Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #24872: Rework api authorization models #5669

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Fixes #24872: Rework api authorization models #5669

wants to merge 1 commit into from

Conversation

VinceMacBuche
Copy link
Member

@VinceMacBuche VinceMacBuche requested a review from fanf May 16, 2024 21:44
@VinceMacBuche VinceMacBuche added the WIP Use that label for a Work In Progress PR that must not be merged yet label May 16, 2024
@VinceMacBuche VinceMacBuche marked this pull request as draft May 16, 2024 21:46
@VinceMacBuche VinceMacBuche removed the WIP Use that label for a Work In Progress PR that must not be merged yet label May 16, 2024
@VinceMacBuche
Copy link
Member Author

Commit modified

@VinceMacBuche VinceMacBuche force-pushed the arch_24872/rework_api_authorization_models branch from 16e81d3 to 7703cc9 Compare May 17, 2024 10:39
@VinceMacBuche VinceMacBuche changed the base branch from branches/rudder/8.0 to master May 17, 2024 10:39
@VinceMacBuche
Copy link
Member Author

Commit modified

@VinceMacBuche VinceMacBuche force-pushed the arch_24872/rework_api_authorization_models branch from 7703cc9 to 56e1117 Compare May 17, 2024 12:21
fanf
fanf reviewed May 17, 2024
View reviewed changes
Copy link
Member

@fanf fanf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, seems great. I think it needs at least a third pair of eyes to match the API dispatching - cc @clarkenciel perhaps?

.../sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/ApiDatastructures.scala
@@ -226,8 +226,8 @@ trait EndpointSchema {
// data container name: the expected object key in answer
def dataContainer: Option[String]

// any authorization that allows to access that API - by default, admin.write
def authz: List[AuthorizationType] = List(AuthorizationType.Administration.Write)
// any authorization that allows to access that API
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps add "Nil mean special any_righs, ie admin role, is needed"

clarktsiory
clarktsiory reviewed Jun 13, 2024
View reviewed changes
Copy link
Contributor

@clarktsiory clarktsiory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I double-checked the authz in the endpoints, I found a few that could be changed/are not consistent

...ources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala
}
case object DeleteCampaignEvent extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex {
val z: Int = implicitly[Line].value
val description = "Delete a campaign event"
val (action, path) = DELETE / "campaigns" / "events" / "{id}"
val dataContainer: Option[String] = None
val dataContainer: Option[String] = None
val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DeleteCampaignEvent here should require Write

...ources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala
Comment on lines 278 to 283
case object ReloadGroup extends GroupApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex {
val z: Int = implicitly[Line].value
val description = "Update given dynamic group node list"
val (action, path) = GET / "groups" / "{id}" / "reload"
val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could change the list of nodes in the group, so is it safe with Read instead of Write + Edit ?

...ources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala
Comment on lines 801 to 806
case object CheckTechnique extends TechniqueApiPub with ZeroParam with StartsAtVersion16 with SortIndex {
val z: Int = implicitly[Line].value
val description = "Check if a techniques is valid yaml, with rudderc compilation, with various output (json ? yaml ?)"
val (action, path) = POST / "techniques" / "check"
val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it's just a check (in which case maybe it should be Read), or it does something else behind...
I saw it being used in Elm technique editor, shouldn't we allow them to just check the yaml ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clarktsiory clarktsiory clarktsiory left review comments

@fanf fanf fanf left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@VinceMacBuche @fanf @clarktsiory