RFC: Nest Teams

[polypixeldev]

While Nest was originally made and designed for personal use, it is also very useful for organizational use, especially in things like Hack Clubs that might want to host a website or backend for the whole club to manage. Therefore, I propose a feature on Nest that allows for the creation of teams: shared accounts meant to be accessed by different people.

Nest teams would be stored in a new table in the Nest Bot database, and would consist of a username, description, and list of members. At least for the MVP, there will be no permissions, so each member would be able to modify the team. The Authentik password would be DM'ed to the team creator upon approval.

Nest teams would be setup in the same way as normal user accounts on Nest, except that they would use a special AuthorizedKeysCommand for SSH which will output the combination of all members' authorized_keys files.

There will be no limit as to how many teams a user can create or be a part of, but like user accounts, all teams will have to be approved by the Nest admin team to ensure that teams are not being abused to bypass resource limits on personal projects. They may also be subject to additional auditing for the same purpose.

[Ssmidge]

This seems like a great idea, however the point of Authentik is to remove the need of using multiple accounts, so needing to login to another Authentik account seems to be counterintuitive, wouldn't adding the users to a group be a better option?

[polypixeldev]

Having a shared user on Nest makes sense so that it can be separate from personal accounts and have it's own systemd daemon for team projects. Having it be a completely new Authentik account isn't ideal, but since accounts are managed through LDAP it's the only option.

[ajhalili2006]

Replied via Slack: Interested to test Nest teams once implemented since I plan to run some Docker containers for my open-source organization (@recaptime-dev), although it may not be qualified due to being one-man team (a.k.a me).

For the application process when this is implemented, does the organization required to be fiscally hosted on HCB, and only who signed the fiscal sponsorship agreement can request for a Nest team?

Speaking of autogenerated organizational admin account at Authentik side when approved, maybe we can generate a blank or some random password but block from signing in for SSO/SAML (other than being shell-only LDAP account).

[taciturnaxolotl]

A shell only account makes sense. Its probably also a good idea to attach a label or something to the account to denot that its a team account. An HCB requirement might make it easier on the approval side but harder for clubs. Maybe a hybrid system where hcb makes it faster to apply would work.

[polypixeldev]

Yeah I guess we could just create the account locally on Nest VM using Nest Bot. I agree w/ kieran, HCB wouldn't be required but would definitely help out. If there is no HCB account i'd say that it would have to either be a club or a github organization (but members would have to be teens).

[Jake-Schuler]

I would love for teams to be a thing I want to host a internal app for my FIRST team (I have reached out to nest admins, they said they would create a account but haven't yet).

[berke-volkan]

Overall this feature should be added but there is some problems.
A) Shared Account
In my opinion this feature can create security issueses on system.As Nest is a service where you need to enter HC Slack but in this way you can share this password with non-hackclubbers which doesnt makes any sense & İt will be hard to handle malicious software/Aı.Soo we need a system Like a user group.However if we really do this as shared accounts there must be a IP/Mac address limitation & ip/mac address and Slack name Match

B) Application Process
Ok we all agree we can boost HCB organizations approval speed but here is the catch as Hack Club is club-centric i suppose we need to find a solution to onboard Club's easily to this.As i know there was a question about "what is your Slack name" on club opening form if Jared has a DB of this answers we can use them or as hackclub.com sub-domain are available only for Club's we can fetch peoples who committed in hack-club/dns (As they are probably a leader if not a HC staff etc.) and has a hack-club.com sub-domain we can boost them too (We can have 3 options at signup for staying in the API limits of Github,Slack etc.)