Add support for git access control via SSH certificates on the top-level group
Problem to solve
On GitLab.com, customers obtain their own top-level group (later: organization). Unlike on self-managed instances, they have to manage organization-wide settings at this level.
Currently, the Git access control options offered on SaaS (SSH, HTTPS) rely on credentials (access tokens, SSH keys) set up in the user profile. Because the user profile is outside the organization's control, a customer has no way to verify that a key is kept confidential or that its expiry date meets policy. There is also very little a customer can do for damage control if keys leak, and a customer cannot enforce MFA on Git access flows.
Customers may have processes in place where developers, after authenticating with MFA, request a temporary SSH certificate each day that gives them access to internal systems. To enable the same way of working on SaaS, we would need a way to register the public key of the customer's SSH CA (the CA key that signs those certificates) with GitLab.com for the purpose of Git access control.
Proposal
This spike aims to address
- the first two bullets of this plan, i.e.
- Prototype how difficult it would be to deal with the authorization questions above. Maybe, for a given certificate, we can restrict access to projects in a specific top-level namespace and check whether the user has access to the project in question within that namespace.
- Document/design the authorization flow with top-level SSH certificates.
- creates issues for addressing the epic,
- estimates these, and
- considers which group should address them (probably most of the work is for ~"group::source code", but some of the work, including UX design, can probably be done by ~"group::authentication and authorization" as suggested here.)
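As an added example (not code from this issue, from GitLab's code base, or from any customer process), the following Go program sketches the authorization flow the prototype bullet asks about, together with the temporary-certificate process from the problem statement: the customer's CA issues a short-lived certificate for a developer's username (the MFA step in the customer's process is assumed to have happened before issuance), and the GitLab side accepts it only if the CA is registered on the project's top-level group, the signature verifies, the validity window holds, and the principal is a project member whose role covers the requested git operation. The certificate structure and its encoding, the CA-per-group registry, the principal-equals-username rule, the role thresholds and all names (acme, alice, bob) are assumptions of this sketch, not GitLab's design; a real implementation would verify the actual OpenSSH certificate blob in the SSH daemon and would need its own rule for mapping principals to GitLab users.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Certificate is a simplified model of an OpenSSH user certificate, reduced to what the access
// decision needs (assumption for this sketch; OpenSSH certificates also allow several principals).
type Certificate struct {
	Principal               string            // identity the cert speaks for; assumed to be a GitLab username
	ValidAfter, ValidBefore time.Time         // window chosen by the customer's issuing process
	CAKey                   ed25519.PublicKey // public key of the CA that signed the certificate
	Signature               []byte
}

// tbs returns the to-be-signed bytes: every field except the signature. OpenSSH uses a
// length-prefixed wire encoding here; %q keeps this sketch's simpler encoding unambiguous.
func (c Certificate) tbs() []byte {
	return []byte(fmt.Sprintf("%q %d %d %x", c.Principal, c.ValidAfter.Unix(), c.ValidBefore.Unix(), c.CAKey))
}

// Issue models the customer's side: after the developer passes MFA (not modelled here), the customer's
// CA signs a certificate for their username that lives only for ttl. GitLab takes no part in this step.
func Issue(caPriv ed25519.PrivateKey, username string, now time.Time, ttl time.Duration) Certificate {
	c := Certificate{Principal: username, ValidAfter: now, ValidBefore: now.Add(ttl),
		CAKey: caPriv.Public().(ed25519.PublicKey)}
	c.Signature = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Project records its top-level namespace and each member's role (username -> role).
type Project struct {
	Path, TopLevel string
	Members        map[string]string
}

// Minimum role assumed for each git operation, and the ordering used to compare roles.
var required = map[string]int{"git-upload-pack": 1, "git-receive-pack": 2}
var rank = map[string]int{"guest": 0, "reporter": 1, "developer": 2, "maintainer": 3, "owner": 4}

// Authorize is the GitLab-side decision for one git operation against one project. groupCAs maps each
// top-level group to the CA public keys registered on it; the result is the resolved username or the check that failed.
func Authorize(c Certificate, op string, proj Project, groupCAs map[string][]ed25519.PublicKey, now time.Time) (string, error) {
	// 1. The CA must be registered on the project's own top-level group; another customer's CA grants nothing here.
	trusted := false
	for _, k := range groupCAs[proj.TopLevel] {
		trusted = trusted || bytes.Equal(k, c.CAKey)
	}
	if !trusted {
		return "", fmt.Errorf("CA not registered on top-level group %q", proj.TopLevel)
	}
	// 2. The certificate body must carry that CA's signature.
	if !ed25519.Verify(c.CAKey, c.tbs(), c.Signature) {
		return "", errors.New("bad CA signature")
	}
	// 3. Expiry is enforced from the certificate, not from a key the user manages.
	if now.Before(c.ValidAfter) || !now.Before(c.ValidBefore) {
		return "", errors.New("certificate outside its validity window")
	}
	// 4. The principal must be a member whose role covers the operation: the cert replaces the key, not membership.
	role, member := proj.Members[c.Principal]
	if need := required[op]; need == 0 || !member || rank[role] < need {
		return "", fmt.Errorf("user %q may not run %s on %s", c.Principal, op, proj.Path)
	}
	return c.Principal, nil
}

// Scenario sets up two tenants (constructed data) and returns the outcome of five access attempts.
func Scenario() map[string]string {
	now := time.Date(2023, 6, 1, 9, 0, 0, 0, time.UTC)
	acmePub, acmePriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	groupCAs := map[string][]ed25519.PublicKey{"acme": {acmePub}, "other": {otherPub}}
	proj := Project{"acme/backend", "acme", map[string]string{"alice": "developer", "bob": "reporter"}}
	out := map[string]string{}
	try := func(name string, c Certificate, op string, at time.Time) {
		if u, err := Authorize(c, op, proj, groupCAs, at); err != nil {
			out[name] = "denied: " + err.Error()
		} else {
			out[name] = "allowed as " + u
		}
	}
	alice, bob := Issue(acmePriv, "alice", now, 8*time.Hour), Issue(acmePriv, "bob", now, 8*time.Hour)
	try("push", alice, "git-receive-pack", now.Add(time.Hour))
	try("expired", alice, "git-receive-pack", now.Add(9*time.Hour))
	try("reporter-push", bob, "git-receive-pack", now)
	bob.Principal = "alice" // bob rewrites the principal without holding the CA key
	try("tampered", bob, "git-receive-pack", now)
	try("cross-tenant", Issue(otherPriv, "alice", now, 8*time.Hour), "git-upload-pack", now)
	return out
}

func main() { fmt.Println(Scenario()) }
```

The order of the checks is the design point: the CA-to-namespace binding is evaluated before any signature or membership lookup, so a certificate issued by another customer's CA is rejected without ever touching the project's members, and a certificate whose principal was rewritten fails the signature check even though the CA itself is trusted. Only a certificate that passes both still has to satisfy the ordinary membership and role check, which is what keeps the feature an authentication replacement rather than an authorization bypass.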
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.