[Feature flag] Rollout of `increase_password_storage_stretches`
Summary
This issue is to roll out the feature on production, that is currently behind the increase_password_storage_stretches
feature flag.
Owners
- Most appropriate Slack channel to reach out to:
#security-datasec
or#g_sscs_authentication
- Best individual to reach out to: @boconnor
Expectations
What are we expecting to happen?
As non-Okta users log into GitLab, their stored password hashes should be upgraded; this would be visible in the database encrypted_password
field by switching the preamble from $2a$10$
to $2a$13$
.
Note that this is not an actor-based feature flag; rollout is all or nothing. (Discussion is in the MR as to why we went this way.) Turning the flag off doesn't roll back the password rehash for users who have been rehashed while it was enabled, but this is expected.
What can go wrong and how would we detect it?
Increasing the work factor from 10 to 13 will take more CPU time for each login (which is intended, and is what provides the security benefit of the work). If this is starting to go wrong, the most likely indicator will be steadily rising CPU loads (eventually leading to other load-dependent things going wrong, e.g., error rate).
Gitlab Gprd is likely to be the most relevant dashboard.
Rollout Steps
Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.
Rollout on non-production environments
Merge commit of the feature: da12da26
-
Verify the MR with the feature flag is merged to
master
and has been deployed to non-production environments with/chatops run auto_deploy status <merge-commit-of-your-feature>
-
Enable the feature globally on non-production environments with
/chatops run feature set increase_password_storage_stretches true --dev --pre --staging --staging-ref
-
Verify that the feature works as expected. The best environment to validate the feature in is
staging-canary
as this is the first environment deployed to. Make sure you are configured to use canary.- Resolve the issue in #511397 (comment 2354650952)
-
If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.
- See
#e2e-run-staging
Slack channel and look for the following messages:- test kicked off:
Feature flag increase_password_storage_stretches has been set to true on **gstg**
- test result:
This pipeline was triggered due to toggling of increase_password_storage_stretches feature flag
- test kicked off:
- See
For assistance with end-to-end test failures, please reach out via the #test-platform
Slack channel. Note that end-to-end test failures on staging-ref
don't block deployments.
Specific rollout on production
For visibility, all /chatops
commands that target production must be executed in the #production
Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.
-
Ensure that the feature MRs have been deployed to both production and canary with
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
Depending on the type of actor you are using, pick one of these options:
For project-actor:/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com increase_password_storage_stretches true
For group-actor:/chatops run feature set --group=gitlab-org,gitlab-com increase_password_storage_stretches true
For user-actor:/chatops run feature set --user=boconnor increase_password_storage_stretches true
For all internal users:/chatops run feature set --feature-group=gitlab_team_members increase_password_storage_stretches true
-
This is not an actor-based feature flag, so the command is likely
-
-
/chatops run feature set increase_password_storage_stretches true
-
-
-
Verify that the feature works
for the specific actors.
Preparation before global rollout
- Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable.
- Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. N/A
-
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the
@sre-oncall
Slack alias. - Ensure that documentation exists for the feature, and the version history text has been updated.
- Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. N/A, not a breaking change
-
Notify the
#support_gitlab-com
Slack channel and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all /chatops
commands that target production must be executed in the #production
Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.
-
Incrementally roll out the feature on production.
- Example:
/chatops run feature set increase_password_storage_stretches <rollout-percentage> --actors
. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
- Example:
- After the feature has been 100% enabled, wait for at least one day before releasing the feature.
(Optional) Release the feature with the feature flag
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
See instructions if you're sure about enabling the feature globally through the feature flag definition
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes.
-
If feature was enabled for various actors, ensure the feature has been enabled globally on production
/chatops run feature get increase_password_storage_stretches
. If the feature has not been globally enabled then enable the feature globally using:/chatops run feature set increase_password_storage_stretches true
-
Set the
default_enabled
attribute in the feature flag definition totrue
. - Decide which changelog entry is needed.
-
If feature was enabled for various actors, ensure the feature has been enabled globally on production
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post:
/chatops run release check <merge-request-url> 17.8
-
After the default-enabling MR has been deployed, clean up the feature flag from all environments by running these chatops command in the
#production
channel:/chatops run feature delete increase_password_storage_stretches --dev --pre --staging --staging-ref --production
- Close [the feature issue][#222481\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] to indicate the feature will be released in the current milestone.
- Set the next milestone to this rollout issue for scheduling the flag removal.
-
(Optional) You can create a separate issue for scheduling the steps below to Release the feature.
-
Set the title to "[Feature flag] Cleanup
increase_password_storage_stretches
". -
Execute the
/copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. - Link this rollout issue as a related issue.
- Close this rollout issue.
-
Set the title to "[Feature flag] Cleanup
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove the
increase_password_storage_stretches
feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:- Remove all references to the feature flag from the codebase.
- Remove the YAML definitions for the feature from the repository.
-
Remove the monkeypatching of the Stretches config from the
encrypted_user_password
concern, and ensure that Stretches are set correctly in8_devise
. See !177154 (comment 2337758429) .- Actually, leave the monkeypatching even as we set it correctly in the initializer; see !177154 (comment 2345022679) .
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post:
/chatops run release check <merge-request-url> 17.8
- Close [the feature issue][#222481\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] to indicate the feature will be released in the current milestone.
-
Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running these chatops command in
#production
channel:/chatops run feature delete increase_password_storage_stretches --dev --pre --staging --staging-ref --production
- Close this rollout issue.
Rollback Steps
- This feature can be disabled on production by running the following Chatops command:
/chatops run feature set increase_password_storage_stretches false
- Disable the feature flag on non-production environments:
/chatops run feature set increase_password_storage_stretches false --dev --pre --staging --staging-ref
- Delete feature flag from all environments:
/chatops run feature delete increase_password_storage_stretches --dev --pre --staging --staging-ref --production