15.2 Planning for Manage::Authentication and Authorization


Internal Milestone %15.2 Review & Discussion 🚀

Milestone: 2022-06-18 to 2022-07-17

Capacity

Please order by From date

| Team | Weight |
|---|---|
| frontend | 5 |
| backend | 18 |

Objectives & Themes

  1. Security issues past SLO, in priority order.

  2. Roadmap Items:

    • Custom Roles and Permissions - Next Step (Determined after Technical Discovery is complete)
    • Domain Verification using domains already verified in Pages to manually claim Enterprise Users
  3. Corrective Action Follow-up

  4. SUS::Impacting items (tied to OKR-FY24Q2)

  5. High priority bugs

  6. Pajamas Migration

Security Issue Summary

This puts us behind our initial estimate of 2 per milestone (month)

Themes

  • 🏎 Performance
  • 🔒 Security
  • 💼 GitLab.com Enterprise Readiness
  • 🔽 Workspace Settings Inheritance
  • 😍 Usability
  • 📈 Customer Requests
  • 🛠 Engineering Allocation
  • 🏃🏾‍♀️ Rapid Action
  • 🏆 OKR
  • 👋 Deprecation/Removal
  • 🐛 Bug
  • 💡 Keeps the lights on

15.2 Issues

| Title | Weight | Theme | Assignee | Priority | Notes |
|---|---|---|---|---|---|
| Disable OAuth access token reuse feature (gitlab-org/gitlab#363525 - closed) | 1 | | @ifarkas | high | severity::1 Deliverable |
| Introduce new PBKDF2 SHA512 devise encryptor (gitlab-org/gitlab#360658 - closed) | 3 | 🔒 | @dblessing | high | FIPS, slipped from 15.1 Deliverable |
| Hash/Encrypt OAuth tokens (gitlab-org/gitlab#364110 - closed) | 3 | 🔒 | @dblessing | high | Security, new, P2/S2 Deliverable |
| Enforced group MFA can be bypassed with OAuth t... (gitlab-org/gitlab#355028 - closed) | 3 | 🔒 | @bdenkovych | high | Security, new(er), P3/S3, past-due SLO Deliverable |
| Maintainer can change the visibility of Project... (gitlab-org/gitlab#359910 - closed) | 2 | 🔒 | @bdenkovych | high | security P3/S3, SLO June 26 Deliverable |
| Create a gem to support Microsoft Graph API ema... (gitlab-org/gitlab#365523 - closed) | 5 | 💡 | | high | Needs to be done before Microsoft stops supporting plain SMTP; needs to be split into subtasks |
| Introduce new models for customizable roles (gitlab-org/gitlab#364128 - closed) | timebox capacity | 💼 | @ifarkas | high | Next step for Customizable Roles and Permissions Deliverable |
| SAML Linking Experience (gitlab-org/gitlab#271631 - closed) | 2 | 😍 | @eduardosanz | medium | Deliverable SUS::Impacting, workflow::in review |
| Invite new user and sign in via SSO returns 404... (gitlab-org/gitlab#351441 - closed) | 2 | 🐛 | | medium | priority::2 severity::2 bug, slipped from 15.1 Deliverable |
| Expose SCIM identity in Admin GUI (gitlab-org/gitlab#294608 - closed) | 2 | 😍 | @eduardosanz | medium | Deliverable frontend, workflow::in dev |
| Add setting to Disable Resource Owner Password ... (gitlab-org/gitlab#323615 - closed) | 3 | 💡 | | medium | Needs to be deprecated early in 15.x and removed in %16.0 |
| Popover info showing for blocked users (gitlab-org/gitlab#356432 - closed) | | 🐛 | | medium | P2/S2 missed SLO bug frontend Deliverable |
| Minimal Access role missing from Invite Members... (gitlab-org/gitlab#356357 - closed) | 2 | 🐛 | | medium | frontend |
| External users are initially invited to create ... (gitlab-org/gitlab#334121 - closed) | 1 | 😍 | @eduardosanz | low | Deliverable SUS::Impacting |
| admins get misleading error message while creat... (gitlab-org/gitlab#34411 - closed) | 2 | 🐛 | @eduardosanz | low | NO SUS::Impacting |
| Notification email contains wrong email address... (gitlab-org/gitlab#361370 - closed) | | 🐛 | | low | low hanging fruit |
| Cleanup for Group Managed accounts post-EoL (gitlab-org/gitlab#296544 - closed) | | 👋 | | low | type::maintenance |
| Add offset-based pagination to list personal/gr... (gitlab-org/gitlab#364543 - closed) | | 😍 | | low | good start for a new joiner |
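For readers unfamiliar with what the FIPS item (gitlab-org/gitlab#360658) entails: bcrypt, Devise's default, is not a FIPS 140 approved algorithm, whereas PBKDF2 with an HMAC-SHA-2 PRF is (NIST SP 800-132), so a FIPS-mode instance needs a different password encryptor. The Ruby below is an added example written for this page, not the encryptor GitLab shipped: it shows the shape Devise expects of a custom encryptor (class-level `digest` and `compare`), hashing with PBKDF2-HMAC-SHA512 via OpenSSL, and the two checks a practitioner wants to see (malformed or legacy bcrypt strings compare as false instead of raising; comparison is constant-time). The `$pbkdf2-sha512$<stretches>$<salt>$<checksum>` layout, the module name and the 20,000-iteration default are assumptions for illustration only.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example, not GitLab's own encryptor: a Devise-style custom
# encryptor (class methods `digest` and `compare`) that hashes passwords
# with PBKDF2-HMAC-SHA512, which a FIPS 140 validated OpenSSL can run,
# unlike bcrypt. The "$pbkdf2-sha512$<stretches>$<salt>$<checksum>"
# layout and the 20,000 default are assumptions for illustration.
module Pbkdf2Sha512Encryptor
  STRETCHES  = 20_000 # assumed default; raise it as hardware allows
  SALT_BYTES = 16
  KEY_LENGTH = 64     # full SHA-512 output, so the PRF is not truncated

  # Returns the encoded hash for +password+. A fresh random salt is drawn
  # unless one is passed (tests pass a fixed salt for determinism).
  def self.digest(password, stretches: STRETCHES, salt: SecureRandom.random_bytes(SALT_BYTES))
    raise ArgumentError, 'stretches must be positive' unless stretches.positive?
    raise ArgumentError, 'salt too short' if salt.bytesize < SALT_BYTES

    checksum = pbkdf2(password, salt, stretches)
    "$pbkdf2-sha512$#{stretches}$#{Base64.strict_encode64(salt)}$#{Base64.strict_encode64(checksum)}"
  end

  # Parses an encoded hash; raises ArgumentError on anything that is not
  # in the expected format (for example a legacy bcrypt "$2a$..." string).
  def self.split_digest(encoded)
    parts = encoded.to_s.split('$', -1)
    unless parts.length == 5 && parts[0].empty? && parts[1] == 'pbkdf2-sha512'
      raise ArgumentError, 'not a pbkdf2-sha512 hash'
    end

    {
      stretches: Integer(parts[2], 10),
      salt: Base64.strict_decode64(parts[3]),
      checksum: Base64.strict_decode64(parts[4])
    }
  end

  # Devise calls compare(encoded, plaintext). It returns true/false and
  # never raises, so a malformed stored hash simply reads as "no match".
  def self.compare(encoded, password)
    parsed = split_digest(encoded)
    candidate = pbkdf2(password, parsed[:salt], parsed[:stretches])
    secure_compare(candidate, parsed[:checksum])
  rescue ArgumentError
    false
  end

  def self.pbkdf2(password, salt, stretches)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: stretches,
                                       length: KEY_LENGTH, hash: 'sha512')
  end

  # Constant-time comparison so timing does not reveal matching prefixes.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

In a Devise app this would be wired up with `config.encryptor = :pbkdf2_sha512_encryptor` (name assumed) after registering the module with `Devise::Encryptable::Encryptors`; the stretches value stored inside each hash is what lets old hashes keep verifying after the default is raised.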

Known Community Contributions

Keep capacity for review.

  1. gitlab-org/gitlab!86310 (merged) - workflow::blocked, needs some backend help. Pick up if capacity allows.

Release Post Items

| Status | Issue | Release Post MR |
|---|---|---|
| didn't make RP cutoff, will merge in %15.3 | | link |
| feature pushed to %15.3 | Expose SCIM identity in Admin GUI (gitlab-org/gitlab#294608 - closed) | link |
| merged | Add admin option to remove 2FA on /users API en... (gitlab-org/gitlab#295260 - closed) | link |
| merged | SAML should fall back to Default role if not in... (gitlab-org/gitlab#351955 - closed) | link |
Edited by Hannah Sutor