Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ATLAS-10930: log which RBAC check (rbac/entitlement) failed authz #12

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ATLAS-10930: log which RBAC check (rbac/entitlement) failed authz #12

wants to merge 1 commit into from

Conversation

rchowinfoblox
Copy link
Collaborator 

$ make test
go vet ./...
go test ./...
ok      github.com/infobloxopen/atlas-authz-middleware/grpc_opa (cached)
ok      github.com/infobloxopen/atlas-authz-middleware/pkg/opa_client   (cached)

drewwells
drewwells reviewed Aug 24, 2021
View reviewed changes
Copy link
Contributor

@drewwells drewwells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think obligation logs need to be more targeted and opt-in. We will get complaints that middleware is logging errors that people can not turn off.

grpc_opa/authorizer.go
@@ -252,6 +258,8 @@ func (a *DefaultAuthorizer) Evaluate(ctx context.Context, fullMethod string, grp
}

if !opaResp.Allow() {
forbidReason := opaResp.rbacForbiddenReason()
logger.Infof("Request forbidden because these RBAC checks failed:%s", forbidReason)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will make it easier to find in kibana

Suggested change
logger.Infof("Request forbidden because these RBAC checks failed:%s", forbidReason)
logger.WithField("msg", forbidReason).Info("obligation_forbidden msg")

grpc_opa/authorizer.go
@@ -252,6 +258,8 @@ func (a *DefaultAuthorizer) Evaluate(ctx context.Context, fullMethod string, grp
}

if !opaResp.Allow() {
forbidReason := opaResp.rbacForbiddenReason()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we first check that an obligation was expected? This is going to be triggered and have no message for 100% of authz failures today.

grpc_opa/authorizer.go
@@ -353,6 +361,32 @@ func (o OPAResponse) Allow() bool {
return allow
}

// If reason is available, returns reason RBAC was forbidden
func (o OPAResponse) rbacForbiddenReason() string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the signature needs work here. We should distinguish lack of obligations from a specific obligation denial. You could also do that by emitting an error instead of a string. err == nil nothing about obligations to report.

Also, how do services turn these logs off if they don't want them? Perhaps, don't log at all and return wrapped errors is a better way to enable implementation to choose behavior.

grpc_opa/authorizer.go
@@ -252,6 +258,8 @@ func (a *DefaultAuthorizer) Evaluate(ctx context.Context, fullMethod string, grp
}

if !opaResp.Allow() {
forbidReason := opaResp.rbacForbiddenReason()
logger.Infof("Request forbidden because these RBAC checks failed:%s", forbidReason)
return false, ctx, ErrForbidden
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another way to surface error messages is to wrap them in the error being returned.

Suggested change
return false, ctx, ErrForbidden
return false, ctx, fmt.Errorf("%w: %s", ErrForbidden, forbidReason)

Caller verifies type of error with errors.Is(err, grpc_opa.ErrForbidden)

@rchowinfoblox
Copy link
Collaborator Author

Labeled DO-NOT-MERGE as plan is now to use new print() rego function in more recent OPA versions to improve logging of request/response details in OPA log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drewwells drewwells drewwells left review comments

@daniel-garcia daniel-garcia Awaiting requested review from daniel-garcia

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
DO-NOT-MERGE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rchowinfoblox @drewwells