New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(draft): Authz #3008
base: main
Are you sure you want to change the base?
feat(draft): Authz #3008
Conversation
if action != "" { | ||
event = audit.NewEvent(audit.FlagType, action, actor, audit.NewFlag(r)) | ||
} | ||
event = audit.NewEvent(request, actor, audit.NewFlag(r)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can likely clean this up a bit by having audit.NewEvent
also know how to wrap the resp r
with the appropriate type maybe? so we don't have to have this switch statement
{ | ||
"version": "0.1.0", | ||
"roles": [ | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to rethink this policy schema to support namespaces @GeorgeMac
feat: impl authz middleware feat: impl authz middleware chore: fix panic and bad redux selector chore: fmt ui chore: refactor chore: fix build, change to single role, default role chore: fix build, change to single role, default role chore: rm unneeded files feat: configurable roles/policies chore: config schema and tests chore: mv back events to audit package chore: reset ui folder chore: revert ui back to main chore: policy schema, visibility of errors chore: add policy schema test chore: rebase on main Signed-off-by: Mark Phelps <[email protected]>
* chore: fix tests, add role attribute path / role mapping to oidc server tests Signed-off-by: Mark Phelps <[email protected]> * chore: authz middleware tests Signed-off-by: Mark Phelps <[email protected]> * chore: fix audit tests Signed-off-by: Mark Phelps <[email protected]> * chore: proto regen Signed-off-by: Mark Phelps <[email protected]> * chore: try to fix marshal audit events behaviour Signed-off-by: Mark Phelps <[email protected]> * chore: fix failing test Signed-off-by: Mark Phelps <[email protected]> --------- Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
chore: refactor request models to include scope
…3108) * refactor(server/authz): rename scope to resource Signed-off-by: George MacRorie <[email protected]> * feat(config/authz): add policy and data source configuration Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): make policy and data external dependencies Signed-off-by: George MacRorie <[email protected]> * refactor(cmd/grpc): integrate new authz Engine changes Signed-off-by: George MacRorie <[email protected]> * fix(server/authz): ensure error is captured in return Signed-off-by: George MacRorie <[email protected]> * fix(config): allow policy and data sources to be empty Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): support separate poll durations for policy and data Signed-off-by: George MacRorie <[email protected]> * fix(config): validate non zero poll duration for authz sources Signed-off-by: George MacRorie <[email protected]> * fix(cmd/grpc): calls to authz engine with changes to polling Signed-off-by: George MacRorie <[email protected]> --------- Signed-off-by: George MacRorie <[email protected]>
Ive gone around the houses with this for several days, so decided its best to open this up for feedback before I go too much further and start adding tests, etc. There's also several open questions that I could use some help addressing.
The goal of this PR is to start down the path of adding authorization (authz) to Flipt.
This has been a heavily requested feature recently, ex: #2756
While this initial functionality will not support namespace-based authz, it lays the foundation for it by implementing global authz.
The idea basic idea is to add Role Based Access Control (RBAC) support to Flipt using Open Policy Agent for both the 'language' used to define the authz policies as well as the enforcement library.
I think that using OPA in this way continues with Flipt's ethos of:
What/How
This will allow users to enable authz and assign users one of the 3 default global roles which will be mapped to a user via the authentication system of choice (more in the next section).
Each API request to Flipt that is to be authorized (management API only) is annotated with both a
subject
andaction
such asflag:create
, similar to our already existing audit events.The authz policy defines which roles can perform which actions on which subjects and is enforced via a middleware similar to how our authentication works.
Our existing audit events were changed to use these new
request
types as well, since they map 1-1 to audit events that we already publish.Configurability
The goal is to eventually allow operators to define their own policy rules via JSON (or YAML) that can override our default policy rules.
This is not part of this PR, but it is the reason I chose to load the policy rules using rego/OPA's data API.
We will validate that the operator's policy data conforms to our expected schema using JSON schema (part of this PR).
The rego rules should not need to be adjusted or overridden (ideally) in this manner since the rules are abstracted via this data API.
In the future we can support loading these rules from:
Mapping Authn to Authz
A key aspect of this functionality that is currently not implemented is the mapping of a user to a role.
AFAIK, most OIDC providers have the notion of roles and allow enriching the tokens they create with custom attributes such as roles.
OIDC Providers:
We'll need a mechanism to then map the roles in the OIDC token at authn time to the token that we create in Flipt and then get stored in the token metadata (here in this PR)
This is one of the major open questions I have with this approach, how to best represent this mapping, perhaps in our existing config file?
Future
Namespaced Authz and Custom Roles
If we can figure out how to do ☝🏻 , then I think the next step would be to add support for namespace based authz, so that users could have different permissions depending on the namespace of the data they are accessing. This is ultimately what is being asked for in #2756
I think for this we could implement it one of two ways:
Open Questions
Anyways, would love any and all feedback!
cc @piclemx @erka @GeorgeMac