Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create ephemeral policies for task access to Variables #15875

Closed
tgross opened this issue Jan 25, 2023 · 2 comments · Fixed by #18744
Closed

create ephemeral policies for task access to Variables #15875

tgross opened this issue Jan 25, 2023 · 2 comments · Fixed by #18744
Labels
stage/needs-discussion theme/auth theme/variables Variables feature theme/workload-identity type/enhancement

Comments

@tgross
Copy link
Member

tgross commented Jan 25, 2023

Workload-Associated ACL Policies are ordinary ACL policies with the appropriate job/group/task fields set. This is suitable for use with most APIs, as shown in #15870. But the implicit Task Access to Variables pseudo-policies need special handling for the Variables RPC, which feels likely to result in a security bug eventually.

The acl.ACL objects are expensive to create, so we cache them on the server after they've been resolved from the token (or claim). The cache is keyed by a hash of the policies and not the token, so without considering Task Access to Variables most acl.ACL objects we get from WIs are going to be the same and will cache efficiently. Unfortunately when you add Task Access to Variables implicit policies, every WI will have a different cache key and that'll explode the number of acl.ACL objects we need to cache if there are a lot of them. This will push user-tokens out of the LRU.

A couple of ideas we'll want to explore:

  • Is there a way to create an efficient "pattern matching" policy that can be matched against the Variables paths without having to have a separate policy for each and every WI? (That's also ACL policy interpolation #14764)
  • Is the memory usage so much that we can't just split out the WI ACL objects to their own cache, so that we don't push user-tokens out of the LRU cache?
@tgross tgross mentioned this issue Jan 25, 2023
Open
@tgross tgross mentioned this issue Jan 26, 2023
Merged
tgross added a commit that referenced this issue Oct 12, 2023
@tgross
auth: remove "mixed auth" special casing for Variables endpoint
cd90706 
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By
using `nil` as a sentinel value, we have the risk of nil pointer exceptions and
improper handling of `nil` when returned from our various auth methods that can
lead to privilege escalation bugs. This is the third in a series to eliminate
the use of `nil` ACLs as a sentinel value for when ACLs are disabled.

This patch involves leveraging the refactored `auth` package to remove the weird
"mixed auth" helper functions that only support the Variables read/list RPC
handlers. Instead, pass the ACL object and claim together into the
`AllowVariableOperations` method in the usual `acl` package.

Ref: hashicorp/nomad-enterprise#1218
Ref: #18703
Ref: #18715
Ref: #16799
Ref: #18730

Fixes: #15875
@tgross tgross mentioned this issue Oct 12, 2023
Merged
@tgross
Copy link
Member Author

tgross commented Oct 12, 2023

Will be closed by #18744. That doesn't exactly do what's described here, but instead makes it unnecessary.

tgross added a commit that referenced this issue Oct 12, 2023
@tgross
auth: remove "mixed auth" special casing for Variables endpoint (#18744)
484f91b 
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By
using `nil` as a sentinel value, we have the risk of nil pointer exceptions and
improper handling of `nil` when returned from our various auth methods that can
lead to privilege escalation bugs. This is the third in a series to eliminate
the use of `nil` ACLs as a sentinel value for when ACLs are disabled.

This patch involves leveraging the refactored `auth` package to remove the weird
"mixed auth" helper functions that only support the Variables read/list RPC
handlers. Instead, pass the ACL object and claim together into the
`AllowVariableOperations` method in the usual `acl` package.

Ref: hashicorp/nomad-enterprise#1218
Ref: #18703
Ref: #18715
Ref: #16799
Ref: #18730

Fixes: #15875
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 6, 2025

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 6, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
stage/needs-discussion theme/auth theme/variables Variables feature theme/workload-identity type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

auth: remove "mixed auth" special casing for Variables endpoint hashicorp/nomad
1 participant
@tgross