Authorization refactor in preparation for fine-grained authorization

[markylaing]

This is a large refactor of authorization in LXD. The key points are:

• There is no longer a concept of an "admin" outside of the auth package.
• All EndpointActions must have either an AccessHandler or AllowUntrusted must be true.
• The auth package now contains Entitlements which act or particular objects. Access handlers should ask "Does user X have entitlement Y on object Z?"

This is in preparation for https://warthogs.atlassian.net/browse/LXD-389, the remainder of which will be found in #12252

[markylaing]

I think the DCO check is failing because there are too many commits. I've definitely signed them all. If it's an issue I'll figure out how to run the action locally and submit a fix upstream.

[markylaing]

@tomponline @monstermunchkin @gabrielmougard @MusicDin I've addressed the comments so ready for round 2 when you have a moment. Thanks :)

[markylaing]

I've just pushed an update because my most recent changes still included some logic which caused inconsistent behaviour in in the OpenFGA driver. Tests are passing locally including RBAC tests.

[markylaing]

@tomponline Regarding the problem with the events websocket I mentioned on Monday.

If you add this commit: f02bec6

Rather than fail because the user does not have sufficient privilege to view logging events, the test suite will hang indefinitely, never outputting an event. This happens because the client implementation of GetEvents does not specify an event type, so the /1.0/events endpoint returns all events to which the user has access. The CLI adds a handler to the EventListener returned by GetEvents, but since no logging events are ever returned, the handler is never run.

Really this should return a 403 Forbidden, but I'm not sure how this can be achieved with the current client implementation, especially given that we really don't want to be changing the client interface. Given that this behaviour is currently in main with TLS and RBAC, I don't think the OpenFGA driver needs to fix it. We can fix at a later date.

[markylaing]

@tomponline an additional pain I have found is that lxc exec requires access to /1.0/events. Rather than querying the /1.0/operations/{uuid}/wait endpoint, the client uses an event listener to figure out when an operation has completed. This means that for a user to be able to exec into a single instance they currently need to be able to see all operation and lifecycle events. This is a fairly easy fix though, I'll point it out in the other PR in a commit message.

[tomponline]

This is a fairly easy fix though, I'll point it out in the other PR in a commit message.

Can you put this up as a standalone PR so we can evaluate it independently, it sounds like a reasonable change to me though. Thanks

[tomponline]

Rather than fail because the user does not have sufficient privilege to view logging events, the test suite will hang indefinitely, never outputting an event. This happens because the client implementation of GetEvents does not specify an event type, so the /1.0/events endpoint returns all events to which the user has access. The CLI adds a handler to the EventListener returned by GetEvents, but since no logging events are ever returned, the handler is never run.

Really this should return a 403 Forbidden,

Why do you think it should be a 403?

Isn't this like the other discussion we had the other day regarding filtered lists, whereby if you dont have permission on any resources you just get an empty output rather than an error? In this case, isn't a blocking event stream with no events equivalent to that?

[markylaing]

Why do you think it should be a 403?

Isn't this like the other discussion we had the other day regarding filtered lists, whereby if you dont have permission on any resources you just get an empty output rather than an error? In this case, isn't a blocking event stream with no events equivalent to that?

I guess it is equivalent. Though in this case I think the reason for a hanging lxc monitor is a little more obfuscated. Happy to leave as it is for now though.

[markylaing]

This is a fairly easy fix though, I'll point it out in the other PR in a commit message.

Can you put this up as a standalone PR so we can evaluate it independently, it sounds like a reasonable change to me though. Thanks

Yep will do.

[tomponline]

Can we make it so if the user has access to no events it returns 403 then?

[markylaing]

This is a fairly easy fix though, I'll point it out in the other PR in a commit message.

Can you put this up as a standalone PR so we can evaluate it independently, it sounds like a reasonable change to me though. Thanks

Yep will do.

#12349

[markylaing]

Rebased.

[tomponline]

I wonder if we should ban all requests that use an invalid authentication protocol rather than fail open?

[markylaing]

I wasn't sure. Currently if you authenticate with Candid (without RBAC) or OIDC the default is to allow everything. I can change it but will need to change some tests. Any existing users using these authentication methods will find that they are unauthorized and will need to configure authorization via the unix socket.

[markylaing]

I think it's unlikely that there many (or any) users using OIDC or standalone Candid though.

[tomponline]

I see, so they dont have a trusted client TLS cert because they authenticated through a different mechanism but the active authorizer is for TLS. I think we should keep it the same, but perhaps clarify that section there with a comment how you explained it above.

[tomponline]

@markylaing I dont understand what this part is doing, will it always be false?

[markylaing]

The permissions map here is a map of project name to slice of permissions. However, if the user is an admin, this permission is stored in the map with the project name as an empty string. This is how it is currently done, but I can change it to something like:

type rbacPermission struct {
    admin bool
    projects map[string][]Permission
}

The permission cache defined on rbac will then be a map[string]rbacPermission where the keys are usernames.

How does that sound?

[tomponline]

yeah i think that would be clearer. Thanks

[tomponline]

Is "administrator" an RBAC concept? As I remember you were removing IsAdmin concept from LXD.
So I wouldn't want to see "administrator" in the error unless it was related to an RBAC concept specifically.

[markylaing]

Yes "admin" is an RBAC permission which grants full access. I'll update the comment to: // Only RBAC administrators can use the all-projects parameter.

[tomponline]

It would be good to include in the log message what it was trying to do, i.e "Failed RBAC status check, failed preparing request: %v"

[tomponline]

Something like "Failed RBAC status check, failed connecting to RBAC service, retrying: %v"

[tomponline]

Should use constants from http package here.

[tomponline]

Should use constants from http package here.

[tomponline]

We should return an error here rather than logging right? Otherwise we can get into an inconsistent state?

[tomponline]

Or do we also need to fallback to TLS in that case?

[tomponline]

I think in general we should rework this function to be a generic "one of the authorization keys has changed, we need to restart/change the authorization driver" and have it handle all the driver's config keys so it can fallback to the previous active driver (and not just TLS) on error. But this can come as a separate PR.

[tomponline]

why not []string or []*string?

[tomponline]

Can we avoid calling this function for each entity in entries - this could be a lot of them and slow?
Can we use the transactional checker concept we discussed?

[tomponline]

So if you can view all metrics with auth.EntitlementCanViewMetrics why cant you also do filtering?

[tomponline]

I think this section could do with a comment explaining whats going on here and why its special.

[tomponline]

A comment here explaining why this bit is special would be good.

[tomponline]

Can we do this earlier, fail if it fails, and if something goes wrong later remove the entry from the authorizer again?
This feels safer to me.

[tomponline]

Think this should be an error.

[tomponline]

I think in general we need to review and consider the ordering of when entities are added/removed from the authorizer and whether if that fails whether it should be passed back to the user.

[tomponline]

Can we use a "get permission checker" to avoid having to call out to the authorizer service for each op.Resources()?

[tomponline]

Although there's some additional conversations and changes to be made to this, in the interests of making progress I am approving it as I do not see any glaring problems with it. Thanks!

changes made

[markylaing]

Thanks for your review @tomponline. Glad it's finally merged 🥳

I've created an issue for the outstanding comments: #12461