feat(draft): Authz #3008
Draft
feat(draft): Authz #3008
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
markphelps
commented
Apr 21, 2024
markphelps
commented
Apr 21, 2024
| if action != "" { | ||
| event = audit.NewEvent(audit.FlagType, action, actor, audit.NewFlag(r)) | ||
| } | ||
| event = audit.NewEvent(request, actor, audit.NewFlag(r)) |
There was a problem hiding this comment.
we can likely clean this up a bit by having audit.NewEvent also know how to wrap the resp r with the appropriate type maybe? so we don't have to have this switch statement
markphelps
commented
Apr 21, 2024
markphelps
commented
May 20, 2024
markphelps
commented
May 20, 2024
| { | ||
| "version": "0.1.0", | ||
| "roles": [ | ||
| { |
There was a problem hiding this comment.
need to rethink this policy schema to support namespaces @GeorgeMac
feat: impl authz middleware feat: impl authz middleware chore: fix panic and bad redux selector chore: fmt ui chore: refactor chore: fix build, change to single role, default role chore: fix build, change to single role, default role chore: rm unneeded files feat: configurable roles/policies chore: config schema and tests chore: mv back events to audit package chore: reset ui folder chore: revert ui back to main chore: policy schema, visibility of errors chore: add policy schema test chore: rebase on main Signed-off-by: Mark Phelps <[email protected]>
* chore: fix tests, add role attribute path / role mapping to oidc server tests Signed-off-by: Mark Phelps <[email protected]> * chore: authz middleware tests Signed-off-by: Mark Phelps <[email protected]> * chore: fix audit tests Signed-off-by: Mark Phelps <[email protected]> * chore: proto regen Signed-off-by: Mark Phelps <[email protected]> * chore: try to fix marshal audit events behaviour Signed-off-by: Mark Phelps <[email protected]> * chore: fix failing test Signed-off-by: Mark Phelps <[email protected]> --------- Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
chore: refactor request models to include scope
…3108) * refactor(server/authz): rename scope to resource Signed-off-by: George MacRorie <[email protected]> * feat(config/authz): add policy and data source configuration Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): make policy and data external dependencies Signed-off-by: George MacRorie <[email protected]> * refactor(cmd/grpc): integrate new authz Engine changes Signed-off-by: George MacRorie <[email protected]> * fix(server/authz): ensure error is captured in return Signed-off-by: George MacRorie <[email protected]> * fix(config): allow policy and data sources to be empty Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): support separate poll durations for policy and data Signed-off-by: George MacRorie <[email protected]> * fix(config): validate non zero poll duration for authz sources Signed-off-by: George MacRorie <[email protected]> * fix(cmd/grpc): calls to authz engine with changes to polling Signed-off-by: George MacRorie <[email protected]> --------- Signed-off-by: George MacRorie <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ive gone around the houses with this for several days, so decided its best to open this up for feedback before I go too much further and start adding tests, etc. There's also several open questions that I could use some help addressing.
The goal of this PR is to start down the path of adding authorization (authz) to Flipt.
This has been a heavily requested feature recently, ex: #2756
While this initial functionality will not support namespace-based authz, it lays the foundation for it by implementing global authz.
The idea basic idea is to add Role Based Access Control (RBAC) support to Flipt using Open Policy Agent for both the 'language' used to define the authz policies as well as the enforcement library.
I think that using OPA in this way continues with Flipt's ethos of:
What/How
This will allow users to enable authz and assign users one of the 3 default global roles which will be mapped to a user via the authentication system of choice (more in the next section).
Each API request to Flipt that is to be authorized (management API only) is annotated with both a
subjectandactionsuch asflag:create, similar to our already existing audit events.The authz policy defines which roles can perform which actions on which subjects and is enforced via a middleware similar to how our authentication works.
Our existing audit events were changed to use these new
requesttypes as well, since they map 1-1 to audit events that we already publish.Configurability
The goal is to eventually allow operators to define their own policy rules via JSON (or YAML) that can override our default policy rules.
This is not part of this PR, but it is the reason I chose to load the policy rules using rego/OPA's data API.
We will validate that the operator's policy data conforms to our expected schema using JSON schema (part of this PR).
The rego rules should not need to be adjusted or overridden (ideally) in this manner since the rules are abstracted via this data API.
In the future we can support loading these rules from:
Mapping Authn to Authz
A key aspect of this functionality that is currently not implemented is the mapping of a user to a role.
AFAIK, most OIDC providers have the notion of roles and allow enriching the tokens they create with custom attributes such as roles.
OIDC Providers:
We'll need a mechanism to then map the roles in the OIDC token at authn time to the token that we create in Flipt and then get stored in the token metadata (here in this PR)
This is one of the major open questions I have with this approach, how to best represent this mapping, perhaps in our existing config file?
Future
Namespaced Authz and Custom Roles
If we can figure out how to do ☝🏻 , then I think the next step would be to add support for namespace based authz, so that users could have different permissions depending on the namespace of the data they are accessing. This is ultimately what is being asked for in #2756
I think for this we could implement it one of two ways:
Open Questions
Anyways, would love any and all feedback!
cc @piclemx @erka @GeorgeMac