forked from mystiq/dex
199 lines
5.3 KiB
Markdown
199 lines
5.3 KiB
Markdown
|
Authorization (Auth-Z) Proposal
|
||
|
===============================
|
||
|
|
||
|
## Components
|
||
|
|
||
|
Core-Auth consisists of various components:
|
||
|
|
||
|
1. A web app for users to authenticate with.
|
||
|
2. A web app for users to manage auth-z policies.
|
||
|
3. An API to serve auth-z queries.
|
||
|
4. A common golang library to: validate auth-n tokens, assert identities from auth-n tokens, and fetch auth-z policies for users.
|
||
|
|
||
|
## Design Strategy
|
||
|
|
||
|
- Users authenticate and are provided a JWT
|
||
|
- API keys are the same format JWT
|
||
|
- Apps use the common library to access core-auth API to fetch auth-z policies etc
|
||
|
- Auth-z policy requests supply an etag, policies are cached with a ttl
|
||
|
|
||
|
## Basic Flow
|
||
|
|
||
|
1. users log in via OAuth and are redirected to app with token (alternatively entities can use pregenerated api tokens)
|
||
|
1. app uses common lib to assert identity from token
|
||
|
1. app uses common lib to fetch auth-z policies (if not cached, or ttl expired) from configured auth-z server
|
||
|
1. app uses common lib to assert permissions to requested resource(s)
|
||
|
input: policies, resource CRN(s)
|
||
|
output: yes/no, or filtered list of CRNs
|
||
|
1. app responds with: denial, full-results, or filter-results
|
||
|
|
||
|
|
||
|
## Permissions Specification
|
||
|
|
||
|
### Core Resource Namespaces (CRN)
|
||
|
|
||
|
Format: `crn:provider:product:instance:resource-type:resource`
|
||
|
|
||
|
- `provider`: a unique FQDN of the organization that created/maintains the application
|
||
|
- `product`: a product id/name unique to the provider
|
||
|
- `instance`: an individual deployed instance of the product (FQDN, or UUID?)
|
||
|
- `resource-type`: app specific resource type unqiue to the product
|
||
|
- `resource`: the uniqe id of the resource in question (can use `/` for nested resources)
|
||
|
|
||
|
### Resource Namespace Examples
|
||
|
|
||
|
CoreUpdate Examples:
|
||
|
|
||
|
```
|
||
|
// CoreOS App
|
||
|
crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57
|
||
|
// CoreOS App's "stable" Group
|
||
|
crn:coreos.com:coreupdate:public.update.core-os.net:group:e96281a6-d1af-4bde-9a0a-97b76e56dc57/stable
|
||
|
```
|
||
|
|
||
|
Quay Example:
|
||
|
|
||
|
```
|
||
|
crn:quay.io:enterprise-registry:my-registry.my-company.com:repo:hello-world
|
||
|
```
|
||
|
|
||
|
### Actions
|
||
|
|
||
|
Similar to CRN but defined and registered by individual apps.
|
||
|
Action describes the type of access that should be allowed or denied (for example, read, write, list, delete, startService, and so on)
|
||
|
|
||
|
```
|
||
|
provider:product:name
|
||
|
```
|
||
|
|
||
|
- `provider`: a unique FQDN of the organization that created/maintains the application (same as CRN)
|
||
|
- `product`: a product id/name unique to the provider (same as CRN)
|
||
|
- `name`: the acutal name of the aciton in the product
|
||
|
|
||
|
#### Action Examples
|
||
|
|
||
|
CoreUpdate (general):
|
||
|
|
||
|
```
|
||
|
coreos.com:coreupdate:read
|
||
|
coreos.com:coreupdate:write
|
||
|
coreos.com:coreupdate:delete
|
||
|
```
|
||
|
|
||
|
CoreUpdate (finer grained control):
|
||
|
|
||
|
```
|
||
|
coreos.com:coreupdate:publish
|
||
|
coreos.com:coreupdate:pause
|
||
|
coreos.com:coreupdate:modifyBehavior
|
||
|
coreos.com:coreupdate:modifyChannel
|
||
|
coreos.com:coreupdate:modifyVersion
|
||
|
```
|
||
|
|
||
|
### Policies
|
||
|
|
||
|
```json
|
||
|
{
|
||
|
"apiVersion": "v1",
|
||
|
"id": "7CFCE45E-610A-407C-84DB-86A24658B217",
|
||
|
"label": "my policy",
|
||
|
"statements": [
|
||
|
{
|
||
|
"effect": "allow",
|
||
|
"resource": ["crn:..."],
|
||
|
"action": ["crn:..."],
|
||
|
},
|
||
|
]
|
||
|
}
|
||
|
```
|
||
|
|
||
|
Policy:
|
||
|
|
||
|
- `apiVersion`: the policy API version
|
||
|
- `id`: unique id of the policy
|
||
|
- `label`: human readable label for the policy
|
||
|
- `statements`: the main element for a policy. it is a list of multiple statements defining access.
|
||
|
|
||
|
Statement:
|
||
|
|
||
|
- `effect`: "allow" or "deny"
|
||
|
- `resource`: the CRN of the resource
|
||
|
- `action`: described in action section
|
||
|
|
||
|
#### Policiy Examples
|
||
|
|
||
|
CoreUpdate Example:
|
||
|
|
||
|
```json
|
||
|
{
|
||
|
"apiVersion": "v1",
|
||
|
"id": "rando-uuid",
|
||
|
"label": "admin",
|
||
|
"description": "allows full admin access to everything",
|
||
|
"statements": [
|
||
|
{
|
||
|
"effect": "allow",
|
||
|
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
|
||
|
"action": ["coreos.com:coreupdate:*"],
|
||
|
},
|
||
|
]
|
||
|
}
|
||
|
|
||
|
{
|
||
|
"apiVersion": "v1",
|
||
|
"id": "rando-uuid",
|
||
|
"label": "full-read-only",
|
||
|
"description": "allows read only access to everything",
|
||
|
"statements": [
|
||
|
{
|
||
|
"effect": "allow",
|
||
|
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
|
||
|
"action": ["coreos.com:coreupdate:read"],
|
||
|
},
|
||
|
]
|
||
|
}
|
||
|
|
||
|
{
|
||
|
"apiVersion": "v1",
|
||
|
"id": "rando-uuid",
|
||
|
"label": "full-internal-only",
|
||
|
"description": "allows read access to everything, denys write access to the main CoreOS app",
|
||
|
"statements": [
|
||
|
{
|
||
|
"effect": "allow",
|
||
|
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
|
||
|
"action": ["coreos.com:coreupdate:read"],
|
||
|
},
|
||
|
{
|
||
|
"effect": "deny",
|
||
|
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57"],
|
||
|
"action": ["coreos.com:coreupdate:write"],
|
||
|
},
|
||
|
]
|
||
|
}
|
||
|
```
|
||
|
|
||
|
### Policy Associations
|
||
|
|
||
|
Policies can be attached to Organizations, Groups, or Users.
|
||
|
|
||
|
### Core Auth API
|
||
|
|
||
|
Should support the following operations:
|
||
|
|
||
|
- create/delete actions
|
||
|
- create/delete resources
|
||
|
- get policies for entity
|
||
|
- TBD
|
||
|
- TBD
|
||
|
|
||
|
# Open Questions
|
||
|
|
||
|
- Do we support resource-based permissions?
|
||
|
- Do we need to include the org in the CRNs?
|
||
|
- Do we version the policies (different than apiVersion) for easy undo/history?
|
||
|
- Should we have an `enabled` flag on policies?
|
||
|
- How to handle public anonymous access?
|
||
|
- Include the AWS equivalent of `NotResource` and `NotAction`?
|
||
|
- Do we need to support conditions in policies? Perhaps we don't need these for v1.
|