Sentry: Improve session security around superusers
- [x] Add secondary session for superuser authentication (somewhat similar to how sudo works)
- [ ] Add optional MFA requirements for superuser authentication (e.g. we dont have to re-log you in, just confirm your U2F key)
- [x] Tight expiration on superuser (revoke on browser close, revoke after idle time, revoke after fixed window)
- [x] Log all requests made by superusers
- [ ] Visual indicator that you are in superuser mode
- [ ] A way to 'logout' of superuser mode (but not of your account)
- [ ] Add optional password requirements for superuser access (potentially expose this beyond just superuser from an API standpoint)
- [ ] Password expiration for superusers (similar to password requirements, standard API to implement it)
- [ ] [Nice to have] Utility to logout all superusers
We've also talked about adding the ability for organizations to enforce things (2fa for example), and this might be a good time to link this up. For example, we could say "superuser requires the enforcement of the default organization", and then we could configure e.g. sentry to require 2fa for access. Then authentication checks simply say "are you successfully authenticated against the Sentry org".
dcramer
All 15 comments
a bunch of this is to satisfy HIPAA requirements, while some of it is just good practice
dcramer
on 22 Nov 2017
I would also say we should have a clear UI indication that you are in superuser mode and a way to easily turn it off again.
mitsuhiko
on 22 Nov 2017
@mitsuhiko agreed, @ckj could we change the header color?
dcramer
on 22 Nov 2017
For context, this is also moving towards a goal of moving Sentry to "Beyond Corp" security practices in all facets, and superuser is one that we currently have VPN locked.
dcramer
on 23 Nov 2017
It would be nice to extend the UI indicator to do something for development mode as well. There's definitely been times before I've had to pay extra attention to make sure I'm doing things on my localhost tab, not sentry.io tab (disabling SSO auth)
EvanPurkhiser
on 23 Nov 2017
@EvanPurkhiser agreed!
(also for when you're authenticated as a different user using the 'login as' functionality)
dcramer
on 23 Nov 2017
favicon color 鈿狅笍
and sidebar color
MaxBittker
on 23 Nov 2017
@MaxBittker not obvious enough IMO, but could be a nice addition
dcramer
on 23 Nov 2017
favicon is crucial because i usually have local & prod tabs open, and the mistakes I make are always when switching
MaxBittker
on 23 Nov 2017
something subtle like this + favicon? clicking the off state could trigger a sudo prompt
ckj
on 23 Nov 2017
@ckj imo it needs to be drastic -- e.g. change the sidebar to be a completely different color or add a giant banner at the top of the site
scenarios:
- staging
- development
- superuser
- impersonated user
dcramer
on 23 Nov 2017
@dcramer I think drastic would be taxing on the dev experience personally. maybe something subtle + sticky if you're worried people wouldn't see it?
ckj
on 23 Nov 2017
@ckj it doesnt have to make the whole site red, but e.g. a 20px high banner (or border?) at the top I think is acceptable
we want to avoid the mistake of someone doing something in prod and thinking its another environment
dcramer
on 23 Nov 2017
Favicon done here for development mode: https://github.com/getsentry/sentry/pull/7699
EvanPurkhiser
on 20 Mar 2018
Closing this issue due to staleness. Feel free to comment here if you think we should still work on this.
BYK
on 21 Oct 2020
Related issues
campbellita
路
3Comments
phiresky
路
3Comments
dmnd
路
4Comments
dcramer
路
4Comments
jiankunking
路
3Comments
Most helpful comment
favicon color 鈿狅笍
and sidebar color