Mapped fleet roles on silo

[david-crespo]

• Bump API
• Fix type in API client
• Implement form
• Display configured role mapping on silo detail
• Test goodly

[david-crespo]

This is not correct. Need to fix the generator and/or the OpenAPI spec.

https://github.com/oxidecomputer/omicron/blob/51d2c58510b3c07def1f22dede5a76060c35a053/openapi/nexus.json#L11822-L11832

[david-crespo]

@benjaminleonard @paryhin This is going to need kind of an interesting control in the form. The API post looks like this:

mapped_fleet_roles: {
  viewer: [],
  collaborator: [],
  admin: ['admin'],
}

The key is the fleet role, and the list is the silo roles that give you that fleet role. So in this example, we're saying if you have admin on this silo, then you also have fleet admin. The most general representation of this data structure would be a 3x3 grid of checkboxes, or equivalently a list of 3 selects that support multiple selection.

	silo viewer	silo collaborator	silo admin
fleet viewer
fleet collaborator
fleet admin			⬅️

However, that is almost certainly the wrong way to do it because the vast majority of the 2^9 = 512 representable states make no sense. For example, none of the following should ever be necessary because silo admin -> fleet admin also implicitly gives silo admins fleet viewer and fleet collaborator:

mapped_fleet_roles: {
  viewer: ['admin'],
  collaborator: ['admin'],
  admin: ['admin'],
}

mapped_fleet_roles: {
  viewer: ['admin'],
  collaborator: [],
  admin: ['admin'],
}

mapped_fleet_roles: {
  viewer: [],
  collaborator: ['admin'],
  admin: ['admin'],
}

A better approach would be to pick a much smaller number of options (maybe as small as 3 or 6 or 9) that make sense and provide a UI for picking among those. We would treat the fact that the underlying representation actually has 512 possible states as an implementation detail. The most obvious option is admin -> admin.

Thinking about the above example of states that don't make sense, you can extrapolate a rule that says it only makes sense to check at most one cell in a given column, because if you ever have multiple checks in a column, it's equivalent to only checking the bottom one.

	silo viewer	silo collaborator	silo admin
fleet viewer			✖️
fleet collaborator			✖️
fleet admin			⬅️

This rule cuts the number of states substantially — each column has 4 states (off + 3 roles) and there are 3 of them, so we have 4^3 = 64. But even then we can still think of a bunch more states that make no sense, like this:

	silo viewer	silo collaborator	silo admin
fleet viewer
fleet collaborator			⬅️
fleet admin	⬅️

In this case the rule would be something like a weaker silo role should never give a stronger fleet role. Visually that would be something like you would never see an arrow down and to the left of another arrow. That eliminates some further number of states, I'm guessing half but I'm too lazy to do the math.

This one also probably doesn't make sense (because all silo viewers and collaborators are also viewers)

	silo viewer	silo collaborator	silo admin
fleet viewer
fleet collaborator	⬅️		⬅️
fleet admin

This implies a rule of thumb only one checkbox per row in addition to the above one checkbox per column. Now we're getting somewhere. Though this one is only true if implicit silo roles confer fleet roles, which looks like it might be false, based on the code.

Note that because you can also create a silo through the API and CLI, on the silo view side we'd still have to make all 512 possible states displayable, maybe with a grid like above.

@davepacheco when writing the feature, did you have in mind a few configurations that would be most likely to be used?

[davepacheco]

@askfongjojo might want to weigh in, but the configurations I'd expect are, in decreasing order of importance:

1. Silo Admin -> Fleet Admin. Use case: this is the Silo that I intend to do all my Fleet administration from. This is the simplest way to be able to do anything with the Fleet without having to dig the recovery silo password out of a safe somewhere. I'd suggest we make this the default during initial setup (i.e., when creating the first IdP-backed Silo).
2. Silo Admin -> Fleet Admin + Silo Viewer -> Fleet Viewer. Use case: same as above, and I also trust the end users with a read-only view of Fleet information. I think this is probably useful (maybe a competitive advantage?) when the users are more trusted than they are in a typical public cloud.
3. Silo Admin -> Fleet Viewer. Use case: imagine starting with (1) and then like (2) saying "I trust the end users with a read-only view", and you've delegated a whole Silo to them. (The administrators are in a separate Silo with Silo Admin -> Fleet Admin.)

Only the first of these seems really important right now. I expect much of this could change with user feedback.

As you said, many combinations don't make a lot of sense (e.g., Silo Admin -> [ Fleet Viewer, Fleet Admin ]). But the authz system mostly avoids assuming the roles are hierarchical (and not all the internal roles are hierarchical).

[david-crespo]

Ok, great. So I'm thinking we can start with either:

• one checkbox: Silo Admin -> Fleet Admin
• two checkboxes: one for Silo Admin -> Fleet Admin and one for Silo Viewer -> Fleet Viewer

[david-crespo]

design HEEEEEELP

[paryhin]

I think two checkboxes are fine for now, but let's decrease the spacing between them. Also, let's make the text more user-friendly, perhaps something like: Grant fleet admin permissions to a silo admin. / Grant fleet viewer permissions to a silo viewer.

[askfongjojo]

The two options mocked up seem adequate for now. We can always add more based on field feedback.

The applications of the fleet roles I can think of, supporting what @davepacheco already mentioned, are:

1. Small IT team setting: A single IT team that owns all infrastructure. Everyone does everything and needs all admin permissions at silo and fleet level.
2. Medium-sized IT setting: There are two distinct type of superusers - administrators and support/helpdesk. The former needs fleet/silo admin capabilities whereas the latter may be limited to fleet/silo viewer access.
3. Medium-to-large IT orgs: There are separate IT teams for different areas - e.g. server, network, security, support. They will likely be separate silos. This is where the role mapping may be a bit more complex. "Support" silo admin can likely get fleet viewer capabilities but most other users in this silo who aren't working on infrastructure (e.g. people dealing with laptop/device support) shouldn't be granted any fleet roles.

Down the road, the bigger needs might actually be splitting the /system permissions into more granular roles. For example, helpdesk support may be allowed to create new silos but they probably shouldn't be given the ability to modify rack networking configurations.

[david-crespo]

That's better. It still feels a little lonely down there. Maybe we could use more text or some kind of heading that groups these checkboxes together with the admin group name field under the category of "authz stuff". But it's tolerable as-is IMO.

Displaying in silo detail

There is no silo detail! Right now the silo link goes to IDPs list. Soon there will be an update endpoint for silos (oxidecomputer/omicron#3400), which means there will be a need for an edit form. So I'm thinking the silo link should go to a detail page or an edit form instead, and there we can show the state of the two checkboxes (or, like I said above, we probably have to show the entire roles-to-roles map).

[david-crespo]

Hey @benjaminleonard @paryhin, check out this horrible thing I did!

Like I said at the end here, because you can still set this mapping arbitrarily through the API and CLI, we might have to display the full mapping rather than this condensed version.

[david-crespo]

Obviously this is too large but this would be a more precise way to show it. Ew.

After thinking more about it, I think the best thing would be to default to showing the two checkboxes-ish display that matches the form, and then we can detect whether we also need a "show more" button that shows this table. Or maybe we always have the button that lets you see the full mapping.

[david-crespo]

I thought about it for 3 hours and came up with a much less offensive idea: list the pairs. This is nice because it scales trivially to include "non-standard" combinations set through the API without making the standard case uglier.

[david-crespo]

unrelated, just noticed this was missing

[david-crespo]

Unfortunately, the PropertiesTable component we use to make the thing that looks like the design isn't really up to the task yet. I made an issue for that: #1647. So I'm thinking we can split the difference: do something trivially easy here and then fix PropertiesTable separately.

Design

What I have