API to manage group memberships

The Rust Team uses a git repository to define all our subteams and the permissions each user/team has. We then have cronjobs synchronizing the information in that team with most of our services requiring authentication (GitHub Teams, bots, code reviews…).

The Rust Infrastructure Team might need to manage some groups on Mozillians/people.mozilla.org in the future, and it would be nice to have an API to automatically synchronize them with the contents of that git repository.

The only API we’d need is some way to synchronize the group membership with GitHub IDs/usernames. We’re fine with either a single API call to override the full members list, or an API to get the current members and an API to add/delete single members (with the synchronization code on our client).

Is this something that could be implemented?
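As an added illustration (not code from the Rust infrastructure team or from Mozilla IAM), the client-side synchronization the post sketches, "get the current members, then add/delete single members", comes down to a reconciliation loop. The snippet below, with a stand-in `FakeGroupAPI` whose `list_members`/`add_member`/`remove_member` methods are assumed for illustration, computes the additions and removals from a desired list, normalizes username case (GitHub usernames are case-insensitive), and refuses to run when the desired list is empty or the number of removals exceeds a cap, the two classic ways a sync job silently empties a group:

```python
"""Reconcile a group's members against a desired list kept in a git repo.

Added example: the API object is a constructed stand-in, not a real service client.
"""
from dataclasses import dataclass, field


@dataclass
class FakeGroupAPI:
    """Hypothetical in-memory substitute for a list/add/remove membership API."""
    members: set = field(default_factory=set)
    log: list = field(default_factory=list)  # records every mutating call

    def list_members(self):
        return set(self.members)

    def add_member(self, user):
        self.members.add(user)
        self.log.append(("add", user))

    def remove_member(self, user):
        self.members.discard(user)
        self.log.append(("remove", user))


def plan_sync(desired, current):
    """Return (to_add, to_remove), comparing usernames case-insensitively."""
    desired_n = {u.lower() for u in desired}
    current_n = {u.lower() for u in current}
    return sorted(desired_n - current_n), sorted(current_n - desired_n)


def sync_group(api, desired, max_removals=None, dry_run=False):
    """Apply the plan to `api`; raise instead of wiping the group on bad input."""
    if not desired:
        # An empty desired list usually means the source file failed to parse,
        # not that every member should be removed.
        raise ValueError("refusing to sync an empty desired member list")
    to_add, to_remove = plan_sync(desired, api.list_members())
    if max_removals is not None and len(to_remove) > max_removals:
        raise RuntimeError(f"{len(to_remove)} removals exceed cap of {max_removals}")
    if not dry_run:
        for user in to_add:
            api.add_member(user)
        for user in to_remove:
            api.remove_member(user)
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample data: the service currently knows three members,
    # the git repository says the group should be Alice and dave.
    api = FakeGroupAPI(members={"alice", "bob", "carol"})
    print(sync_group(api, ["Alice", "dave"], dry_run=True))
    print(sync_group(api, ["Alice", "dave"]))
    print(api.members, api.log)
```

Running it in dry-run mode first shows the plan (`['dave']` to add, `['bob', 'carol']` to remove) without touching the service; the cap lets a cron job abort and page someone rather than mass-remove members when the repo contents change unexpectedly.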

Hi Pietro!

The way the system works, the group system is the source of truth for access information. This means GitHub cannot be the source of truth (there cannot be 2 sources of truth for the same information).

In other words, this means the IAM/CIS API would sync to GitHub rather than the opposite in the current model.

Note: I understand that this is not necessarily what you were looking for - there could be other alternatives where GitHub publishes users' organizations or teams as attributes that can be used to create groups, but not directly driving the groups. That said, it can get very complicated from a UX standpoint.

So, the main reason I was interested in this was the effort to add SSO with Mozilla IAM to the AWS accounts owned by Mozilla, including Rust's. As far as I know, if we enroll our account in it we'd have to manage permissions through Mozillians/p.m.o, but I see little reason to add SSO if the permissions are not fetched from Rust's git repo.