[A2-882] authz-service: fix v1 to v2 policy migration issues with applications #612
Conversation
srenatus
added
bug 🐛
srenatus
force-pushed
the
sr/authz-service/v1-to-v2-policy-migration-issues-with-applications
branch
2 times, most recently
from
35a0d7b to
90bf1e5
Compare
srenatus
changed the title
srenatus
changed the title
| @@ -419,133 +420,127 @@ func customPolicyFromV1(pol *storage_v1.Policy) (*storage.Policy, error) { | |||
|
|
|||
| // Basically implements "Current Resource" -> "New Resource Names (RFR)" column of | |||
| // https://docs.google.com/spreadsheets/d/1ccaYDJdMnHBfFgmNC1n2_S1YOnMJ-OgkYd8ySbb-mS0/edit#gid=363200100 | |||
| func convertV1Resource(resource string) ([]string, error) { | |||
There was a problem hiding this comment.
Drive-by: this function's return value was never more than a slice-of-one. So, I've made it a string, and fixed the fallout.
| case "notifications": | ||
| return combineTermsIntoResourceSlice(terms), nil | ||
| case "*": |
There was a problem hiding this comment.
This was a bug: *:foo:bar would have been converted to *. It's now tighter, above
| @@ -2239,6 +2239,21 @@ func TestV1PolicyMigration(t *testing.T) { | |||
| }), | |||
| ), | |||
| }, | |||
| "service_groups,list": { | |||
There was a problem hiding this comment.
ℹ️ Converting a custom v1 policy for service groups into a custom v2 policy.
| @@ -2279,6 +2294,10 @@ func TestV1PolicyMigration(t *testing.T) { | |||
| wellknown(t, constants_v1.CSNginxComplianceDataCollectorPolicyID), | |||
| checks(isSkipped()), | |||
| }, | |||
| "v1 default application policy": { | |||
There was a problem hiding this comment.
ℹ️ Skipping the default v1 application policy: it's handled by viewer and editor roles in v2.
There was a problem hiding this comment.
I raised the question to Kyleen, to whom this actually matters 😁, and she has confirmed it is not the same. What they want is "all users to have default access to all [application] things". Right now anyone with a viewer role or on the viewers team has access, but all users are not viewers by default. So I think we need a migration for this policy. See https://chefio.slack.com/archives/CFCE1NQ9W/p1560797578017700
There was a problem hiding this comment.
I'd like to pull in Susan's feedback here. In IAM v2, we don't really follow any concept of "all users having default access" anymore.
Also, if we encourage our customers not to migrate v1 policies, we cannot rely on them for any nice out-of-the-box experience when using IAM v2.
| log_error "$output" | ||
| return 1 | ||
| else | ||
| # in CI, we don't want any policies to be skipped |
There was a problem hiding this comment.
This will catch "unknown well-known" policies creeping in again in the future. I've ensured that the test works by running it on master in this build
components/authz-service/README.md
Outdated
| 2. A new IAM v2 policy: they are defined in [server/v2/system](server/v2/system.go#L31). | ||
| 3. Migration logic: When upgrading from IAM v1 to v2 (v2.1), v1 policies are | ||
| converted. The conversion logic needs to be made aware of the new v1 policies, and | ||
| how (and if) they are to be migrated (if they hadn't been deleted). The procedure for |
There was a problem hiding this comment.
I think we want "if they haven't been deleted" . . . but that is confusing, also. You mean if they haven't been migrated?
There was a problem hiding this comment.
You're right about the grammar, for course -- what this was trying to describe is that the migration code only migrates v1 policies that haven't been deleted. There used to be shipped-with-A2 v1 policies that the user could delete. Not all "default policies" were non-deletable.
| @@ -615,6 +615,18 @@ For others, it will be necessary to add and remove policies | |||
| to lock the system down so that known users are authorized to access | |||
| specific resources. | |||
|
|
|||
| #### Adding New Default Policies | |||
| return "", errors.New("there was no resource passed") | ||
| } | ||
|
|
||
| if len(terms) == 1 && terms[0] == "*" { |
| token=$(chef-automate admin-token) | ||
| hab_curl --fail -s -k -H "api-token: $token" \ | ||
| -d "$(jo subjects="$(jo -a user:local:alice team:local:ops)" action=read resource=auth:users)" \ | ||
| https://localhost/api/v0/auth/policies | ||
|
|
||
| log_info "run chef-automate iam upgrade-to-v2" | ||
| chef-automate iam upgrade-to-v2 || return 1 | ||
| if ! output=$(chef-automate iam upgrade-to-v2); then |
There was a problem hiding this comment.
Will this also catch oops wrong script 😳. Do we need it in the v2p1.sh?chef-automate iam upgrade-to-v2 --beta2.1? (since we could possibly go from v1 -> v2.1, we'd need that)
There was a problem hiding this comment.
Don't think so -- it's the same migration code.
components/authz-service/README.md
Outdated
|
|
||
| 1. A new IAM v1 policy: these are defined in [migrations](storage/postgres/migration/sql/), | ||
| and the [v1 constants package](constants/v1/constants.go#L3-L4). | ||
| 2. A new IAM v2 policy: they are defined in [server/v2/system](server/v2/system.go#L31). |
There was a problem hiding this comment.
We should have them use the datamigrations for new V2 policies, otherwise they won't be applied to existing V2 installations.
| if terms[1] == "stats" { | ||
| return combineTermsIntoResourceSlice([]string{"infra", "nodes"}), nil | ||
| return "infra:nodes", nil |
There was a problem hiding this comment.
Using combineTermsIntoResource here still has value--that method is then the single place that knows there are colons involved. (And similarly on "event:events" below.)
There was a problem hiding this comment.
Yeah, but I've opted for keeping this simple. No need to overthink it, the colons aren't going to change in IAM v2. 😉
| @@ -2279,6 +2294,10 @@ func TestV1PolicyMigration(t *testing.T) { | |||
| wellknown(t, constants_v1.CSNginxComplianceDataCollectorPolicyID), | |||
| checks(isSkipped()), | |||
| }, | |||
| "v1 default application policy": { | |||
There was a problem hiding this comment.
I raised the question to Kyleen, to whom this actually matters 😁, and she has confirmed it is not the same. What they want is "all users to have default access to all [application] things". Right now anyone with a viewer role or on the viewers team has access, but all users are not viewers by default. So I think we need a migration for this policy. See https://chefio.slack.com/archives/CFCE1NQ9W/p1560797578017700
…icy"
This will resolve the following, irritating error:
$ chef-automate iam upgrade-to-v2 --result-json output.json
Upgrading to IAM v2
Migrating v1 policies...
Skipped policies:
convert v1 policy "aee14d59-da0b-4974-ba6d-1a018b024874"
unknown "well-known" policy
...by skipping this new default v1 policy in migration. Skipping is OK
because the application access rights are implemented as additions to
the viewer and editor roles in IAM v2 (v2.1).
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
srenatus
force-pushed
the
sr/authz-service/v1-to-v2-policy-migration-issues-with-applications
branch
from
0ed4408 to
4c3bb9b
Compare
Signed-off-by: Stephan Renatus <[email protected]>
srenatus
force-pushed
the
sr/authz-service/v1-to-v2-policy-migration-issues-with-applications
branch
from
4c3bb9b to
d7a596c
Compare
chef-ci
deleted the
sr/authz-service/v1-to-v2-policy-migration-issues-with-applications
branch
…lications (#612) * authz-service/migration: skip well-known "ApplicationServiceGroupsPolicy" This will resolve the following, irritating error: $ chef-automate iam upgrade-to-v2 --result-json output.json Upgrading to IAM v2 Migrating v1 policies... Skipped policies: convert v1 policy "aee14d59-da0b-4974-ba6d-1a018b024874" unknown "well-known" policy ...by skipping this new default v1 policy in migration. Skipping is OK because the application access rights are implemented as additions to the viewer and editor roles in IAM v2 (v2.1). * [integration] iam v2: assert that no policy is skipped * authz-service/migration: remove comment -- it's only a warning * authz-service/migration: migrate custom v1 policies for app tab * authz-service/migration: bikeshed migration mapping function types * authz-service: add docs re: adding new default policies Signed-off-by: Stephan Renatus <[email protected]>
🔩 Description
service_groups: it's implemented by additions to theviewerandeditorroles in v2 (v2.1)service_groupsproperly migrated👍 Definition of Done
👟 Demo Script / Repro Steps
rebuild components/authz-servicechef-automate iam reset-to-v1export TOK=$(chef-automate admin-token)service_groupsv1 policy:☝️ notice that there's none of these errors anymore:
⛓️ Related Resources
✅ Checklist