Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add docs for user management and invitations #3837

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 9 additions & 5 deletions docs/docs/how-to/artifact_signatures.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,17 @@ repositories are built from trusted sources and using trusted workflows based
on their cryptographically signed provenance.

This is done by creating a profile which utilizes the `artifact_signature`
`rule_type`.
`rule_type`.

## Prerequisites

* The `minder` CLI application
* A Stacklok account
* An enrolled Provider (e.g., GitHub)
* A repository that produces container images. At the moment Minder's artifact signature checks are only available for container images and only the `ghcr.io` registry is supported.
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)
- An enrolled Provider (e.g., GitHub)
- A repository that produces container images. At the moment Minder's artifact
signature checks are only available for container images and only the
`ghcr.io` registry is supported.

## Create the artifact provenance rule type

Expand Down Expand Up @@ -80,6 +83,7 @@ and the policy status will be updated accordingly. If the artifact is not matchi
violation is presented via the profile status and an alert is raised.

## Define a more advanced profile that checks artifact provenance

As the next step, let's create a profile that checks the provenance of the artifact.
Create a new file called `profile-artifact-provenance.yaml`.

Expand Down
33 changes: 20 additions & 13 deletions docs/docs/how-to/create_profile.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,16 +5,19 @@ sidebar_position: 10

## Prerequisites

* The `minder` CLI application
* A Stacklok account
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)

## Use a reference rule

The first step to creating a profile is to create the rules that your profile will apply.

The Minder team has provided several reference rules for common use cases. To get started quickly, create a rule from
the set of references.

Fetch all the reference rules by cloning the [minder-rules-and-profiles repository](https://github.com/stacklok/minder-rules-and-profiles).

```
git clone https://github.com/stacklok/minder-rules-and-profiles.git
```
Expand All @@ -30,14 +33,15 @@ minder ruletype create -f rule-types/github/secret_scanning.yaml
```

## Write your own rule

This section describes how to write your own rule, using the existing rule `secret_scanning` as a reference. If you've
already created the `secret_scanning` rule, you may choose to skip this section.

Start by creating a rule that checks if secret scanning is enabled.
Start by creating a rule that checks if secret scanning is enabled.

Create a new file called `secret_scanning.yaml`.

Add some basic information about the rule to the new file, such as the version, type, name, context, description and
Add some basic information about the rule to the new file, such as the version, type, name, context, description and
guidance.

```yaml
Expand All @@ -60,6 +64,7 @@ guidance: |
Next, add the rule definition to the `secret_scanning.yaml` file.
Set `in_entity` to be `repository`, since secret scanning is enabled on the repository.

```yaml
def:
in_entity: repository
Expand Down Expand Up @@ -106,7 +111,7 @@ def:
def: ".enabled"
```
Set up the remediation action that will be taken if this rule is not satisfied
Set up the remediation action that will be taken if this rule is not satisfied
(and the profile has turned on remediation). The remediation action in this case is to make a PATCH request to the
repository and enable secret scanning.
```yaml
Expand Down Expand Up @@ -220,6 +225,7 @@ repository:
```

Putting it all together, you get the following content if `profile.yaml`:

```yaml
version: v1
type: profile
Expand Down Expand Up @@ -260,7 +266,7 @@ In Minder profiles, rules are identified by their type and, optionally, a unique

### Rule Types vs Rule Names

Rule types are mandatory and refer to the kind of rule being applied. Rule names, on the other hand, are optional
Rule types are mandatory and refer to the kind of rule being applied. Rule names, on the other hand, are optional
identifiers that become crucial when multiple rules of the same type exist under an entity.

```yaml
Expand All @@ -270,11 +276,12 @@ repository:
def:
enabled: true
```

In this example, `secret_scanning` is the rule type and `secret_scanning_github` is the rule name.

### When are Rule Names Mandatory?

If you're using multiple rules of the same type under an entity, each rule must have a unique name. This helps
If you're using multiple rules of the same type under an entity, each rule must have a unique name. This helps
distinguish between rules and understand their specific purpose.

```yaml
Expand All @@ -292,7 +299,7 @@ Here, we have two rules of the same type `secret_scanning` under the `repository

### Uniqueness of Rule Names

No two rules, whether of the same type or different types, can have the same name under an entity. This avoids
No two rules, whether of the same type or different types, can have the same name under an entity. This avoids
confusion and ensures each rule can be individually managed.

```yaml
Expand All @@ -306,8 +313,8 @@ repository: # Would return an error while creating
def:
enabled: false
```
In the above used example, even though the rules are of different types (`secret_scanning` and `secret_push_protection`),
Minder will return an error while creating this profile as rule names are same under the same entity.
In the above used example, even though the rules are of different types (`secret_scanning` and `secret_push_protection`),
Minder will return an error while creating this profile as rule names are same under the same entity.
You may use same rule names under different entities (repository, artifacts, etc.)

Rule name should not match any rule type, except its own rule type. If a rule name matches its own rule type, it should
Expand All @@ -334,8 +341,8 @@ the explicit name of the `gomod` rule.

### Example

Consider a profile with two `dependabot_configured` rules under the `repository` entity. The first rule has a unique
name, "Dependabot Configured for GoLang". The second rule doesn't have a name, which is acceptable as Minder would
Consider a profile with two `dependabot_configured` rules under the `repository` entity. The first rule has a unique
name, "Dependabot Configured for GoLang". The second rule doesn't have a name, which is acceptable as Minder would
add rule type as the default name for the rule.

```yaml
Expand All @@ -353,5 +360,5 @@ repository:
apply_if_file: docs/package.json
```

You can find the rule definitions used above and many profile examples at
You can find the rule definitions used above and many profile examples at
[minder-rules-and-profiles](https://github.com/stacklok/minder-rules-and-profiles) repository.
31 changes: 31 additions & 0 deletions docs/docs/how-to/create_project.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
title: Creating a New Project
sidebar_position: 90
---

When you log in to Minder without a project, Minder will automatically create a
new project to manage your entities (repositories, artifacts, etc). It is also
possible to create additional projects after you have created your Minder
profile, for example, to create different projects for different organizations
or teams you are a part of. Note that
[Minder Projects](../understand/projects.md) can collect resources from several
upstream resource providers such as different GitHub organizations, so you can
register several [entity providers](../understand/providers.md) within a
project.

## Prerequisites

- A Minder account
- A GitHub organization you are an administrator for which does not have the
Minder app installed on.

## Creating a New Project

To create a new project, enable the Minder GitHub application
([Minder by Stacklok](https://github.com/apps/minder-by-stacklok) for the
cloud-hosted application) on a new GitHub organization. If the GitHub App is
installed on a GitHub organization which is not already registered in Minder,
Minder will create a new project to manage those resources. Using
[`minder provider enroll`](../ref/cli/minder_provider_enroll.md) within a
project to add a new GitHub provider will _not_ create a new project and will
add the selected organization to an existing project.
11 changes: 6 additions & 5 deletions docs/docs/how-to/pr_reviews.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ import TabItem from '@theme/TabItem';

## Prerequisites

* The `minder` CLI application
* A Minder account
* An enrolled Provider (e.g., GitHub) and registered repositories
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)
- An enrolled Provider (e.g., GitHub) and registered repositories

## Create the PR vulnerability check rule
Start by creating a rule that checks if a pull request adds a new dependency with known vulnerabilities. If it does,
Expand Down Expand Up @@ -130,10 +131,10 @@ Create the profile in Minder:
minder profile create -f profile.yaml
```

Once the profile is created, Minder will monitor any pull requests to the registered repositories. If a pull
Once the profile is created, Minder will monitor any pull requests to the registered repositories. If a pull
request brings in a dependency with a known vulnerability, then Minder will add a review to the pull request and
suggest changes.

Alerts are complementary to the remediation feature. If you have both `alert` and `remediation` enabled for a profile,
Minder will attempt to remediate it first. If the remediation fails, Minder will create an alert. If the remediation
succeeds, Minder will close any previously opened alerts related to that rule.
succeeds, Minder will close any previously opened alerts related to that rule.
13 changes: 7 additions & 6 deletions docs/docs/how-to/remediate-pullrequest.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,14 @@ import TabItem from '@theme/TabItem';

## Prerequisites

* The `minder` CLI application
* A Minder account
* An enrolled Provider (e.g., GitHub) and registered repositories
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)
- An enrolled Provider (e.g., GitHub) and registered repositories

## Create a rule type that has support for pull request automatic remediation

The pull request automatic remediation feature provides the functionality to fix a failed rule type by creating a pull request.
The pull request automatic remediation feature provides the functionality to fix a failed rule type by creating a pull request.

This feature is only available for rule types that support it. To find out if a rule type supports it, check the
`remediate` section in their `<alert-type>.yaml` file. It should have the `pull_request` section defined like below:
Expand All @@ -31,8 +32,8 @@ type: rule-type
```

In this example, we will use a rule type that checks if a repository has Dependabot enabled. If it's not enabled, Minder
will create a pull request that enables Dependabot. The rule type is called `dependabot_configured.yaml` and is one of
the reference rule types provided by the Minder team.
will create a pull request that enables Dependabot. The rule type is called `dependabot_configured.yaml` and is
one of the reference rule types provided by the Minder team.

Fetch all the reference rules by cloning the [minder-rules-and-profiles repository](https://github.com/stacklok/minder-rules-and-profiles).

Expand Down
10 changes: 6 additions & 4 deletions docs/docs/how-to/setup-alerts.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,17 @@ sidebar_position: 70

## Prerequisites

* The `minder` CLI application
* A Minder account
* An enrolled Provider (e.g., GitHub) and registered repositories
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)
- An enrolled Provider (e.g., GitHub) and registered repositories

## Create a rule type that you want to be alerted on

The `alert` feature is available for all rule types that have the `alert` section defined in their `<alert-type>.yaml`
file. Alerts are a core feature of Minder providing you with notifications about the status of your registered
repositories using GitHub Security Advisories. These Security Advisories automatically open and close based on the evaluation of the rules defined in your profiles.
repositories using GitHub Security Advisories. These Security Advisories automatically open and close based on the evaluation of the rules
defined in your profiles.

When a rule fails, Minder opens an alert to bring your attention to the non-compliance issue. Conversely, when the
rule evaluation passes, Minder will automatically close any previously opened alerts related to that rule.
Expand Down
10 changes: 6 additions & 4 deletions docs/docs/how-to/setup-autoremediation.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ sidebar_position: 60

## Prerequisites

* The `minder` CLI application
* A Minder account
* An enrolled Provider (e.g., GitHub) and registered repositories
- The `minder` CLI application
- A Minder account with
[at least `editor` permission](../user_management/user_roles.md)
- An enrolled Provider (e.g., GitHub) and registered repositories

## Create a rule type that you want to use auto-remediation on

Expand All @@ -20,7 +21,7 @@ creating a pull request with a proposed fix.

In this example, we will use a rule type that checks if a repository allows having force pushes on their main branch,
which is considered a security risk. If their setting allows for force pushes, Minder will automatically remediate it
and disable it.
and disable it.

The rule type is called `branch_protection_allow_force_pushes.yaml` and is one of the reference rule types provided by
the Minder team.
Expand All @@ -44,6 +45,7 @@ minder ruletype create -f rule-types/github/branch_protection_allow_force_pushes
```

## Create a profile

Next, create a profile that applies the rule to all registered repositories.

Create a new file called `profile.yaml` using the following profile definition and enable automatic remediation by setting
Expand Down
24 changes: 20 additions & 4 deletions docs/docs/understand/projects.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,24 @@ sidebar_position: 20

# Projects in Minder

Projects in Minder are a way to group entities together. They are a way to organize your entities (repositories, artifacts,
etc.) based on the policy you want to enforce or the team that owns them.
Projects in Minder are a way to group entities together, and to share access
with other people in your organization. They are a way to organize your entities
(repositories, artifacts, etc.) based on the policy you want to enforce or the
team that owns them.

When creating an account, Minder will automatically create a default project for you. You can create additional projects as
a way to organize and secure your entities, and manage access for your team members.
Each user in an project is [assigned a role](../user_management/user_roles.md),
such as `editor` or `admin`. Projects must have at least one administrator, who
has permission to
[invite other users to the project](../user_management/adding_users.md) and
change users roles within the project.

When creating an account, Minder will automatically create a default project for
you, unless you are accepting an invitation to an existing project. You can
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this is not like that right now. We still create a project, we just don't go through the onboarding flow and also show by default the oldest project in the UI (which is the one the user accepted the invite for).

We had a discussion with @jhrozek that we should separate the project creation part from the user creation part, ref. #3826 (implying changes on the client's side - UI and CLI)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ethomson -- are we okay shipping invitations with this change from the PRD & tech design, or do we need to address it before release?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another note - if the user accepted an invite, but then selects their default project from the drop down menu they will be taken through the onboarding flow for it since it's what the front end does for every new project.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I think it's really surprising that we new up a secret project behind the scenes that nobody asked for.
  • We have a metric around project creation and how many have rules and profiles associated with them (versus not), and this will annihilate that metric. 🙃
  • The UI should show the most recent project, not the oldest project. (Again, the FE needs a data store for its own business logic, and doesn't have one.)

Can you give me a rough cost on separating user creation from project creation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to figure out what the API call is that creates the user without the project. I need to look and see if it makes sense for ResolveInvitation to potentially set up a new user if it's called by someone who is known to Keycloak but not to Minder. If so, the flow for getting a Minder account would be either:

ResolveInvitation -> ...

OR

CreateUser -> ...

Right now we're measuring projects primarily, so we probably wouldn't really "see" the additional users on a project from a metrics PoV, which may be okay in general.

The interesting question is what middleware and other plumbing might break by making ResolveInvitation not require a User object already stored in the database.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will be a small change, if I'm right, I'm about 2/3rds done now (plus tests, so really 40% done).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made it a medium-size change, and it will need a client release: #3909

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also @kantord for a heads-up; I commented on #3909, but the frontend should not call CreateUser before calling ResolveInvitation -- ResolveInvitation will take care of any bookkeeping needed in terms of getting user information. Note that before calling ResolveInvitation, the GetUser call will also fail.

[create additional projects](../how-to/create_project.md) as a way to organize
and secure your entities, and manage access for your team members.

If you are a member (have a role in) more than one project, you can use
[the `MINDER_PROJECT` environment variable](../ref/cli_configuration.md) or the
`--project` flag to select a specific project to operate on with the CLI. If you
have access to multiple projects and no project is selected, Minder will report
an error asking you to select a project.
Loading