
ability to reject an approval request

Open rojomisin opened this issue 2 years ago • 3 comments

The current MPA workflow allows anyone in the list to approve; however, there was a question about being able to add a button in the email to deny the request too. Without knowing the level of effort on this feature add, I could imagine a subset of the recipients being named in a list, maybe [email protected] (terrible var name perhaps, apologies), and as long as that is a nested group within the group of [email protected] eligible for JIT roles, their email would include a red deny button?

rojomisin, Mar 15 '23 04:03

Suppose you request approval for some role and pick Alice and Bob as reviewers. Alice rejects the request. Would Bob be allowed to approve anyway?

The challenge with implementing a rejection feature is that the app is stateless and doesn't really "track" the state of an approval request. Instead, the approval request is represented by the activation token, and as long as that token is valid, a reviewer that's listed in the token can approve the request (with immediate effect).

What we could do is add a "Reject" button that sends out a notification saying Alice rejected the request... (maybe along with her justification). But that notification would only be informative, and Bob could choose to ignore it and approve anyway.

The stricter variant, where Alice's rejection terminates the entire process, would require the app to somehow "revoke" the activation token. I could think of a few ways to do that, but it requires the app to become stateful -- somewhere outside IAM, it now needs to track which activation requests are valid or have been revoked.

I'm not too keen on making the app stateful, so if the first option is good enough, I'd favor that.

jpassing, Mar 23 '23 01:03
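The two options above (an informative "Reject" that cannot stop a later approval, versus a rejection that revokes the activation token and therefore needs state outside IAM), as an added illustration that is not code from the jit-access project. It assumes a hypothetical activation token: a JSON payload (request id, requester, role, reviewers, expiry) signed with HMAC-SHA256 under a hypothetical shared secret; the project's real token format, signing and APIs are not reproduced. With the stateless check, Bob's approval succeeds after Alice's rejection because nothing records the rejection; with a revocation store consulted before approval, the same approval is refused. Expired tokens, tokens whose payload was swapped under a valid signature, and callers who are not listed reviewers are refused in both variants.

```python
"""Stateless vs. stateful approval of a signed activation token (illustrative)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"  # hypothetical; a real app would load this from a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(request_id, requester, role, reviewers, ttl_seconds, now=None):
    """Encode the whole approval request as a self-contained signed token (assumed format)."""
    now = time.time() if now is None else now
    payload = {"id": request_id, "requester": requester, "role": role,
               "reviewers": sorted(reviewers), "exp": now + ttl_seconds}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def parse_token(token, now=None):
    """Verify signature and expiry; return the payload or raise ValueError."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(body)
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def _check(token, reviewer, now):
    """Shared validation: signed, unexpired, and the caller is a listed reviewer."""
    try:
        payload = parse_token(token, now)
    except ValueError as exc:
        return None, str(exc)
    if reviewer not in payload["reviewers"]:
        return None, f"{reviewer} is not a listed reviewer"
    return payload, None


def approve_stateless(token, reviewer, now=None):
    """Option 1: anyone listed in a still-valid token may approve.
    No earlier rejection is visible here, so none can block the approval."""
    payload, reason = _check(token, reviewer, now)
    if payload is None:
        return {"granted": False, "reason": reason}
    return {"granted": True, "role": payload["role"], "to": payload["requester"], "by": reviewer}


def reject_notify(token, reviewer, justification, now=None):
    """Option 1's 'Reject' button: produce a notification and change nothing else."""
    payload, reason = _check(token, reviewer, now)
    if payload is None:
        return {"sent": False, "reason": reason}
    return {"sent": True,
            "recipients": payload["reviewers"] + [payload["requester"]],
            "message": f"{reviewer} rejected request {payload['id']}: {justification}"}


class RevocationStore:
    """Option 2: the state that has to live outside IAM so a rejection can
    terminate the request. In-memory here; a real deployment would need
    durable, shared storage consulted by every instance of the app."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, request_id):
        self._revoked.add(request_id)

    def is_revoked(self, request_id):
        return request_id in self._revoked


def approve_stateful(token, reviewer, store, now=None):
    payload, reason = _check(token, reviewer, now)
    if payload is None:
        return {"granted": False, "reason": reason}
    if store.is_revoked(payload["id"]):
        return {"granted": False, "reason": f"request {payload['id']} was rejected"}
    return approve_stateless(token, reviewer, now)


def reject_stateful(token, reviewer, store, justification, now=None):
    note = reject_notify(token, reviewer, justification, now)
    if note["sent"]:
        store.revoke(parse_token(token, now)["id"])
    return note
```

The revocation store is keyed by the request id carried inside the token, so revoking it does not require changing the token itself; but every instance serving approval requests must see the same store, which is exactly the state the thread is reluctant to introduce.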

Yes, thanks for the explanation around state. I agree that is a bit more complex, and probably won't add enough value for the complexity. In our use-case there is an implicit trust, thankfully, but yes, a communication of a deny via email/Slack would at least stoke conversation within the team about why requesting that privilege should not be approved. In our case we really want to avoid someone being able to terraform apply any IAM resources relating to authoritative policy binding.

rojomisin, Mar 23 '23 17:03

Great, then let's focus on the option where we send out a notification, but don't terminate the process.

jpassing, Mar 23 '23 22:03