Add actions to group/scope auth #2147
Conversation
| @@ -4,5 +4,6 @@ | |||
| READ, | |||
| WRITE, | |||
| ADMIN, | |||
| DEPLOY | |||
| DEPLOY, | |||
| EXEC // run, bounce, kill, pause, scale | |||
There was a problem hiding this comment.
Since we are adding granularity, would it be too much harder to actually make each of these their own separate scope? Would let us much more easily divide things up later if needed
| @@ -211,6 +144,19 @@ public boolean isAuthorizedForRequest( | |||
| } | |||
| } | |||
|
|
|||
| private void warnJita( | |||
There was a problem hiding this comment.
just FYI that this will have some merge conflicts with #2141
| return Sets.union(scopesConfiguration.getRead(), scopesConfiguration.getWrite()); | ||
| case WRITE: | ||
| return scopesConfiguration.getWrite(); | ||
| case DEPLOY: |
There was a problem hiding this comment.
If it makes it simpler in the overall implementation, I'm fine with having the DEPLOY scope behave similar to the new ones (i.e. falls under WRITE unless otherwise overriden by a request). I had originally separated out DEPLOY for future use with our internal automation, but it isn't turned on or enforced by default
There was a problem hiding this comment.
Do you mean change DEPLOY to not fall back to use WRITE? I set up EXEC so that it doesn't fall back to write, but that the request group gets EXEC privs unless explicitly removed by the overrides.
There was a problem hiding this comment.
We're going to have to add all these scopes for all the appropriate people anyways, it would be easy to add DEPLOY for them too
| @@ -13,20 +15,25 @@ | |||
| private final Optional<String> group; | |||
| private final Set<String> readWriteGroups; | |||
| private final Set<String> readOnlyGroups; | |||
| private final Optional<Map<String, Set<SingularityAuthorizationScope>>> groupScopeOverrides; | |||
There was a problem hiding this comment.
should this also be renamed/updated to actionPermissions?
| @@ -14,6 +14,9 @@ | |||
| @NotEmpty | |||
| private Set<String> read = Collections.singleton("SINGULARITY_READONLY"); | |||
|
|
|||
| @NotEmpty | |||
| private Set<String> exec = Collections.singleton("SINGULARITY_EXEC"); | |||
There was a problem hiding this comment.
can probably remove this since we went with the actions strategy instead
| package com.hubspot.singularity; | ||
|
|
||
| public enum SingularityUserFacingAction { | ||
| RUN_REQUEST, |
There was a problem hiding this comment.
naming nits:
- Not sure we need the _REQUEST on each of these. Will likely be easier for users to remember in their configs without it
- Maybe RUN -> EXEC/EXECUTE?
There was a problem hiding this comment.
Agreed on dropping _REQUEST.
I feel like RUN matches up with the ui ("Run Now"), where EXEC/EXECUTE isn't a term users typically use, so it may be easier to remember.
| PAUSE_REQUEST, | ||
| SCALE_REQUEST, | ||
| KILL_TASK, | ||
| BOUNCE_TASK, |
There was a problem hiding this comment.
Is bounce task any different from KILL_TASK? I don't see it used anywhere
|
|
||
| if (request.getActionPermissions().isPresent()) { | ||
| request | ||
| .getActionPermissions() |
There was a problem hiding this comment.
is this needed here still? I think the action permissions are all write-based (and also not SingularityAuthorizationScope objects)
There was a problem hiding this comment.
Good catch - missed this one
There was a problem hiding this comment.
Overall I like the actions strategy, seems a lot cleaner. One open question is if a write-jita should allow a user to bypass not being the proper action group. I think the answer should be yes there, but open to opinions. Definitely +1 for unit tests here. It's much easier to tell that all the authorizer bits are working with those than by reading the code alone
|
re: write-jita — Could we disallow jita action bypass by default, and leave it up to the user to add the jita group to the action permissions if that should be allowed? It's less obvious for users, but more protective and explicit. If not, then I would assume that write-jita should allow bypassing the action permissions. |
|
I think the fact that we have the audit events that Aditya added should be enough on the jita front to just allow jita through to everything. One of the main requirements on this was that any actions normally not allowed would at least be logged/audited |
|
Added tests that validate JITA support for actions |
|
🚢 |
Some requests need to be runnable ONLY by someone other than the group owner for compliance purposes. For example, Team A would write and deploy a sensitive request, and only Team B could run it (or bounce, scale, kill tasks, or pause).
This provides a more generic solution in the form of an action permissions override map.