andrewmusselman opened a new issue, #539:
URL: https://github.com/apache/tooling-trusted-releases/issues/539
## Summary
Admin users are hardcoded in source code, so every change requires a code deployment, and there is a risk that former users retain access.
## ASVS Requirements
- 6.3.2 - Default account controls
- 8.1.1 - Authorization rules documented
## Related Audit Reports
- [Internal Access #402](ASVS/internal-access-402.md) - Section 3.2
- [Brute Force #405](ASVS/brute-force-identification-405.md) - Section 6.3.2
- [Documentation #408](ASVS/documentation-408.md) - Issue 3.1
## Affected Files
- `atr/config.py:86-101`
## Current Behavior
```python
# FIXME: retrieve the list of admin users from LDAP
ADMIN_USERS = frozenset({
    "cwells", "dfoulks", "fluxo", "gmcdonald",
    "humbedooh", "sbp", "akm", "arm", "wave",
})
```
## Risk
- Admin changes require code deployment
- Former employees may retain access if the list is not updated
- No dynamic admin management
- No audit logging for admin list changes
## Recommended Fix
```python
async def get_admin_users() -> frozenset[str]:
    """Retrieve admin users from LDAP groups."""
    # Query LDAP for members of the 'atr-admins' group
    # or use ASF's infrastructure admin group
    pass


# Or use an external configuration file
ADMIN_USERS_FILE = "/etc/atr/admin-users.json"
```
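As an added example, not code from this issue or from the tooling-trusted-releases project, here is what the external-configuration option could look like once the audit-logging criterion is included: the loader validates the file, diffs it against the previously loaded set and logs every grant and revocation. The `{"admins": [...]}` document shape and the uid pattern are assumptions, and the uids in the sample are taken from the list above.

```python
import json
import logging
import re
from pathlib import Path

log = logging.getLogger("atr.admin")

# Assumed document shape for /etc/atr/admin-users.json: {"admins": ["uid", ...]}
# Assumed uid rule (not the project's): lowercase, starts with a letter, <= 32 chars.
UID_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def parse_admin_users(text: str) -> frozenset[str]:
    """Validate the JSON document and return the admin uids; reject anything else."""
    data = json.loads(text)
    admins = data.get("admins") if isinstance(data, dict) else None
    if not isinstance(admins, list):
        raise ValueError('expected a JSON object of the form {"admins": [...]}')
    uids: set[str] = set()
    for uid in admins:
        if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
            raise ValueError(f"invalid admin uid: {uid!r}")
        uids.add(uid)
    return frozenset(uids)


def diff_admin_users(old: frozenset[str], new: frozenset[str]) -> tuple[list[str], list[str]]:
    """Return (granted, revoked) uids in sorted order for the audit log."""
    return sorted(new - old), sorted(old - new)


def load_admin_users(path: Path, previous: frozenset[str]) -> frozenset[str]:
    """Reload the admin set from disk and log every grant and revocation."""
    # A missing or malformed file raises rather than silently returning an
    # empty or stale set, so the caller decides how to fail closed.
    new = parse_admin_users(path.read_text(encoding="utf-8"))
    granted, revoked = diff_admin_users(previous, new)
    for uid in granted:
        log.warning("admin granted: %s (source=%s)", uid, path)
    for uid in revoked:
        log.warning("admin revoked: %s (source=%s)", uid, path)
    return new


if __name__ == "__main__":
    # Constructed sample edit: cwells is revoked and wave is granted between two reloads.
    before = parse_admin_users(json.dumps({"admins": ["cwells", "sbp"]}))
    after = parse_admin_users(json.dumps({"admins": ["sbp", "wave"]}))
    print(diff_admin_users(before, after))  # (['wave'], ['cwells'])
```

In a deployment, `load_admin_users(Path(ADMIN_USERS_FILE), current)` would be called on startup and on reload, with the returned set replacing the hardcoded `ADMIN_USERS`.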
## Acceptance Criteria
- [ ] Admin users retrieved from LDAP or external configuration
- [ ] FIXME comment addressed
- [ ] Admin changes don't require code deployment
- [ ] Admin access audit logging implemented
- [ ] Documentation updated
--
This is an automated message from the Apache Git Service.