We won't be doing this step. See gitlab-com/www-gitlab-com!110858 (comment 1166106827)
Checklist
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled.-
/chatops run feature delete block_weak_passwords --dev
-
/chatops run feature delete block_weak_passwords --staging
-
/chatops run feature delete block_weak_passwords
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup block_weak_passwords
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove block_weak_passwords
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry. - Block weak passwords by default by removing the... (!103702 - merged)
-
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
- https://gitlab.slack.com/archives/C101F3796/p1669951297059539
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
If not already done, clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete block_weak_passwords --dev
-
/chatops run feature delete block_weak_passwords --staging
-
/chatops run feature delete block_weak_passwords
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set block_weak_passwords false
Customer Support
If a customer is experiencing the error message Password must not contain commonly used combinations of words and letters
, then they are attempting to choose a weak or breached password. We should encourage them to choose a unique password.
https://docs.gitlab.com/ee/user/profile/user_passwords.html#block-weak-passwords