Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSS-5674 Replace database-stored access with OpenFGA #1051

Merged
merged 28 commits into from
Oct 12, 2023
Merged

CSS-5674 Replace database-stored access with OpenFGA #1051

Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
0a3479e
JIMM uses JWT to log in to individual controllers.
alesstimec Sep 5, 2023
b02d546
Update godocs to indicate idempotency
babakks Sep 29, 2023
1f0b28b
Add `unsetMultipleResourceAccess`
babakks Oct 2, 2023
e0b6310
Replace database-stored relations with OpenFGA
babakks Oct 2, 2023
72db748
Un-comment grant/revoke cloud access tests
babakks Oct 2, 2023
6adda6d
Use existing `ToCloudRelation` for mapping accesses to relations
babakks Oct 2, 2023
a9fbc13
Merge branch 'feature-rebac' into css-5674/replace-db-with-openfga
babakks Oct 4, 2023
1ce4d99
Add `UnsetModelAccess` method
babakks Oct 4, 2023
f3fde61
Assert for tuples that should exist after revoking cloud access
babakks Oct 4, 2023
9517dc9
Update `ModifyModelAccess` to change state in OpenFGA
babakks Oct 4, 2023
fdcd5ed
Update `GrantModelAccess` tests
babakks Oct 4, 2023
a755c0e
Update `RevokeModelAccess` tests
babakks Oct 4, 2023
46a4957
Improve revoke cloud access tests
babakks Oct 4, 2023
a090d49
Improve revoke model access tests
babakks Oct 4, 2023
3e3b83e
Add more revoke cloud access cases having all relations separately
babakks Oct 4, 2023
5e85687
Add more revoke model access cases having all relations separately
babakks Oct 4, 2023
b475081
Change if-statements with switch-statements
babakks Oct 10, 2023
0a467c4
Remove unnecessary Juju API call to grant/revoke model access
babakks Oct 10, 2023
f435efe
Remove unnecessary Juju API call to grant/revoke cloud access
babakks Oct 10, 2023
9a88556
Improve failure error message
babakks Oct 10, 2023
03916b2
Change to inline if-err checks where possible
babakks Oct 10, 2023
543f39d
Improve local var naming
babakks Oct 10, 2023
e1ade1a
Add `op` to re-thrown error
babakks Oct 10, 2023
e43cc66
Remove unnecessary test for idempotent re-granting of cloud access
babakks Oct 10, 2023
0cf9f3e
Merge branch 'feature-rebac' into css-5674/replace-db-with-openfga
babakks Oct 11, 2023
42a373b
Log errors when granting/revoking access
babakks Oct 11, 2023
29ac788
Add tests to verify returning unrecognized access error
babakks Oct 11, 2023
92b3b71
Improve naming
babakks Oct 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 81 additions & 91 deletions internal/jimm/cloud.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -552,124 +552,114 @@ func (j *JIMM) doCloudAdmin(ctx context.Context, u *openfga.User, ct names.Cloud
// given user. If the cloud is not found then an error with the code
// CodeNotFound is returned. If the authenticated user does not have admin
// access to the cloud then an error with the code CodeUnauthorized is
// returned. If the ModifyCloudAccess API call retuns an error the error
// code is not masked.
func (j *JIMM) GrantCloudAccess(ctx context.Context, u *dbmodel.User, ct names.CloudTag, ut names.UserTag, access string) error {
// returned. If the ModifyCloudAccess API call returns an error, the error is
// returned with the error code unmasked.
func (j *JIMM) GrantCloudAccess(ctx context.Context, user *openfga.User, ct names.CloudTag, ut names.UserTag, access string) error {
const op = errors.Op("jimm.GrantCloudAccess")

// TODO (alesstimec) granting and revoking access tbd in a followup
return errors.E(errors.CodeNotImplemented)
/*
ale := dbmodel.AuditLogEntry{
Time: time.Now().UTC().Round(time.Millisecond),
Tag: ct.String(),
UserTag: u.Tag().String(),
Action: "grant",
Params: dbmodel.StringMap{
"user": ut.String(),
"access": access,
},
targetRelation, err := ToCloudRelation(access)
if err != nil {
return errors.E(op, errors.CodeBadRequest, "failed to recognize given access", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we, please log the access? might be useful for debugging purposes

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it should be a debug entry? or error? If it's for debugging I think debug should suffice.

}

err = j.doCloudAdmin(ctx, user, ct, func(c *dbmodel.Cloud, api API) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The callback still takes dbmodel.Cloud, is this needed now? I'd presume not right?

targetUser := &dbmodel.User{}
targetUser.SetTag(ut)
err := j.Database.GetUser(ctx, targetUser)
if err != nil {
return err
}
defer j.addAuditLogEntry(&ale)
targetOfgaUser := openfga.NewUser(targetUser, j.OpenFGAClient)

err := j.doCloudAdmin(ctx, u, ct, func(c *dbmodel.Cloud, api API) error {
targetUser := dbmodel.User{
Username: ut.Id(),
}
if err := j.Database.GetUser(ctx, &targetUser); err != nil {
return err
}
if err := api.GrantCloudAccess(ctx, ct, ut, access); err != nil {
return err
}
var uca dbmodel.UserCloudAccess
for _, a := range c.Users {
if a.Username == targetUser.Username {
uca = a
break
currentRelation := targetOfgaUser.GetCloudAccess(ctx, ct)
if currentRelation != ofganames.NoRelation {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might this be better as a switch statement?

if targetRelation == ofganames.CanAddModelRelation {
return nil
} else if targetRelation == ofganames.AdministratorRelation {
if currentRelation == ofganames.AdministratorRelation {
return nil
}
}
uca.User = targetUser
uca.Cloud = *c
uca.Access = access
}

if err := j.Database.UpdateUserCloudAccess(ctx, &uca); err != nil {
return errors.E(op, err, "cannot update database after updating controller")
}
return nil
})
if err := api.GrantCloudAccess(ctx, ct, ut, access); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to do this? This is assigning access on the Juju side I believe, but Juju won't be checking it's own access permissions, it will just rely on whatever is in the JWT.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah looking at

jimm/internal/jimm/cloud.go

Line 488 in 5e85687

// TODO (alesstimec) This will no longer be needed.
I'm pretty sure this isn't needed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed.. this should no longer be needed..

return err
}

err = targetOfgaUser.SetCloudAccess(ctx, ct, targetRelation)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sometime we do err := p(); err != nil, and sometimes two lines, let's try keep it inline if's with errs where we can

if err != nil {
ale.Params["err"] = err.Error()
return errors.E(op, err)
return errors.E(err, "cannot update OpenFGA record after updating cloud")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't the error more a tuple issue just from ofga?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, please include op in the error

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there's no Juju API call anymore, I changed the error message to failed to set cloud access.

}
ale.Success = true
return nil
*/
})

if err != nil {
return errors.E(op, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please log this error

}
return nil
}

// RevokeCloudAccess revokes the given access level on the given cloud from
// the given user. If the cloud is not found then an error with the code
// CodeNotFound is returned. If the authenticated user does not have admin
// access to the cloud then an error with the code CodeUnauthorized is
// returned. If the ModifyCloudAccess API call retuns an error the error
// code is not masked.
func (j *JIMM) RevokeCloudAccess(ctx context.Context, u *dbmodel.User, ct names.CloudTag, ut names.UserTag, access string) error {
// returned. If the ModifyCloudAccess API call returns an error, the error
// is returned with the code unmasked.
func (j *JIMM) RevokeCloudAccess(ctx context.Context, user *openfga.User, ct names.CloudTag, ut names.UserTag, access string) error {
const op = errors.Op("jimm.RevokeCloudAccess")

// TODO (alesstimec) granting and revoking access tbd in a followup
return errors.E(errors.CodeNotImplemented)

/*
ale := dbmodel.AuditLogEntry{
Time: time.Now().UTC().Round(time.Millisecond),
Tag: ct.String(),
UserTag: u.Tag().String(),
Action: "revoke",
Params: dbmodel.StringMap{
"user": ut.String(),
"access": access,
},
targetRelation, err := ToCloudRelation(access)
if err != nil {
return errors.E(op, errors.CodeBadRequest, "failed to recognize given access", err)
}

err = j.doCloudAdmin(ctx, user, ct, func(c *dbmodel.Cloud, api API) error {
targetUser := &dbmodel.User{}
targetUser.SetTag(ut)
err := j.Database.GetUser(ctx, targetUser)
if err != nil {
return err
}
defer j.addAuditLogEntry(&ale)
targetOfgaUser := openfga.NewUser(targetUser, j.OpenFGAClient)

err := j.doCloudAdmin(ctx, u, ct, func(c *dbmodel.Cloud, api API) error {
targetUser := dbmodel.User{
Username: ut.Id(),
}
if err := j.Database.GetUser(ctx, &targetUser); err != nil {
return err
}
if err := api.RevokeCloudAccess(ctx, ct, ut, access); err != nil {
return err
currentRelation := targetOfgaUser.GetCloudAccess(ctx, ct)
if currentRelation == ofganames.NoRelation {
return nil
}

var relationsToRevoke []openfga.Relation
if targetRelation == ofganames.CanAddModelRelation {
// If we're revoking "add-model" access, in addition to the "add-model" relation, we should also revoke the
// "admin" relation. That's because having an "admin" relation indirectly grants the "add-model" permission
// to the user.
relationsToRevoke = []openfga.Relation{
ofganames.CanAddModelRelation,
ofganames.AdministratorRelation,
}
var uca dbmodel.UserCloudAccess
for _, a := range c.Users {
if a.Username == targetUser.Username {
uca = a
break
}
} else if targetRelation == ofganames.AdministratorRelation {
if currentRelation == ofganames.CanAddModelRelation {
return nil
}
uca.User = targetUser
uca.Cloud = *c
switch access {
case "admin":
uca.Access = "add-model"
default:
uca.Access = ""
relationsToRevoke = []openfga.Relation{
ofganames.AdministratorRelation,
}
}

if err := j.Database.UpdateUserCloudAccess(ctx, &uca); err != nil {
return errors.E(op, err, "cannot update database after updating controller")
}
return nil
})
if err := api.RevokeCloudAccess(ctx, ct, ut, access); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't think this is needed either, api typically hits the controller/model, we wanna keep this purely in JIMM

return err
}

err = targetOfgaUser.UnsetCloudAccess(ctx, ct, relationsToRevoke...)
if err != nil {
ale.Params["err"] = err.Error()
return errors.E(op, err)
return errors.E(err, "cannot update OpenFGA record after updating cloud")
}
ale.Success = true
return nil
*/
})

if err != nil {
return errors.E(op, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please log this error

}
return nil
}

// RemoveCloud removes the given cloud from JAAS If the cloud is not found
Expand Down
Loading
Loading