-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Effective project handling #13886
Effective project handling #13886
Conversation
e21d4c4
to
5f08719
Compare
5f08719
to
c2bab53
Compare
Heads up @mionaalex - the "Documentation" label was applied to this issue. |
I've created this issue to refactor the image database methods. For now there is an extra database call in image and image alias handlers to resolve the effective project and set it in the request context before the access check. Edit: Whoops I forgot to add the link - #13896 |
bcbf3be
to
0b04458
Compare
6f634ea
to
9b516bf
Compare
Missing link? |
9b516bf
to
6cec579
Compare
Whoops, I've added it to the original comment. |
6cec579
to
4133401
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So in general 2 questions:
- Can we avoid passing *Daemon to
addFooDetailsToRequestContext
? - Why are the not found errors from
project.FooRecord()
being masked, and if there is a reason, we should have a comment explaining it, as its non-obvious.
@markylaing please can you look at whether |
The events socket is doing the right thing WRT This breaks down for effective projects of course. If an event occurs in the default project because the feature is not enabled in another project, we can't resolve the original request project because there may be more than one project with that feature disabled. |
Mmm yeah that is what I was getting at. So this would mean that specifying a specific project which has certain features disabled would mean missing events for entities related to those features ? But it wouldn't mean seeing events that one shouldnt? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should decouple this PR from the 404 not found discussion so as not to prevent this from being merged. Can you rework this PR to not do any error masking and then we can revisit the discussion as a separate issue?
415df26
to
d137df1
Compare
Adds the effective project to the request context for all profile related requests. This follows the pattern in storage volumes and storage buckets, whereby details about the profile that are needed for the access check are added to the request context so that they do not need to be recalculated. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Additionally, ensure that the effective project is always set in the request context before calling `GetPermissionChecker` Signed-off-by: Mark Laing <[email protected]>
The current usage of effective project in the TLS authorizer checks that the project in the given entity URL is the same as the effective project. But since the effective project is always set (for entity type with feature flags), this means we're not checking that the entity is in identities' project list. (This is ok, because the caller cannot list entities in a project that they do not have access to, but is not correct). We now expect that all URLs passed into the PermissionChecker returned by this function will contain the request project, so we can just check it against the project list. Signed-off-by: Mark Laing <[email protected]>
The OpenFGA driver will not allow "punching through" to the default project. Instead we will re-write the given entity URL to use the effective project when performing the auth check. An administrator can allow individual permissions against resources in the effective project if necessary. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
This commit copies the majority of the updated `tls_restrictions` test and asserts the behaviour of the fine-grained authorization driver. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
…ive projects. Signed-off-by: Mark Laing <[email protected]>
d137df1
to
8674666
Compare
@@ -3001,7 +3081,13 @@ func imageGet(d *Daemon, r *http.Request) response.Response { | |||
// Get the image. We need to do this before the permission check because the URL in the permission check will not | |||
// work with partial fingerprints. | |||
var info *api.Image | |||
effectiveProjectName := projectName |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var effectiveProjectName string
would be clearer here no? Showing that its empty until its loaded from the DB below, rather than defaulting to the request project? (infact you seem to have switched to that pattern further down in this file).
Implements the following:
features.*
project config. This includes:i. Adding network, network zone, image, and profile specific access handlers.
ii. For each entity type above, setting details in the request context to avoid repeated calculation (same pattern as for storage buckets and volumes).
(Authorizer).CheckPermission
and in calls to theauth.PermissionChecker
returned by(Authorizer).GetPermissionChecker
.Closes #13863