[a2-694] Add policy for applications service IAM v1 and v2 #462
Conversation
- For v1 add resource service_groups - For v2 add resource applications:serviceGroups Signed-off-by: kmacgugan <[email protected]>
|
do we want any docs changes related to this? should we be updating the viewer and editor iam roles as well? |
There was a problem hiding this comment.
Looks good to me. However, I suppose this needs some discussion for IAM v2 -- is this supposed to be accessible out of the box for viewers/editors? If so, it needs to be added to their default policies.
We've recently merged a change that adds these users locally, and upgrades IAM to v2, as part of start_all_services. If you login using viewer or editor (password chefautomate), you can observe the current behaviour, without these additions.
| @@ -21,41 +21,41 @@ service ApplicationsService { | |||
| // TODO (dan, 2/2019): need to replace this once we have resources and such | |||
There was a problem hiding this comment.
So can this comment now go away?
| @@ -300,6 +300,14 @@ func DefaultPolicies() (map[string]*Policy, error) { | |||
| Effect: "allow", | |||
| Version: 1, | |||
| }, | |||
| constants.ApplicationsServiceGroupsPolicyID: { | |||
There was a problem hiding this comment.
You've added this policy to our system policies, which are hidden policies that govern permissions that Automate needs to work correctly (i.e. every user always needs to be able to get the license status so they won't be always blocked by the license modal). These policies never change.
My guess is that we should be able to change permissions on this API. In that case, instead of adding this policy, we'll want to add the API's v2 action to the role(s) that should have access. Maybe Viewer and Editor?
There was a problem hiding this comment.
actually just kidding about that system policy comment! i misread the code. this is correct for adding a v1 default policy 👍
for v2 permissions:
- add
applications:*to the Editor role - add
applications:serviceGroups:listto the Viewer role - add a datamigration updating those two roles with their new actions (similar to this migration)
There was a problem hiding this comment.
If we make changes to these roles please also update the iam v2 docs, thx!
| option (chef.automate.api.iam.policy).resource = "infra:nodes"; | ||
| option (chef.automate.api.iam.policy).action = "infra:nodes:list"; | ||
| option (chef.automate.api.iam.policy).resource = "applications:serviceGroups"; | ||
| option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list"; |
There was a problem hiding this comment.
If you can GetServices, can you always get their healthcounts and get services by SG?
There was a problem hiding this comment.
Yes, at least you should be able to.
There was a problem hiding this comment.
gotcha, makes sense that all the resources/actions should be the same then. 👍
|
|
||
| INSERT INTO policies | ||
| VALUES ('aee14d59-da0b-4974-ba6d-1a018b024874', | ||
| '{"action": "*", "effect": "allow", "resource": "applications:serviceGroups", "subjects": ["user:*"]}', |
There was a problem hiding this comment.
the resource here must match the v1 resource.
| '{"action": "*", "effect": "allow", "resource": "applications:serviceGroups", "subjects": ["user:*"]}', | |
| '{"action": "*", "effect": "allow", "resource": "service_group", "subjects": ["user:*"]}', |
-Update v1 policies to actually be v1 policy and not the v2 ones Signed-off-by: kmacgugan <[email protected]>
kmacgugan
force-pushed
the
km/applications-policy
branch
from
2bfa0c1 to
7c7959a
Compare
| @@ -254,6 +255,7 @@ func DefaultRoles() []Role { | |||
| "event:*:list", | |||
| "ingest:*:get", | |||
| "ingest:*:list", | |||
| "applications:*:list", | |||
There was a problem hiding this comment.
is there a possibility there will be an individual getService in the near future? if so we may want to add applications:*:get as well while we're here
| SET policy_data='{"action": "list", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}', | ||
| deletable=TRUE; | ||
|
|
||
| UPDATE iam_roles |
There was a problem hiding this comment.
ah i forgot to mention one thing 😅
hopefully last thing to fix: move L13-23 into a new migration file under the postgres/datamigrations/sql directory
There was a problem hiding this comment.
Please make the change @bcmdarroch mentioned to the sql migration but otherwise g2g.
| 1, | ||
| TRUE) | ||
| ON CONFLICT (id) DO UPDATE | ||
| SET policy_data='{"action": "list", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}', |
There was a problem hiding this comment.
This action must be the same as the action on L5.
| @@ -234,6 +234,7 @@ func DefaultRoles() []Role { | |||
| "ingest:*", | |||
| "secrets:*", | |||
| "telemetry:*", | |||
| "applications:*", | |||
There was a problem hiding this comment.
This is incompatible with 45_add_application_policies.up.sql and will result in the entry being added to the database twice. Just delete this line and all is well.
Same for L258 below.
Signed-off-by: kmacgugan <[email protected]>
| actions = actions || '{applications:*}' | ||
| WHERE | ||
| id = 'editor'; | ||
| END; |
There was a problem hiding this comment.
What is this END doing that's distinct from COMMIT?
There was a problem hiding this comment.
probably i just wanted commit and end snuck in there. Commit will commit a transaction, end just delineates a block of code, like if it were in a loop. I think maybe I copied this structure from a loop somewhere?
Signed-off-by: kmacgugan <[email protected]>
Signed-off-by: kmacgugan <[email protected]>
|
@susanev I added docs for default policies. |
| }; | ||
| rpc GetServices(ServicesReq) returns (ServicesRes) { | ||
| // TODO (afiune, 4/2019): need to replace this once we have resources and such | ||
| // created in the auth system | ||
| option (google.api.http).get = "/beta/applications/services"; | ||
| option (chef.automate.api.policy).resource = "nodes"; | ||
| option (chef.automate.api.policy).resource = "service_groups"; |
There was a problem hiding this comment.
I don't think this endpoint has anything to do with service-groups here. This is only listing all services so we would probably need a different resource?
There was a problem hiding this comment.
For any future readers of this, we decided to stick with service_groups because this matches the labeling in the UI, so that is what users will expect to see.
Signed-off-by: kmacgugan [email protected]
🔩 Description
👍 Definition of Done
👟 Demo Script / Repro Steps
⛓️ Related Resources
✅ Checklist