RBAC/rpk: Introduce --{allow,deny}-role flags for ACL create/describe/delete
#17416
Conversation
|
/dt |
oleiman
force-pushed
the
rbac/rpk/allow-role
branch
from
4ca31f0
to
4c3ad61
Compare
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| ROLES | ||
|
|
||
| Alternatively, an ACL may be bound to a role. To create a role-bound ACL, | ||
| follow the same procedure used to create a user ACL, but use the --allow-role |
There was a problem hiding this comment.
[question] IIUC, --allow-principal RedpandaRole:role" is no longer the preferred way? But it's still an option but not documented?
There was a problem hiding this comment.
Yeah, that's the intent. Under the hood, these get parsed out in the same way, so I don't know whether there's any great advantage to restricting --allow-principal at the interface. Besides which it might be tricky.
If you have a strong opinion about this, I'm certainly open to suggestions.
There was a problem hiding this comment.
Sounds good to me. As long as we document this as an alternative (it might be confusing) I'm fine 👍
There was a problem hiding this comment.
as long as we document this as an alternative
Ah, so you're saying you prefer the old usage to be documented? I was thinking omission might be less confusing, but I could go either way.
There was a problem hiding this comment.
Oh I'm so sorry! I meant as long as we _dont_ document this as an alternative
There was a problem hiding this comment.
No worries! that's what I thought but didn't want to presume 🙂
|
@r-vasquez - should I get eyes on this from the docs team? not sure exactly what the process is there. |
|
@oleiman Yes, I just added |
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| ROLES | ||
|
|
||
| Alternatively, an ACL may be bound to a role. To create a role-bound ACL, | ||
| follow the same procedure used to create a user ACL, but use the --allow-role |
There was a problem hiding this comment.
does this applies only to rpk acl user create ?
Why do we explicitly have the following? Can't we just explain the process here? (even if it contains duplication)
follow the same procedure used to create a user ACL
There was a problem hiding this comment.
Can we have one example showing how to create the role?
There was a problem hiding this comment.
does this applies only to rpk acl user create ?
No this isrpk acl create
There was a problem hiding this comment.
even if it contains duplication
fine by me! my only concern would be keeping the two in sync, but it's unlikely to change. anything is better than trying to thread the role concept back through existing text IMHO.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| You should be aware of a few key differences when creating a role ACL: | ||
|
|
||
| * Wildcard matching role names is not allowed. So --allow-role '*' is illegal. | ||
| * The type prefix is not necessary. The flag fully specifies that the |
There was a problem hiding this comment.
what happens if the user passes a type? is it ignored?
There was a problem hiding this comment.
effectively, yes, unless it matches a specific prefix:
If the user passes, e.g., "User:my_role" we bind the resulting ACL to "RedpandaRole:User:my_role". This is analogous to the behavior of --allow-principal and friends.
However, if the user passes "RedpandaRole:my_role" we bind the ACL to "RedpandaRole:my_role". This is also analogous to --allow-principal but the prefix itself is deliberately left undocumented, since a role is always a role.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| follow the same procedure used to create a user ACL, but use the --allow-role | ||
| and --deny-role flags to specify the role(s) to which the ACL should apply. | ||
|
|
||
| You should be aware of a few key differences when creating a role ACL: |
There was a problem hiding this comment.
| You should be aware of a few key differences when creating a role ACL: | |
| The procedures and semantics for creating and managing ACLs | |
| apply equally to role ACLs and user ACLs, except on the following: |
There was a problem hiding this comment.
if you use this suggestion, delete L98-100
There was a problem hiding this comment.
reworked to make the section stand alone a bit better. lmk what you think
|
Hi @oleiman. Left some questions and suggestions there. Feel free to reach us on slack if you have any questions |
src/go/rpk/pkg/cli/acl/common.go
Outdated
| @@ -87,6 +89,12 @@ func unptr(str *string) string { | |||
| return *str | |||
| } | |||
|
|
|||
| func PrefixRole(roles []string) { | |||
| for i, u := range roles { | |||
| roles[i] = rolePrefix + u | |||
There was a problem hiding this comment.
question: Do you care to, or have you already, check that the rolePrefix has already been applied before applying?
There was a problem hiding this comment.
Yeah, I waffled on this a bit. Since it's undocumented by design, it feels sort of arbitrary, but I think I'll just add the check. No reason to leave a footgun there.
oleiman
force-pushed
the
rbac/rpk/allow-role
branch
from
4c3ad61
to
9a00a6a
Compare
|
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| and the name. Within Redpanda, only one type is supported, "User". The reason | ||
| for the prefix is that a potential future authorizer may add support for | ||
| authorizing by Group or anything else. | ||
| All ACLs require a principal (or a role; see ROLES, below). A principal is |
There was a problem hiding this comment.
| All ACLs require a principal (or a role; see ROLES, below). A principal is | |
| All ACLs require a principal or a role. A principal is |
iMO no need to refer to the other section as is the next one.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| for the prefix is that a potential future authorizer may add support for | ||
| authorizing by Group or anything else. | ||
| All ACLs require a principal or a role. A principal comprises a user and type. | ||
| Within Redpanda, only the "User" type is supported. The "User" prefix ensures |
There was a problem hiding this comment.
Why is "User" init cap here? It isn't above. Is the syntax for specifying a user case-sensitive? If not, no need for initcap here/throughout.
There was a problem hiding this comment.
@oleiman In the UI/CLI, are types always initcap?
There was a problem hiding this comment.
In the command rpk acl create --allow-principal "User:foo" ... the "User" prefix is indeed case sensitive (initcap). When we talk about users in the abstract, it's not usually capitalized as far as I can tell.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| and the name. Within Redpanda, only one type is supported, "User". The reason | ||
| for the prefix is that a potential future authorizer may add support for | ||
| authorizing by Group or anything else. | ||
| All ACLs require a principal or a role. A principal comprises a user and type. |
There was a problem hiding this comment.
| All ACLs require a principal or a role. A principal comprises a user and type. | |
| All ACLs require a principal or a role. A principal is comprised of a user and type. |
There was a problem hiding this comment.
This suggestion seems clearer than the original.
There was a problem hiding this comment.
Missed this. Fair point, just slightly non-standard usage for whatever that's worth. Would "composed of" have roughly the same effect?
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| All ACLs require a principal or a role. A principal comprises a user and type. | ||
| Within Redpanda, only the "User" type is supported. The "User" prefix ensures | ||
| that potential future authorizers can add support for authorization by Group | ||
| or some other type. |
There was a problem hiding this comment.
This is unclear to me. How does the user type ensure that future authorizers can add support for groups or other types? Are you suggesting:
Within Redpanda, only the "User" type is supported. Having prefixes for new types ensures that potential future authorizers can add authorization using other types, such as "Group".
There was a problem hiding this comment.
This is sort of a carryover from the Kafka API. The general idea is to namespace user principals so that other types of principals can be added in the future. Incidentally, that's exactly how roles work under the hood! (a role named "my_role" becomes "RedpandaRole:my_role")
Maybe worth noting that this phrasing is not new to this diff and appears in publicly available rpk help text currently. Which is just to say that it probably shouldn't be a release blocker, though I agree that the language is confusing 😕
There was a problem hiding this comment.
Missed the second half of your comment, yes, that's the thrust of it.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| For example '--allow-role "foo"' specifies a role "foo", whereas | ||
| '--allow-role "User:foo"' specifies a role "User:foo". In either case, the | ||
| result is assigned to an internal namespace for roles and will not collide | ||
| with similarly named user principals. |
There was a problem hiding this comment.
| with similarly named user principals. | |
| with similarly-named user principals. |
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| present, it is considered part of the role name and processed accordingly. | ||
|
|
||
| For example '--allow-role "foo"' specifies a role "foo", whereas | ||
| '--allow-role "User:foo"' specifies a role "User:foo". In either case, the |
There was a problem hiding this comment.
| '--allow-role "User:foo"' specifies a role "User:foo". In either case, the | |
| '--allow-role "User:foo"' specifies a role "foo", which is assigned to a specific user. In either case, the |
There was a problem hiding this comment.
which is assigned to a specific user
This is not correct. The point is that the prefix is ignored here, but maybe the example just confuses things further?
There was a problem hiding this comment.
ignored
More like "treated as text" rather than as type information
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| result is assigned to an internal namespace for roles and will not collide | ||
| with similarly named user principals. | ||
|
|
||
| When you create a role, you must add ACLs for it before it can be used. |
There was a problem hiding this comment.
| When you create a role, you must add ACLs for it before it can be used. | |
| When you create a role, you must associate ACLs to it before it can be used. |
There was a problem hiding this comment.
Not incorrect, though "bind or associate" seems like a distinction w/o a difference. I would gently lean towards "associate" in this context.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
| You can create / delete / list ACLs for that role with "<name>" in the | ||
| --allow-role and --deny-role flags. Note that the wildcard name '*' is not | ||
| permitted here. Attempting to create an ACL bound to role '*' results in an | ||
| error. |
There was a problem hiding this comment.
Please explain. So you cannot allow a user/name to have access to all flags or deny a user access to all flags? In other words, you cannot user ACLs to give a user access equivalent to superuser? This paragraph could use an example to help clarify the point being made.
There was a problem hiding this comment.
Only the wildcard role name is illegal. Wildcards are still permitted for resources and whatnot. Agree an example will help
oleiman
force-pushed
the
rbac/rpk/allow-role
branch
from
a202321
to
0ca0423
Compare
|
force push docs changes |
The goal here is to hide the "RedpandaRole:" prefix from the CLI frontend. Role names passed into rpk via these flags will be prepended with the appropriate type prefix and appended as a group to the appropriate principals slice before passing latter into the acls builder. Includes some documentation. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
oleiman
dismissed stale reviews from Feediver1, Deflaimun, and michael-redpanda
via
47dafef
oleiman
force-pushed
the
rbac/rpk/allow-role
branch
from
0ca0423
to
47dafef
Compare
|
force push small change in phrasing and hopefully fix lint error 🤞 |
|
/ci-repeat 1 |
1 similar comment
|
/ci-repeat 1 |
Closes https://github.com/redpanda-data/core-internal/issues/1149
Backports Required
Release Notes
Features
--allow-roleand--deny-roleflags forrpk aclcommands