Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Release Group / 16 Sep 2021
GitLab / Release Group / 16 Sep 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Group-level Protected Environments | Segregation of Duties

Description

This video explains the Group-level Protected Environments feature that will be released in GitLab 14.3.

See the documentation for more information. https://docs.gitlab.com/ee/ci/environments/protected_environments.html#group-level-protected-environments

00:00 Intro
00:52 Admin | Preparation
03:49 Developer | Create a new project and pipeline
06:44 Admin | Set up Group-level Protected Environments
08:57 Admin | Reporter setup
10:23 Operator | Execute a production deployment

A

Hi everyone- and this is shinya- a senior backend engineer from release group today. I would like to talk about this group level protected environment feature which will be released in 40.3.

A

um So simply this feature is about segregation of duties between operators and the developers. So, typically in large organizations, they want developers to only write code and they they shouldn't touch production environments, whereas operators they shouldn't, touch code base, but they have an access to the production environments and the managing infrastructure.

A

So basically, this feature helps this authorization scheme in enterprise organization. So um let's get started the quick demonstration so at first we're going to create a new group. It's called demo orgy.

A

Okay, um so I just created a demo rg. This is a root group um that typically represents a company name or an organization name, and then we're going to create the two groups. One is a developer group and then the other one is operator group. So I click a new subgroup, create a group developer group like.

A

Okay, the other one is um operator group public credit group. Okay. So we now see these two groups under the root group and we're going to add uh users to each group. uh We need to assign developers to developer group and the operator still operator group, so I'm gonna go into the operator group and then members.

A

So.

A

I already created a user.

A

Okay, got it and the assign is maintainer and invite.

A

Now I, as an organizational administrator, assign this user kumiko takashi, who is an operator raw operator role to this operator group and then we're going to similar thing to and develop, develop a group as well go into members.

A

And then.

A

By the demo user, um this takashista is a developer in this world uh developer, developer role in this demonstration, then I just assigned to developer group as a maintainer. So, let's, um let's talk about a hypothetical situation that the one of the developers is going to create a new project and a developer group and then create a ci cd pipeline that deploys to production environment. So I'm going to switch my user account.

A

Okay, now I'm signed in as a developer.

A

Please uh keep in mind that I'm not administrator, I'm just pretending as a developer and then as a developer, I'm going to create a new project, and that is the developer group, create a brown project. Let's say all sum up in public.

A

Okay and then we're going to set up.

A

The pipeline say ccd pipeline, so in this demo I'm going to clear.

A

This one up, I'm going to create the two jobs in this pipeline. One is review job stage, test environments.

A

Let's see left slack, so this job means um the review job is going to deploy um the application to a demonstration server.

A

It's also called review app, it's not production and then we're going to create a similar job, but it's going to deploy to production, server um and then production, and then we set production since we don't want to um do continuous, uh continuous deployment, but we do continuous daily value, which means the manual process to deploy.

A

uh We're gonna. Add this web manual keyword. This means that pipeline drop won't be executed automatically, but the users have to click it play button. So I'm gonna commit this change.

A

Okay, okay, so um as I as a developer, I just created a new pipeline um which has a test java and a deploy drop and then looking at this deploy drop.

A

Actually, I can trigger this manual action to regard this production deployment. So this is a problematic in larger enterprise organization, because um they're they basically want developers not to touch production environment at all, but um as a developer.

A

I can do this right now, so um this is a problem uh to solve and then uh group level protected environments can solve this situation. So what we're going to do is basically.

A

Create a new configuration at this root variable that only uh like all production environments uh under this group can be deployed by people in operator group. So to do so, we have to execute uh this um api to create an entry, and this is a like. I create a new rule at this root level that what I just said, so um I'm we're going to execute this call we're going to create a new entry that the request was successful.

A

We said, let's switch back to the developer,.

A

Let's see the pipelines now, um as I sign in as a developer, impersonate developer um checking the deployment drop. Now the play button is gone. um I cannot trigger this job.

A

So that's uh the point of this feature that um now, uh since we created a rule that only production deployment jobs can be deployed can be executed by operator group.

A

I cannot do this as a developer, let's sign in as the operator and then what they're going to see. Okay, so um I just signed in as operator um I impersonate operator in right now.

A

um So um as an operator I want to deploy, I want to execute the production uh deployment job, so I'm going to pipeline page and then clicking the production job, but still um it's not executable, even I'm operator. So there's a there's. An additional configuration is needed that, in order to execute a pipeline job in this project in this developer project, um this operator uh has to at least be a reporter role or above to do so. We are going to.

A

This developer group and then subjection from members. So what are we going to do is basically add operator people into debug book loop as reporter so operator. Operators do not have a permission to write code under developer group, but they only can audit pipeline jobs and then execute deployment jobs to the production.

A

So to do so, we're going to visit the developer group group members, invite group and then operator group.

A

Demo and then reporter invite okay. Now uh people in operator group are ready to develop a group as reporter, which means now I'm impersonating as operator.

A

I can execute the production job which wasn't uh available uh previously so um now, as an operator as I said, I cannot edit the code base um like, even if I try to edit uh that's disallowed, but I can only execute the production job.

A

And now it's running so um that's the whole point of this feature. I hope uh hope it worked well in your organizations. um So thank you for watching see you.