Description
Hi folks, as part of the Node.js Security initiative we have created a table of access per group based on the available roles under the Node.js org. We'd like to get some feedback/review. Feel free to edit the table if you think something is wrong (I can read the history and update our HackMD table).
The idea is to have a table of permissions and then look at the threats associated with each role and their impact on the Node.js organization.
Access per Group
Levels: (-) none, (r) read, (w) write, (a) admin/owner (inspiration from https://mason.gmu.edu/~montecin/UNIXpermiss.htm)
Additional notes:
- While some teams can have access to a resource, like the secrets, they might have different access levels internally based on sub-groups.
- Some individuals and teams have access, such as write, to different GitHub repositories in the org, like Working Groups or subteams.
Note
¹ - All repositories with code that gets published or has some impact on nodejs/core
² - Releasers have access to run CI during a CI embargo (security release)
| Resource | External people | Contributors (Core / Triagers / WG) | Build (Test / Infra / Admin) | Admin (TSC / Releasers / Moderation) | Security (Stewards / Triagers / External) | GitHub (Actions / Plugins) |
|---|---|---|---|---|---|---|
| HackerOne | - | --- | --- | aw- | www | -- |
| MITRE | - | --- | --- | a-- | w-- | -- |
| private/node-private | - | --- | www | aw- | w-w | -- |
| private/security-release | - | --- | --- | a-- | ww- | -- |
| private/secrets | - | --- | www | a-- | --- | -- |
| nodejs/node | r | wrr | rrw | awa | rrr | wr |
| nodejs/deps¹ | r | rrr | rrw | arr | rrr | wr |
| nodejs/build (GH) | r | rrr | rrw | awa | rrr | wr |
| nodejs/node-core-utils | r | rrr | rrw | awa | rrr | wr |
| npm account | - | --- | -a- | a-- | --- | -- |
| Jenkins CI - test | r | ww- | wwa | -w²- | --- | ww |
| Jenkins CI - release | - | --- | -ww | -w- | --- | -- |
| Infra - test | - | w-- | aaa | ww- | -w- | ww |
| Infra - release | - | --- | -ww | -w- | --- | -- |
| Build infra | - | --- | -a- | --- | --- | -- |
| Website Infra | - | --- | -a- | a-- | --- | -- |
| Youtube | - | --w | --- | a-- | --- | -- |
| Zoom | r | rrw | --- | a-- | --- | -- |
| 1Password | - | --r | --- | a-- | --- | -- |
| Social media accounts | - | --- | --- | --- | --- | -- |
| Email (nodejs-sec) | r | rrr | rrr | awr | wrr | rr |
| Email (io.js aliases) | r | --- | -a- | w-- | --- | -- |
Repos under nodejs which do not include code are not covered, as they cannot lead to the threats listed.
pkgjs.org is excluded as it does not include code/repos that make it into Node.js binaries.