RBAC: Initial implementation #9844
Conversation
|
👋 Hello! Thanks for contributing to our project. You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9844/checks If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code. Reference tests: KNOWN ISSUES Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience. For more tips on troubleshooting, see the troubleshooting guide. Happy hacking! |
cbbayburt
force-pushed
the
rbac-base
branch
2 times, most recently
from
ad0e46e to
b0574d1
Compare
cbbayburt
force-pushed
the
rbac-base-schema
branch
from
6540ae8 to
843333c
Compare
| @@ -136,7 +139,7 @@ public static Set<String> getUnautenticatedRoutes() { | |||
| */ | |||
| private void registerAuthEndpoints() { | |||
| registrationHelper.addPostRoute(HTTP_API_ROOT + "auth/login", LoginController::apiLogin); | |||
| registrationHelper.addPostRoute(HTTP_API_ROOT + "auth/logout", withUser(LoginController::logout)); | |||
| registrationHelper.addGetRoute(HTTP_API_ROOT + "auth/logout", withUser(LoginController::logout)); | |||
There was a problem hiding this comment.
Why was this changed from get to post? Will this influence the way other pages/locations call this method? Or is this endpoint only used by costumers? If that is the case, we would need to add something to release notes.
There was a problem hiding this comment.
I think it was a mistake in the initial HTTP API implementation. In XML-RPC it's @ReadOnly which means it's supposed to be a GET request in HTTP API (also no payload). That's why I changed it now. The change only affects the HTTP API (and the testsuite, which is included in the PR).
And yes, since it's on the public API, we'll need a release note.
| boolean authorized = UserManager.getPermittedNamespaces(user) | ||
| .filter(ns -> params[0].equals(ns.getNamespace()) || | ||
| ns.getNamespace().startsWith(params[0] + '.') | ||
| ).anyMatch(ns -> params.length < 2 || |
There was a problem hiding this comment.
we should have some comments explaining this magic number. Why 2? (I'm assuming that it must have and least one parent, otherwise it would match the full path)
There was a problem hiding this comment.
Right, this one needs a description.
Second element in params is the optional "access mode". If not provided, either R or W would match.
There was a problem hiding this comment.
Here are some examples: 4f50a5d
| @@ -136,6 +141,15 @@ public Object invoke(String methodCalled, List params) throws XmlRpcFault { | |||
| } | |||
| } | |||
|
|
|||
| try { | |||
There was a problem hiding this comment.
We should consider if we should continue to have the read-only user logic or if that should/can be replaced by a User group.
I think we must replace the read-only API user with a new group in the logic that is being implemented in the RBAC, and in that case, the code that is placed a few lines above (L18-L142) should be removed.
There was a problem hiding this comment.
Yes, the read-only logic can be fully replaced with RBAC. And yes, there'll be many obsolete parts then :)
| * @param mode the access mode (view/modify) | ||
| * @throws PermissionException if the user is not permitted to access the specified namespace | ||
| */ | ||
| public static void ensureRoleBasedAccess(User user, String namespace, Namespace.AccessMode mode) { |
There was a problem hiding this comment.
I think this method is not used. It also feels strange, since it doesn't return anything and checks user access and through an exception if he doesn't have access to the endpoint.
There was a problem hiding this comment.
Oh this one has a long story:
Imagine a struts page that renders a JSP table with pagination buttons, select all button, etc.
On top of that, there's a button to do some real action on selected rows.
In Struts, all the pagination and the actual action are handled in the same handler with the same POST endpoint. However, pagination is a read operation, while the action is usually a "modify".
Since the endpoint is the same, the only sensible way is to make the differentiation in the handler code.
So this method is called from these handlers. And the way it doesn't return but throws is for convenience.
Here's some example usages: d4517b3
| * @return the stream of permitted namespaces | ||
| */ | ||
| public static Stream<Namespace> getPermittedNamespaces(User user) { | ||
| return Stream.concat(user.getNamespaces().stream(), |
There was a problem hiding this comment.
I think we can have this method with a more efficient implementation, where we could get all the user namespaces with a single query execution. We don't need to change it for this PR, but we should refactor it.
There was a problem hiding this comment.
I still need to test the performance of different approaches, but with eager fetching, Hibernate should perform good enough on this.
|
|
||
| private void handleAjaxAccess(HttpServletRequest hreq, Set<String> noAuthEndpoints) { | ||
| String path = hreq.getServletPath() + hreq.getPathInfo(); | ||
| if (!authenticationService.requestURIRequiresAuthentication(hreq) || noAuthEndpoints.contains(path)) { |
There was a problem hiding this comment.
I would prefer to not have a dependency from AuthenticationServiceFactory, but I was looking at the endpoints in there and they are super generic (like /css), so would be hard to move them to the database.
| RequestContext requestContext = new RequestContext(hreq); | ||
| User user = requestContext.getCurrentUser(); | ||
| if (user == null) { | ||
| if (!noAuthEndpoints.contains(route.getMatchUri())) { |
There was a problem hiding this comment.
I think we can just throw the exception without the if statement, since we are already checking the noAuthEndpoints in line 173.
HOwever, it doesn't cause any issue if we keep it as is. Up to you to decide :)
There was a problem hiding this comment.
Right, I guess I overlooked this one.
|
|
||
| User user = new RequestContext(hreq).getCurrentUser(); | ||
| if (user == null) { | ||
| if (!noAuthEndpoints.contains(hreq.getServletPath())) { |
There was a problem hiding this comment.
Same comment from the handleSparkAccess, up to you if you want to keep this check.
This PR introduces the layout for RBAC filtering structure, without enforcing access or adding any endpoint/namespace data.
Optionally, here's how to enable RBAC in this version:
server.susemanager.rbac = 1config option torhn.confDocumentation
Test coverage
Changelogs
Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository
If you don't need a changelog check, please mark this checkbox:
If you uncheck the checkbox after the PR is created, you will need to re-run
changelog_test(see below)Re-run a test
If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:
Before you merge
Check How to branch and merge properly!