
Sudo Plugin Model #340

Open. Wants to merge 14 commits into base: master.
Conversation (4 participants)

@amitlimaye commented Jun 11, 2019

This PR is part of a project that brings the following changes:

  • A new policy named UserAccessPolicy allows defining who can sudo where.
    Example: user=amit (subject) is allowed to do sudo mysql and sudo docker (sudo users) on hosts where $enforcerid=X (object)

  • Rendered new ingress policy rules. Example:

    "ingressPolicies": {
      "filePolicyRules": null,
      "isolationPolicyRules": null,
      "networkPolicyRules": [
        ...
      ],
      "userAccessRules": [
        {
          "ID": "5d0045296eb576bfc0b70426",
          "action": {
            "action=user-access-info": {
              "allowedSudoUsers": [
                "root"
              ]
            }
          },
          "name": "chris-test",
          "policyNamespace": "/",
          "policyUpdateTime": "2019-06-12T00:20:01.769Z",
          "propagated": false,
          "relation": [],
          "tagClauses": [
            [
              "$identity=enforcer"
            ]
          ]
        }
      ]
    },
  • Added a policy renderer for UserAccess policies:
% apoctl api create policyrenderer -k type UserAccess -k tags '["$identity=enforcer"]' -o json -k processMode Object
{
  "policies": [
    {
      "ID": "5d014e3b6eb5762e67f76899",
      "action": {
        "action=user-access-info": {
          "allowedSudoUsers": [
            "root"
          ]
        }
      },
      "name": "chris-test",
      "policyNamespace": "/apomux",
      "policyUpdateTime": "2019-06-12T19:10:51.492Z",
      "propagated": false,
      "relation": [],
      "tagClauses": [
        [
          "test=chris"
        ]
      ]
    }
  ],
  "processMode": "Object",
  "tags": [
    "$identity=enforcer"
  ],
  "type": "UserAccess"
}

Part of project https://github.com/orgs/aporeto-inc/projects/475

@amitlimaye requested a review from t00f Jun 11, 2019

t00f added some commits Jun 11, 2019

@t00f changed the title from "Initial gaia spec" to "Sudo Plugin Model" Jun 11, 2019

@t00f requested a review from primalmotion Jun 11, 2019

t00f added some commits Jun 11, 2019
@t00f (Member) commented Jun 11, 2019

I also added the default_value of AllowedSudoUsers to be []string{"root"}.

@primalmotion (Member) commented Jun 11, 2019

If you give that default value, you will not be able to reset to nothing. Plus, maximum power by default is not very aporeto-esque.

@t00f (Member) commented Jun 11, 2019

Ok, so you would prefer not having it. I will set it as an example value then.

t00f added some commits Jun 11, 2019

@t00f (Member) commented Jun 12, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "sudopolicy",
    "component": "gaia",
    "pr-id": "340",
    "commit-sha": "d524f145ddd575fc839fb9e7fe2a16ada4f46bdc"
  },
  {
    "project": "sudopolicy",
    "component": "backend",
    "pr-id": "428",
    "commit-sha": "84e5c13fd2721054d93971e03931c0ceab3fb4bb"
  },
  {
    "project": "sudopolicy",
    "component": "underwater",
    "pr-id": "65",
    "commit-sha": "bf8b1717c6280c9f3a0f50aad497bfcea68b1d80"
  }
]

@t00f (Member) commented Jun 12, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "sudopolicy",
    "component": "backend",
    "pr-id": "428",
    "commit-sha": "84e5c13fd2721054d93971e03931c0ceab3fb4bb"
  },
  {
    "project": "sudopolicy",
    "component": "underwater",
    "pr-id": "65",
    "commit-sha": "bf8b1717c6280c9f3a0f50aad497bfcea68b1d80"
  },
  {
    "project": "sudopolicy",
    "component": "gaia",
    "pr-id": "340",
    "commit-sha": "545b46717f918a80d2da6fb428bdb1bde1e9482e"
  }
]

t00f added some commits Jun 12, 2019

@t00f (Member) commented Jun 12, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "sudopolicy",
    "component": "gaia",
    "pr-id": "340",
    "commit-sha": "b01f66611a23d5ece12b202b2cf2f3b2d814031e"
  },
  {
    "project": "sudopolicy",
    "component": "backend",
    "pr-id": "428",
    "commit-sha": "8b63105319067cf7930f25c7d193a5bdb5795bc6"
  },
  {
    "project": "sudopolicy",
    "component": "underwater",
    "pr-id": "65",
    "commit-sha": "f499ac72c11bf3824d8df884cbb235738037c24d"
  }
]

@t00f (Member) commented Jun 12, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "sudopolicy",
    "component": "backend",
    "pr-id": "428",
    "commit-sha": "8b63105319067cf7930f25c7d193a5bdb5795bc6"
  },
  {
    "project": "sudopolicy",
    "component": "underwater",
    "pr-id": "65",
    "commit-sha": "f499ac72c11bf3824d8df884cbb235738037c24d"
  },
  {
    "project": "sudopolicy",
    "component": "gaia",
    "pr-id": "340",
    "commit-sha": "2be8e4fbd68acd4fc6afab1b46dbfe30b42c64ba"
  }
]

@t00f (Member) commented Jun 12, 2019

Quick note on default value

Integration test of backend was failing because of:

Iteration [1] log after 0s
  create a useraccesspolicy
  - [PASS] connecting to events channel for 'create' event for 'useraccesspolicy' should work
  - [PASS] associatedTags should contain tag=a
  - [PASS] normalizedTags should contain tag=a
  - [PASS] normalizedTags should contain the $identity tag
  - [PASS] normalizedTags should contain the $namespace tag
  - [PASS] namespace should be correct
  - [PASS] annotations should be correct
  - [PASS] pushed object and returned object should be identical
  - [PASS] name is correct
  - [PASS] description is correct
  - [PASS] object is correct
  - [PASS] subject is correct
  - [PASS] propagate is correct
  
  error: [FAIL] allowedSudoUsers is correct: expected: '[root]', actual '[root]'

@dstiliadis (Member) commented Jun 13, 2019

An empty list means everyone for the sudousers. That would be my interpretation, to increase usability rather than defaults.
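To make the discussion above concrete, here is an added example (not code from this PR or from gaia) that consumes a userAccessRules entry shaped like the rendered policy in the PR description and decides whether a given `sudo <target>` on a given host is permitted. The two readings of an empty allowedSudoUsers list debated in the thread (fail closed vs. "empty means everyone") are modelled as an explicit mode so the difference is visible; that mode, the struct names, and the assumption that tagClauses is a disjunction of conjunctions are this example's own, not the project's API. The sample document is constructed from the PR's rendered JSON, trimmed to the fields read here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the rendered ingress policy shown in the PR description,
// trimmed to the fields this example reads.
const renderedPolicies = `{
  "ingressPolicies": {
    "userAccessRules": [
      {
        "ID": "5d0045296eb576bfc0b70426",
        "action": {"action=user-access-info": {"allowedSudoUsers": ["root"]}},
        "name": "chris-test",
        "policyNamespace": "/",
        "tagClauses": [["$identity=enforcer"]]
      }
    ]
  }
}`

// UserAccessInfo is the payload under the "action=user-access-info" key.
type UserAccessInfo struct {
	AllowedSudoUsers []string `json:"allowedSudoUsers"`
}

// UserAccessRule mirrors one rendered userAccessRules entry (example struct, not gaia's).
type UserAccessRule struct {
	ID         string                    `json:"ID"`
	Name       string                    `json:"name"`
	Action     map[string]UserAccessInfo `json:"action"`
	TagClauses [][]string                `json:"tagClauses"`
}

// ParseRules extracts the userAccessRules from a rendered policy document.
func ParseRules(doc string) ([]UserAccessRule, error) {
	var r struct {
		IngressPolicies struct {
			UserAccessRules []UserAccessRule `json:"userAccessRules"`
		} `json:"ingressPolicies"`
	}
	if err := json.Unmarshal([]byte(doc), &r); err != nil {
		return nil, err
	}
	return r.IngressPolicies.UserAccessRules, nil
}

// EmptyListMeaning selects how an empty allowedSudoUsers list is read (the
// thread leaves this open); it is a construct of this example.
type EmptyListMeaning int

const (
	EmptyDeniesAll EmptyListMeaning = iota // fail closed: no sudo target allowed
	EmptyAllowsAll                         // the "empty means everyone" reading
)

// RuleApplies reports whether a rule selects this host. Assumption: tagClauses
// is OR-of-ANDs, i.e. any clause whose tags are all present on the host matches.
func RuleApplies(rule UserAccessRule, hostTags []string) bool {
	has := map[string]bool{}
	for _, t := range hostTags {
		has[t] = true
	}
	for _, clause := range rule.TagClauses {
		all := len(clause) > 0 // an empty clause must not match everything
		for _, t := range clause {
			if !has[t] {
				all = false
				break
			}
		}
		if all {
			return true
		}
	}
	return false
}

// SudoAllowed decides whether "sudo <target>" is permitted on a host carrying
// hostTags, returning the ID of the granting rule or "" when denied.
func SudoAllowed(rules []UserAccessRule, hostTags []string, target string, mode EmptyListMeaning) (bool, string) {
	for _, r := range rules {
		if !RuleApplies(r, hostTags) {
			continue
		}
		info, ok := r.Action["action=user-access-info"]
		if !ok {
			continue
		}
		if len(info.AllowedSudoUsers) == 0 {
			if mode == EmptyAllowsAll {
				return true, r.ID
			}
			continue // fail closed: an empty list grants nothing
		}
		for _, u := range info.AllowedSudoUsers {
			if u == target {
				return true, r.ID
			}
		}
	}
	return false, ""
}

func main() {
	rules, err := ParseRules(renderedPolicies)
	if err != nil {
		panic(err)
	}
	host := []string{"$identity=enforcer", "$enforcerid=X"} // constructed host tags
	for _, target := range []string{"root", "mysql"} {
		ok, id := SudoAllowed(rules, host, target, EmptyDeniesAll)
		fmt.Printf("sudo %-5s allowed=%v rule=%q\n", target, ok, id)
	}
	// Constructed rule with an empty list: the two readings disagree.
	empty := []UserAccessRule{{ID: "constructed", TagClauses: [][]string{{"$identity=enforcer"}},
		Action: map[string]UserAccessInfo{"action=user-access-info": {}}}}
	for _, mode := range []EmptyListMeaning{EmptyDeniesAll, EmptyAllowsAll} {
		ok, _ := SudoAllowed(empty, host, "mysql", mode)
		fmt.Printf("empty list, mode=%d: sudo mysql allowed=%v\n", mode, ok)
	}
}
```

Run as written, the page's rule grants `sudo root` and denies `sudo mysql` on a host tagged `$identity=enforcer`, and grants nothing on a host without that tag; for the constructed empty-list rule, `EmptyDeniesAll` denies and `EmptyAllowsAll` grants, which is exactly the ambiguity the thread is weighing. Whichever semantics the project settles on, the evaluator should encode it explicitly rather than rely on a default value, since a default of `["root"]` cannot be distinguished from an operator who deliberately chose root.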
