[Feature flag] Enable `strict_ip_enforcement`
Issues Involved | |
---|---|
Main | https://gitlab.com/gitlab-org/gitlab/-/issues/364075+s |
Secondary | https://gitlab.com/gitlab-org/gitlab/-/issues/363745+s |
Summary
This issue is to rollout the feature https://gitlab.com/gitlab-org/gitlab/-/issues/364075 on production,
that is currently behind the strict_ip_enforcement
feature flag.
Owners
- Team: ~"group::authentication and authorization" for most general concerns, or @drew for specific ones.
- Most appropriate slack channel to reach out to:
#g_manage_auth
- Best individual to reach out to: @drew, who wrote this, but is not part of ~"group::authentication and authorization"
- PM: ?
Expectations
What are we expecting to happen?
We're expecting no noticable changes from out customers. The specific vulnerabilities that we'd discovered have been previously closed in past security issues, and this is a follow-up to define our permissions more completely to prevent new gaps from appearing.
When is the feature viable?
15.10
- Deliver change with feature flag defaulted to off (this MR, done), test new restrictions on SaaS
15.11
- Get all the testing done on SaaS and get confidence in the change
- Enable feature flag by default !112756 (merged)
- At this point the change will be considered viable and enabled for all customers, SaaS and Self-Managed, by default.
- A full release with the better permissions coming with an opt out for anyone having transition trouble. Being as gentle as possible here.
16.00
- 16.0: Pull the feature flag and old permissions. At this point, the new way is the only way and it's a hard breaking change.
What might happen if this goes wrong?
It's possible that customers could be using permissions gaps as features. For instance, there might be a bot that doesn't send requests from an address on the IP allowlist but a team relies on it for kicking off CI at specific times.
This example is from a past vulnerability that's been closed, but is an example of how a permission gap might be used as a "feature"
What can we monitor to detect problems with this?
@drew will be announcing this change in Slack and working with SaaS support to validate the new permission set. We expect problems to surface in either our own testing or support issues.
We do not have automatic logging that would track response codes that might be different under the older IP-restriction permissions. However we can look at overall breakdowns of response codes and try to notice any significant change in the proportion of allowed and disallowed requests. If we can restrict the sample to requests from projects known to use IP restriction, any accidental effects should be more pronounced.
What can we check for monitoring production after rollouts?
If we set up a Kibana chart to monitor the response code proportion described above, I will link to it here.
Rollout Steps
Steps specific to this change!
From @drew:
A good way to validate this would be:
- teleport into a Rails console session for a group on staging.
- Pick some permission that's not explicitly prevented in the old permissions list.
- Execute
Ability.can?(some_user, :some_action, project)
or whatever, and see that it returns true.:create_pipeline
is a good candidate action for this, since it was detailed here. If not that, some other action that could beprevent
ed but isn't. - Enable the
:strict_ip_enforcement
feature flag - Start a new console session (to avoid a cached-ability thing) and try again. See that it returns false.
- Enable for all of staging, and stare at it for awhile to make sure nothing terrible happens. People can still use an IP restricted group from an allowed IP address. #support_gitlab-com can probably help out with this if there are questions.
- Repeat steps 1-6 on production.
- Enable the feature flag by default in %15.11: Enable strict ip enforcement by default (!112756 - merged)
Record all of these steps, as they are completed, in Enable strict ip enforcement by default (!112756 - merged)
Note: Please make sure to run the chatops commands in the slack channel that gets impacted by the command.
Rollout on non-production environments
-
Verify the MR with the feature flag is merged to master. - Verify that the feature MRs have been deployed to non-production environments with:
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set <feature-flag-name> true --dev --staging --staging-ref
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.
Specific rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
- Depending on the type of actor you are using, pick one of these options:
- If you're using project-actor, you must enable the feature on these entries:
-
/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com <feature-flag-name> true
-
- If you're using group-actor, you must enable the feature on these entries:
-
/chatops run feature set --group=gitlab-org,gitlab-com <feature-flag-name> true
-
- If you're using user-actor, you must enable the feature on these entries:
-
/chatops run feature set --user=<your-username> <feature-flag-name> true
-
- If you're using project-actor, you must enable the feature on these entries:
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.
Preparation before global rollout
-
Set a milestone to the rollout issue to signal for enabling and removing the feature flag when it is stable. -
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Leave a comment on [the feature issue][main-issue] announcing estimated time when this feature flag will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs). -
Ensure that the feature flag rollout plan is reviewed by another developer familiar with the domain.
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
-
Incrementally roll out the feature. -
Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --random
-
- Enable the feature globally on production environment.
-
/chatops run feature set <feature-flag-name> true
-
-
-
Observe appropriate graphs on https://dashboards.gitlab.net and verify that services are not affected. -
Leave a comment on [the feature issue][main-issue] announcing that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Review what warrants a changelog entry and decide if a changelog entry is needed.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled.-
/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production
-
-
Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup <feature-flag-name>
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove <feature-flag-name>
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set <feature-flag-name> false