Authorization (Auth-Z) Proposal =============================== ## Components Core-Auth consisists of various components: 1. A web app for users to authenticate with. 2. A web app for users to manage auth-z policies. 3. An API to serve auth-z queries. 4. A common golang library to: validate auth-n tokens, assert identities from auth-n tokens, and fetch auth-z policies for users. ## Design Strategy - Users authenticate and are provided a JWT - API keys are the same format JWT - Apps use the common library to access core-auth API to fetch auth-z policies etc - Auth-z policy requests supply an etag, policies are cached with a ttl ## Basic Flow 1. users log in via OAuth and are redirected to app with token (alternatively entities can use pregenerated api tokens) 1. app uses common lib to assert identity from token 1. app uses common lib to fetch auth-z policies (if not cached, or ttl expired) from configured auth-z server 1. app uses common lib to assert permissions to requested resource(s) input: policies, resource CRN(s) output: yes/no, or filtered list of CRNs 1. app responds with: denial, full-results, or filter-results ## Permissions Specification ### Core Resource Namespaces (CRN) Format: `crn:provider:product:instance:resource-type:resource` - `provider`: a unique FQDN of the organization that created/maintains the application - `product`: a product id/name unique to the provider - `instance`: an individual deployed instance of the product (FQDN, or UUID?) - `resource-type`: app specific resource type unqiue to the product - `resource`: the uniqe id of the resource in question (can use `/` for nested resources) ### Resource Namespace Examples CoreUpdate Examples: ``` // CoreOS App crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57 // CoreOS App's "stable" Group crn:coreos.com:coreupdate:public.update.core-os.net:group:e96281a6-d1af-4bde-9a0a-97b76e56dc57/stable ``` Quay Example: ``` crn:quay.io:enterprise-registry:my-registry.my-company.com:repo:hello-world ``` ### Actions Similar to CRN but defined and registered by individual apps. Action describes the type of access that should be allowed or denied (for example, read, write, list, delete, startService, and so on) ``` provider:product:name ``` - `provider`: a unique FQDN of the organization that created/maintains the application (same as CRN) - `product`: a product id/name unique to the provider (same as CRN) - `name`: the acutal name of the aciton in the product #### Action Examples CoreUpdate (general): ``` coreos.com:coreupdate:read coreos.com:coreupdate:write coreos.com:coreupdate:delete ``` CoreUpdate (finer grained control): ``` coreos.com:coreupdate:publish coreos.com:coreupdate:pause coreos.com:coreupdate:modifyBehavior coreos.com:coreupdate:modifyChannel coreos.com:coreupdate:modifyVersion ``` ### Policies ```json { "apiVersion": "v1", "id": "7CFCE45E-610A-407C-84DB-86A24658B217", "label": "my policy", "statements": [ { "effect": "allow", "resource": ["crn:..."], "action": ["crn:..."], }, ] } ``` Policy: - `apiVersion`: the policy API version - `id`: unique id of the policy - `label`: human readable label for the policy - `statements`: the main element for a policy. it is a list of multiple statements defining access. Statement: - `effect`: "allow" or "deny" - `resource`: the CRN of the resource - `action`: described in action section #### Policiy Examples CoreUpdate Example: ```json { "apiVersion": "v1", "id": "rando-uuid", "label": "admin", "description": "allows full admin access to everything", "statements": [ { "effect": "allow", "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"], "action": ["coreos.com:coreupdate:*"], }, ] } { "apiVersion": "v1", "id": "rando-uuid", "label": "full-read-only", "description": "allows read only access to everything", "statements": [ { "effect": "allow", "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"], "action": ["coreos.com:coreupdate:read"], }, ] } { "apiVersion": "v1", "id": "rando-uuid", "label": "full-internal-only", "description": "allows read access to everything, denys write access to the main CoreOS app", "statements": [ { "effect": "allow", "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"], "action": ["coreos.com:coreupdate:read"], }, { "effect": "deny", "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57"], "action": ["coreos.com:coreupdate:write"], }, ] } ``` ### Policy Associations Policies can be attached to Organizations, Groups, or Users. ### Core Auth API Should support the following operations: - create/delete actions - create/delete resources - get policies for entity - TBD - TBD # Open Questions - Do we support resource-based permissions? - Do we need to include the org in the CRNs? - Do we version the policies (different than apiVersion) for easy undo/history? - Should we have an `enabled` flag on policies? - How to handle public anonymous access? - Include the AWS equivalent of `NotResource` and `NotAction`? - Do we need to support conditions in policies? Perhaps we don't need these for v1.