-
Notifications
You must be signed in to change notification settings - Fork 39.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: enhance pluggable policy #12209
Proposal: enhance pluggable policy #12209
Conversation
GCE e2e build/test passed for commit bb27420cb573818474f1898c77c800808cd9b3a3. |
|
||
// GetAllowedSubjects takes a Context (for namespace and traceability) and Attributes to determine which users and | ||
// groups are allowed to perform the described action in the namespace. This API enables the ResourceBasedReview requests below | ||
GetAllowedSubjects(ctx api.Context, a Attributes) (users util.StringSet, groups util.StringSet, evaluationError error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe split this into a second interface which is optionally provided.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe split this into a second interface which is optionally provided.
GetAllowedSubjects
is a pretty fundamental operation. Without the ability to know who can perform an operation, proper auditing of authorization policy is an impossibility. Why would we ever want to allow someone to create an authorizer that couldn't be audited?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because you don't need audit? Unless every call site needs both methods
(and they don't) I would organize these so that there are two fundamental
interfaces, and if at the highest level you require both, require both.
On Thu, Aug 6, 2015 at 9:30 AM, David Eads notifications@github.com wrote:
In docs/design/enhance-pluggable-policy.md
#12209 (comment)
:+// OLD
+type Authorizer interface {
- Authorize(a Attributes) error
+}
+`
+`
+// NEW
+type Authorizer interface {
- // Authorize takes a Context (for namespace, user, and traceability) and Attributes to make a policy determination.
- // reason is an optional return value that can describe why a policy decision was made.
- Authorize(ctx api.Context, a Attributes) (allowed bool, reason string, evaluationError error)
- // GetAllowedSubjects takes a Context (for namespace and traceability) and Attributes to determine which users and
- // groups are allowed to perform the described action in the namespace. This API enables the ResourceBasedReview requests below
- GetAllowedSubjects(ctx api.Context, a Attributes) (users util.StringSet, groups util.StringSet, evaluationError error)
Maybe split this into a second interface which is optionally provided.
GetAllowedSubjects is a pretty fundamental operation. Without the ability
to know who can perform an operation, proper auditing of authorization
policy is an impossibility. Why would we ever want to allow someone to
create an authorizer that couldn't be audited?—
Reply to this email directly or view it on GitHub
https://github.com/GoogleCloudPlatform/kubernetes/pull/12209/files#r36413537
.
Clayton Coleman | Lead Engineer, OpenShift
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because you don't need audit? Unless every call site needs both methods
(and they don't) I would organize these so that there are two fundamental
interfaces, and if at the highest level you require both, require both.
So would we make ResourceAccessReview
optional? It's essential for doing things like "which namespaces/projects can I see".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think ResourceAccessReview is required for all deployments or
authorizers. It is definitely useful, but not all consumers may choose to
invert the model (or even support inverting the model).
On Fri, Aug 7, 2015 at 11:38 AM, David Eads notifications@github.com
wrote:
In docs/design/enhance-pluggable-policy.md
#12209 (comment)
:+// OLD
+type Authorizer interface {
- Authorize(a Attributes) error
+}
+`
+`
+// NEW
+type Authorizer interface {
- // Authorize takes a Context (for namespace, user, and traceability) and Attributes to make a policy determination.
- // reason is an optional return value that can describe why a policy decision was made.
- Authorize(ctx api.Context, a Attributes) (allowed bool, reason string, evaluationError error)
- // GetAllowedSubjects takes a Context (for namespace and traceability) and Attributes to determine which users and
- // groups are allowed to perform the described action in the namespace. This API enables the ResourceBasedReview requests below
- GetAllowedSubjects(ctx api.Context, a Attributes) (users util.StringSet, groups util.StringSet, evaluationError error)
Because you don't need audit? Unless every call site needs both methods
(and they don't) I would organize these so that there are two fundamental
interfaces, and if at the highest level you require both, require both.So would we make ResourceAccessReview optional? It's essential for doing
things like "which namespaces/projects can I see".—
Reply to this email directly or view it on GitHub
https://github.com/GoogleCloudPlatform/kubernetes/pull/12209/files#r36531053
.
Clayton Coleman | Lead Engineer, OpenShift
Nit: I think it's good to use backticks around code constructs |
1. Provide a way for disconnected pieces of the system to ask whether a user is permitted to take an action without running in process with the API Authorizer. For instance, a proxy for exec calls could ask whether a user can run the exec they are requesting. | ||
1. Provide a mechanism to discover who can perform a given action on a given resource. This is useful for answering questions like, "who can create replication controllers in my namespace". | ||
|
||
This proposal adds to and extends existing API to so that authorizers may provide the functionality described above. It does not attempt to describe how the policies themselves can be expressed, that is up the authorization plugins themselves. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extends the existing API
bb27420
to
2ac69ab
Compare
First round comments done. Items not addressed:
We considered |
GCE e2e build/test passed for commit 2ac69abb207fe6317fa61844e111f515bab832d4. |
On Thu, Aug 6, 2015 at 9:39 AM, David Eads notifications@github.com wrote:
It's worth discussing whether the world has changed since then - it's |
Labelling this PR as size/L |
I'm on vacation this week (:house: :mouse:) and will take a look next week. |
2ac69ab
to
793ea6d
Compare
I haven't seen disagreement. |
Hrm... spec/status definitely fits with our other models. |
yes... though when you "create" a review, you aren't actually persisting anything, so it feels little silly to echo back your request |
I've updated the available attributes to remove |
Just thinking out loud here:
|
GCE e2e test build/test passed for commit b5a4f1fb49f8be8f69436c71964b7acb30dab08c. |
GCE e2e test build/test passed for commit 932e3e2c55aeec2b49274b3d570707b206d30e24. |
GCE e2e test build/test passed for commit c51393b8f2cb8c713b0e15d0b33ecdf8d1b9bfd4. |
I think that we'll end up happier with API resources. Using resources makes concepts like namespace level protection for the LocalSAR very easy to reason about and inspect in all the authorizers I've seen so far (abac file, keystone, o. When writing rules for an authorizer, the structure provided by the API resources and divisions provided by namespaces are very easy for users to understand. Attempting to write similar non-resource URLs rules would be more difficult. |
Query parameters are usually something you use to change a query. Having a On Nov 25, 2015, at 9:57 AM, David Eads notifications@github.com wrote: Just thinking out loud here: We have DeleteOptions which is defined as an API type, and lives in an API I think that we'll end up happier with API resources. Using resources makes — |
I talked to @bgrant0607. He doesn't have a problem in principle with the Can you proceed with your implementation of |
Yes. As soon as API Groups seem stable enough to build on top of (see #16173 and #17216 for ongoing work), I'll add it. |
LGTM |
FAIL: changes needed but not made due to --verify Can you please fix it? |
932e3e2
to
17d3db1
Compare
PR changed after LGTM, removing LGTM. |
Automatic merge from submit-queue |
Auto commit by PR queue bot
GCE e2e build/test failed for commit 17d3db1. |
This describes modifications to the current authorization APIs to make policy more powerful and easier to extend. This document aligns with OpenShift authorization.
@erictune ptal
@liggitt @smarterclayton @derekwaynecarr fyi