-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add actions to group/scope auth #2147
Conversation
@@ -4,5 +4,6 @@ | |||
READ, | |||
WRITE, | |||
ADMIN, | |||
DEPLOY | |||
DEPLOY, | |||
EXEC // run, bounce, kill, pause, scale |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we are adding granularity, would it be too much harder to actually make each of these their own separate scope? Would let us much more easily divide things up later if needed
@@ -211,6 +144,19 @@ public boolean isAuthorizedForRequest( | |||
} | |||
} | |||
|
|||
private void warnJita( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just FYI that this will have some merge conflicts with #2141
return Sets.union(scopesConfiguration.getRead(), scopesConfiguration.getWrite()); | ||
case WRITE: | ||
return scopesConfiguration.getWrite(); | ||
case DEPLOY: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it makes it simpler in the overall implementation, I'm fine with having the DEPLOY scope behave similar to the new ones (i.e. falls under WRITE unless otherwise overriden by a request). I had originally separated out DEPLOY for future use with our internal automation, but it isn't turned on or enforced by default
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean change DEPLOY to not fall back to use WRITE? I set up EXEC so that it doesn't fall back to write, but that the request group gets EXEC privs unless explicitly removed by the overrides.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're going to have to add all these scopes for all the appropriate people anyways, it would be easy to add DEPLOY for them too
@@ -13,20 +15,25 @@ | |||
private final Optional<String> group; | |||
private final Set<String> readWriteGroups; | |||
private final Set<String> readOnlyGroups; | |||
private final Optional<Map<String, Set<SingularityAuthorizationScope>>> groupScopeOverrides; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this also be renamed/updated to actionPermissions?
@@ -14,6 +14,9 @@ | |||
@NotEmpty | |||
private Set<String> read = Collections.singleton("SINGULARITY_READONLY"); | |||
|
|||
@NotEmpty | |||
private Set<String> exec = Collections.singleton("SINGULARITY_EXEC"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can probably remove this since we went with the actions strategy instead
package com.hubspot.singularity; | ||
|
||
public enum SingularityUserFacingAction { | ||
RUN_REQUEST, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
naming nits:
- Not sure we need the _REQUEST on each of these. Will likely be easier for users to remember in their configs without it
- Maybe RUN -> EXEC/EXECUTE?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed on dropping _REQUEST.
I feel like RUN matches up with the ui ("Run Now"), where EXEC/EXECUTE isn't a term users typically use, so it may be easier to remember.
PAUSE_REQUEST, | ||
SCALE_REQUEST, | ||
KILL_TASK, | ||
BOUNCE_TASK, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is bounce task any different from KILL_TASK? I don't see it used anywhere
|
||
if (request.getActionPermissions().isPresent()) { | ||
request | ||
.getActionPermissions() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this needed here still? I think the action permissions are all write-based (and also not SingularityAuthorizationScope objects)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch - missed this one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall I like the actions strategy, seems a lot cleaner. One open question is if a write-jita should allow a user to bypass not being the proper action group. I think the answer should be yes there, but open to opinions. Definitely +1 for unit tests here. It's much easier to tell that all the authorizer bits are working with those than by reading the code alone
re: write-jita — Could we disallow jita action bypass by default, and leave it up to the user to add the jita group to the action permissions if that should be allowed? It's less obvious for users, but more protective and explicit. If not, then I would assume that write-jita should allow bypassing the action permissions. |
I think the fact that we have the audit events that Aditya added should be enough on the jita front to just allow jita through to everything. One of the main requirements on this was that any actions normally not allowed would at least be logged/audited |
Added tests that validate JITA support for actions |
🚢 |
Some requests need to be runnable ONLY by someone other than the group owner for compliance purposes. For example, Team A would write and deploy a sensitive request, and only Team B could run it (or bounce, scale, kill tasks, or pause).
This provides a more generic solution in the form of an action permissions override map.