-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC/rpk: Introduce --{allow,deny}-role
flags for ACL create/describe/delete
#17416
Conversation
/dt |
4ca31f0
to
4c3ad61
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
src/go/rpk/pkg/cli/acl/acl.go
Outdated
ROLES | ||
|
||
Alternatively, an ACL may be bound to a role. To create a role-bound ACL, | ||
follow the same procedure used to create a user ACL, but use the --allow-role |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[question] IIUC, --allow-principal RedpandaRole:role"
is no longer the preferred way? But it's still an option but not documented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's the intent. Under the hood, these get parsed out in the same way, so I don't know whether there's any great advantage to restricting --allow-principal
at the interface. Besides which it might be tricky.
If you have a strong opinion about this, I'm certainly open to suggestions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me. As long as we document this as an alternative (it might be confusing) I'm fine 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as long as we document this as an alternative
Ah, so you're saying you prefer the old usage to be documented? I was thinking omission might be less confusing, but I could go either way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I'm so sorry! I meant as long as we _dont_ document this as an alternative
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No worries! that's what I thought but didn't want to presume 🙂
@r-vasquez - should I get eyes on this from the docs team? not sure exactly what the process is there. |
@oleiman Yes, I just added |
src/go/rpk/pkg/cli/acl/acl.go
Outdated
ROLES | ||
|
||
Alternatively, an ACL may be bound to a role. To create a role-bound ACL, | ||
follow the same procedure used to create a user ACL, but use the --allow-role |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this applies only to rpk acl user create
?
Why do we explicitly have the following? Can't we just explain the process here? (even if it contains duplication)
follow the same procedure used to create a user ACL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have one example showing how to create the role?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this applies only to rpk acl user create ?
No this isrpk acl create
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
even if it contains duplication
fine by me! my only concern would be keeping the two in sync, but it's unlikely to change. anything is better than trying to thread the role concept back through existing text IMHO.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
You should be aware of a few key differences when creating a role ACL: | ||
|
||
* Wildcard matching role names is not allowed. So --allow-role '*' is illegal. | ||
* The type prefix is not necessary. The flag fully specifies that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what happens if the user passes a type? is it ignored?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
effectively, yes, unless it matches a specific prefix:
If the user passes, e.g., "User:my_role" we bind the resulting ACL to "RedpandaRole:User:my_role". This is analogous to the behavior of --allow-principal
and friends.
However, if the user passes "RedpandaRole:my_role" we bind the ACL to "RedpandaRole:my_role". This is also analogous to --allow-principal
but the prefix itself is deliberately left undocumented, since a role is always a role.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
follow the same procedure used to create a user ACL, but use the --allow-role | ||
and --deny-role flags to specify the role(s) to which the ACL should apply. | ||
|
||
You should be aware of a few key differences when creating a role ACL: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should be aware of a few key differences when creating a role ACL: | |
The procedures and semantics for creating and managing ACLs | |
apply equally to role ACLs and user ACLs, except on the following: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you use this suggestion, delete L98-100
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reworked to make the section stand alone a bit better. lmk what you think
Hi @oleiman. Left some questions and suggestions there. Feel free to reach us on slack if you have any questions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm just one question
src/go/rpk/pkg/cli/acl/common.go
Outdated
@@ -87,6 +89,12 @@ func unptr(str *string) string { | |||
return *str | |||
} | |||
|
|||
func PrefixRole(roles []string) { | |||
for i, u := range roles { | |||
roles[i] = rolePrefix + u |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: Do you care to, or have you already, check that the rolePrefix has already been applied before applying?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I waffled on this a bit. Since it's undocumented by design, it feels sort of arbitrary, but I think I'll just add the check. No reason to leave a footgun there.
4c3ad61
to
9a00a6a
Compare
|
src/go/rpk/pkg/cli/acl/acl.go
Outdated
and the name. Within Redpanda, only one type is supported, "User". The reason | ||
for the prefix is that a potential future authorizer may add support for | ||
authorizing by Group or anything else. | ||
All ACLs require a principal (or a role; see ROLES, below). A principal is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All ACLs require a principal (or a role; see ROLES, below). A principal is | |
All ACLs require a principal or a role. A principal is |
iMO no need to refer to the other section as is the next one.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
for the prefix is that a potential future authorizer may add support for | ||
authorizing by Group or anything else. | ||
All ACLs require a principal or a role. A principal comprises a user and type. | ||
Within Redpanda, only the "User" type is supported. The "User" prefix ensures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is "User" init cap here? It isn't above. Is the syntax for specifying a user case-sensitive? If not, no need for initcap here/throughout.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oleiman In the UI/CLI, are types always initcap?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the command rpk acl create --allow-principal "User:foo" ...
the "User" prefix is indeed case sensitive (initcap). When we talk about users in the abstract, it's not usually capitalized as far as I can tell.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
and the name. Within Redpanda, only one type is supported, "User". The reason | ||
for the prefix is that a potential future authorizer may add support for | ||
authorizing by Group or anything else. | ||
All ACLs require a principal or a role. A principal comprises a user and type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All ACLs require a principal or a role. A principal comprises a user and type. | |
All ACLs require a principal or a role. A principal is comprised of a user and type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This suggestion seems clearer than the original.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed this. Fair point, just slightly non-standard usage for whatever that's worth. Would "composed of" have roughly the same effect?
src/go/rpk/pkg/cli/acl/acl.go
Outdated
All ACLs require a principal or a role. A principal comprises a user and type. | ||
Within Redpanda, only the "User" type is supported. The "User" prefix ensures | ||
that potential future authorizers can add support for authorization by Group | ||
or some other type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unclear to me. How does the user type ensure that future authorizers can add support for groups or other types? Are you suggesting:
Within Redpanda, only the "User" type is supported. Having prefixes for new types ensures that potential future authorizers can add authorization using other types, such as "Group".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is sort of a carryover from the Kafka API. The general idea is to namespace user principals so that other types of principals can be added in the future. Incidentally, that's exactly how roles work under the hood! (a role named "my_role" becomes "RedpandaRole:my_role")
Maybe worth noting that this phrasing is not new to this diff and appears in publicly available rpk
help text currently. Which is just to say that it probably shouldn't be a release blocker, though I agree that the language is confusing 😕
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed the second half of your comment, yes, that's the thrust of it.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
For example '--allow-role "foo"' specifies a role "foo", whereas | ||
'--allow-role "User:foo"' specifies a role "User:foo". In either case, the | ||
result is assigned to an internal namespace for roles and will not collide | ||
with similarly named user principals. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
with similarly named user principals. | |
with similarly-named user principals. |
src/go/rpk/pkg/cli/acl/acl.go
Outdated
present, it is considered part of the role name and processed accordingly. | ||
|
||
For example '--allow-role "foo"' specifies a role "foo", whereas | ||
'--allow-role "User:foo"' specifies a role "User:foo". In either case, the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
'--allow-role "User:foo"' specifies a role "User:foo". In either case, the | |
'--allow-role "User:foo"' specifies a role "foo", which is assigned to a specific user. In either case, the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
which is assigned to a specific user
This is not correct. The point is that the prefix is ignored here, but maybe the example just confuses things further?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ignored
More like "treated as text" rather than as type information
src/go/rpk/pkg/cli/acl/acl.go
Outdated
result is assigned to an internal namespace for roles and will not collide | ||
with similarly named user principals. | ||
|
||
When you create a role, you must add ACLs for it before it can be used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When you create a role, you must add ACLs for it before it can be used. | |
When you create a role, you must associate ACLs to it before it can be used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
^^ @oleiman--is this correct ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not incorrect, though "bind or associate" seems like a distinction w/o a difference. I would gently lean towards "associate" in this context.
src/go/rpk/pkg/cli/acl/acl.go
Outdated
You can create / delete / list ACLs for that role with "<name>" in the | ||
--allow-role and --deny-role flags. Note that the wildcard name '*' is not | ||
permitted here. Attempting to create an ACL bound to role '*' results in an | ||
error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please explain. So you cannot allow a user/name to have access to all flags or deny a user access to all flags? In other words, you cannot user ACLs to give a user access equivalent to superuser? This paragraph could use an example to help clarify the point being made.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only the wildcard role name is illegal. Wildcards are still permitted for resources and whatnot. Agree an example will help
a202321
to
0ca0423
Compare
force push docs changes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM @oleiman check cuz you have one unresolved suggestion from Joyce.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only one open suggestion left, but not a PR blocker.
The goal here is to hide the "RedpandaRole:" prefix from the CLI frontend. Role names passed into rpk via these flags will be prepended with the appropriate type prefix and appended as a group to the appropriate principals slice before passing latter into the acls builder. Includes some documentation. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
47dafef
0ca0423
to
47dafef
Compare
force push small change in phrasing and hopefully fix lint error 🤞 |
/ci-repeat 1 |
1 similar comment
/ci-repeat 1 |
Closes https://github.com/redpanda-data/core-internal/issues/1149
Backports Required
Release Notes
Features
--allow-role
and--deny-role
flags forrpk acl
commands