New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancing Quarkus Security for ROOT Group Access #37414
Comments
/cc @sberyozkin (security) |
Thanks @gbourant, I guess we need to make sure that when |
My problem with this suggestion is that:
I think @gbourant have a point that there should be a way to do that, but I'm worried to do that based on
Again, I suggest that @gbourant have a good idea, but IMHO the easiest and clearest way to do that is
Please replace property name with the one you like. Hey @gbourant, would you like to implement this? I can do that, but I can see you are interested and contributions are welcome! This should be simple enough to implement. Let's wait for @sberyozkin on concrete implementation ideas and let me know if you plan to do this. |
btw. you implementation idea won't work, I won't go into details unless you require to as my suggest is not related to that. |
However policy share role won't have effect on other annotation. To create some I agree there should be some property that will give access to that role everywhere, WDYT @sberyozkin @gbourant ? |
If there is an agreement on such root role, I'll put this issue on my list. |
|
no, it can't be done on policy level. such a "passthrough for selected role" over all security checks needs to be done differently, but can be (also) configured with config properties. I like this idea, I'll have a look. |
@michalvavrik Thanks, I guess we just should not focus on the role only, because then when someone asks for a default permission or default role mappings, we'll have a problem. which is I why I thought, given an HTTP Policy instance already has all those properties, it might make sense to just apply it to everywhere where it matches. It is not really a passthrouh, but more like augmenting the existing policy with one or more matching shared policy data. |
I thought to make this "passthrough" CDI bean that is more like predicate applied on
problem is that it has no relation to RBAC security checks and we do not have a control ever any of:
we just control default ones and applying HTTP Policy won't make RBAC security checks passing. Extensions / users may define their own security checks and policies for methods, we don't have a way to augment them
scary word, I don't want to relax security, augmenting sounds better, there is just one catch - augmenting can work only for builtin policies / checks
It will work for builtin policies, and I think we should do that if we don't allow what I suggest. So I can see 2 ways:
I'm perfectly fine with 1., but please bear in mind it won't work on anything not provided by Quarkus @sberyozkin |
Michal, sorry, I find it difficult to follow the above, can you please answer the question why simply designating a given policy as shared can not work, for example:
Why we can't have the above implemented such that |
Your example can work and:
You example does not mention it would not work for:
because HTTP policy |
Sure it is easier but this is a variation of what this issue aims to avoid ( where they can already do it right now anyway by repeating
My thinking has been not to try to merge this shared policy with all other polices whose paths can be matched, though I initially thought this is how it would work. My proposal would be to make it simple:
That should do I guess.
IMHO we should not consider this case in isolation: if HTTP policy has no effect on standard security annotations in Quarkus Security right now, so be it, then we will have one solution like a shared HTTP policy when users prefer working with HTTP policies only and another one for the case where users prefer to have annotations only. I can imagine we can have some new property which will work for roles, but as I said HTTP policy that can also have permissions, and role mappings and will probably have more things added, which is why I'm quite keen to have an HTTP policy configuration reusable/shareable Can you give an example of how your solution would look like ? Thanks |
I understand you now. Yes, what you propose would work if you applied shared policy first and if it succeeded, you would skip not shared one. Or if you augmented identity in shared policy in a way it would make pass not-shared policy. I will make your example work by merging policies based on path pattern during creation of path HTTP Security policy bean. Thanks for suggestion.
Based on when you are heading with HTTP Security policies, it needs to be independent solution. My suggestion would be to just augment identity in HTTP Security policy to have required roles. We are talking about few words. Let's not add complexity to Quarkus. If user augment identity in HTTP Security policy, let say for root to have roles |
I forgot to mention is that what we should want (and do) is to merge shared policy with others once, during bean creation. So that 2 path matching do not need to be applied for every single HTTP request. |
@michalvavrik That sounds good, but it can be tricky trying to figure out how to merge, like you said, one non-shared policy can have |
I've played with this little bit and merging permissions is very difficult, because you can also have less specific permission that is enhanced by more specific permission ( |
There is one else thing though - this #37414 (comment) proposal by @sberyozkin doesn't take into consideration that many permission checks can be applied on one path (not just roles-allowed that can be matched) and also sometimes shared policy will be custom named policy that can't be merged somehow. I belief we need to follow what already exists in path-matching HTTP security policies - merging. You can merge many permission checks for same path and all are applied => the relationship between permission checks is logical AND, not OR as suggested in the example. It can do same job though as there is role mapping where you can give root all roles on all authenticated paths. |
On the other hand, the fact that we would stick to logical AND between permissions allows you to require |
Description
Assume you are using JWT for security which has a group called ROOT. The user with the group
ROOT
should be able to access all JAX-RS (all beans in general) despite what is defined in@RolesAllowed
,@PermissionsAllowed
or security config properties.For example, the following configuration behavior does not allow that. The
root-policy
would work for all paths except the ones defined inquarkus.http.auth.permission.*.paths
properties. In the following case the ROOT won't be able to access/api/hello
due to the longest path wins principle(/api/hello > /*)
.The current behaviour does offer a solution which would mean that i will have to add the ROOT role to all
quarkus.http.auth.policy.*.roles-allowed
properties.Implementation ideas
A potential solution could involve incorporating a mechanism where, if a SecurityInterceptor is defined, it operates subsequent to the Quarkus Engine's determination of whether a call should be permitted or denied. In this proposed solution, the SecurityInterceptor would yield the conclusive result for the call after the Quarkus Engine has made its decision.
The text was updated successfully, but these errors were encountered: