Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: Wire up RBAC role to OCSF user::groups #17359

Merged
merged 3 commits into from
Mar 28, 2024
Merged

security: Wire up RBAC role to OCSF user::groups #17359

merged 3 commits into from
Mar 28, 2024

Conversation

BenPope
Copy link
Member

@BenPope BenPope commented Mar 25, 2024
edited

Fixes https://github.com/redpanda-data/core-internal/issues/1102

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v23.3.x
  • v23.2.x

Release Notes

  • none

@BenPope BenPope self-assigned this Mar 25, 2024
@BenPope BenPope added area/security area/auditing Issues associated with auditing in Redpanda labels Mar 25, 2024
@BenPope
security/audit: Add OCSF user::groups
a2a1d3b 
Signed-off-by: Ben Pope <ben@redpanda.com>
oleiman
oleiman reviewed Mar 25, 2024
View reviewed changes
Copy link
Member

@oleiman oleiman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great to me. small omission in the DT test

tests/rptest/tests/audit_log_test.py Outdated Show resolved Hide resolved
@vbotbuildovich
Copy link
Collaborator

vbotbuildovich commented Mar 25, 2024
edited

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46689#018e73a8-6122-4fb3-8e52-858ae795523d

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-906c-401c-8f29-ba33a8a4775b

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-9065-4227-81a7-de44af3c9206

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e76bc-0008-4194-8465-60c8944ef115

michael-redpanda
michael-redpanda reviewed Mar 25, 2024
View reviewed changes
Copy link
Contributor

@michael-redpanda michael-redpanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just address @oleiman

@BenPope
security/audit: Add test for describe topics
fe93627 
Check the audit events for the `describe` permission during
the `metadata` request of list topics.

Signed-off-by: Ben Pope <ben@redpanda.com>
@BenPope
security/audit: Wire up rbac::role to user::groups
1812f66 
Signed-off-by: Ben Pope <ben@redpanda.com>
@BenPope
Copy link
Member Author

BenPope commented Mar 25, 2024

Changes in force-push

  • Rework the test around a metadata filter since there's no role during authenticate

oleiman
oleiman approved these changes Mar 25, 2024
View reviewed changes
Copy link
Member

@oleiman oleiman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vbotbuildovich
Copy link
Collaborator

new failures in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-906e-4770-8ff0-14c090f831c3:

"rptest.tests.e2e_shadow_indexing_test.EndToEndShadowIndexingTest.test_reset_from_cloud.cloud_storage_type=CloudStorageType.ABS"

dotnwat
dotnwat reviewed Mar 25, 2024
View reviewed changes
src/v/security/audit/schemas/types.h
// A collection or association of entities, such as users, policies, or devices.
// https://schema.ocsf.io/1.0.0/objects/group?extensions=
struct group {
enum class type_id : int { unknown = 0, role = 1 };
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: if int is there for serde, it's unnecessary since serde will override and always use a fixed-size integer type. otherwise, int is already the default i think.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, I was just following the pattern from:

// Characteristics of a user/person or security principal
// https://schema.ocsf.io/1.0.0/objects/user?extensions=
struct user {
    enum class type : int {

@BenPope
Copy link
Member Author

BenPope commented Mar 25, 2024
edited

New failure is unrelated.

@BenPope
Copy link
Member Author

BenPope commented Mar 26, 2024

lgtm, just address @oleiman

@michael-redpanda can you confirm or deny that the role -> group mapping is not expected for authentication, but is expected for authorized operations?

@michael-redpanda
Copy link
Contributor

lgtm, just address @oleiman

@michael-redpanda can you confirm or deny that the role -> group mapping is not expected for authentication, but is expected for authorized operations?

Yes, roles are just authZ related and should only effect the authZ audit message

@piyushredpanda piyushredpanda merged commit 53822dd into redpanda-data:dev Mar 28, 2024
15 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dotnwat dotnwat dotnwat left review comments

@oleiman oleiman oleiman approved these changes

@michael-redpanda michael-redpanda michael-redpanda approved these changes

Assignees

@BenPope BenPope

Labels
area/auditing Issues associated with auditing in Redpanda area/redpanda area/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@BenPope @vbotbuildovich @michael-redpanda @dotnwat @oleiman @piyushredpanda