mystiq/dex
Archived
4
0
Fork 1
Code Issues Pull requests Packages Projects Releases Wiki Activity
This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.
dex/Documentation/proposals/authorization.md

5.3 KiB
Raw Blame History

Authorization (Auth-Z) Proposal

Components

Core-Auth consisists of various components:

  1. A web app for users to authenticate with.
  2. A web app for users to manage auth-z policies.
  3. An API to serve auth-z queries.
  4. A common golang library to: validate auth-n tokens, assert identities from auth-n tokens, and fetch auth-z policies for users.

Design Strategy

  • Users authenticate and are provided a JWT
  • API keys are the same format JWT
  • Apps use the common library to access core-auth API to fetch auth-z policies etc
  • Auth-z policy requests supply an etag, policies are cached with a ttl

Basic Flow

  1. users log in via OAuth and are redirected to app with token (alternatively entities can use pregenerated api tokens)
  2. app uses common lib to assert identity from token
  3. app uses common lib to fetch auth-z policies (if not cached, or ttl expired) from configured auth-z server
  4. app uses common lib to assert permissions to requested resource(s)
    input: policies, resource CRN(s)
    output: yes/no, or filtered list of CRNs
  5. app responds with: denial, full-results, or filter-results

Permissions Specification

Core Resource Namespaces (CRN)

Format: crn:provider:product:instance:resource-type:resource

  • provider: a unique FQDN of the organization that created/maintains the application
  • product: a product id/name unique to the provider
  • instance: an individual deployed instance of the product (FQDN, or UUID?)
  • resource-type: app specific resource type unqiue to the product
  • resource: the uniqe id of the resource in question (can use / for nested resources)

Resource Namespace Examples

CoreUpdate Examples:

// CoreOS App
crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57
// CoreOS App's "stable" Group
crn:coreos.com:coreupdate:public.update.core-os.net:group:e96281a6-d1af-4bde-9a0a-97b76e56dc57/stable

Quay Example:

crn:quay.io:enterprise-registry:my-registry.my-company.com:repo:hello-world

Actions

Similar to CRN but defined and registered by individual apps. Action describes the type of access that should be allowed or denied (for example, read, write, list, delete, startService, and so on)

provider:product:name
  • provider: a unique FQDN of the organization that created/maintains the application (same as CRN)
  • product: a product id/name unique to the provider (same as CRN)
  • name: the acutal name of the aciton in the product

Action Examples

CoreUpdate (general):

coreos.com:coreupdate:read
coreos.com:coreupdate:write
coreos.com:coreupdate:delete

CoreUpdate (finer grained control):

coreos.com:coreupdate:publish
coreos.com:coreupdate:pause
coreos.com:coreupdate:modifyBehavior
coreos.com:coreupdate:modifyChannel
coreos.com:coreupdate:modifyVersion

Policies

{
  "apiVersion": "v1",
  "id": "7CFCE45E-610A-407C-84DB-86A24658B217",
  "label": "my policy",
  "statements": [
    {
      "effect": "allow",
      "resource": ["crn:..."],
      "action": ["crn:..."],
    },
  ]
}

Policy:

  • apiVersion: the policy API version
  • id: unique id of the policy
  • label: human readable label for the policy
  • statements: the main element for a policy. it is a list of multiple statements defining access.

Statement:

  • effect: "allow" or "deny"
  • resource: the CRN of the resource
  • action: described in action section

Policiy Examples

CoreUpdate Example:

{
  "apiVersion": "v1",
  "id": "rando-uuid",
  "label": "admin",
  "description": "allows full admin access to everything",
  "statements": [
    {
      "effect": "allow",
      "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
      "action": ["coreos.com:coreupdate:*"],
    },
  ]
}

{
  "apiVersion": "v1",
  "id": "rando-uuid",
  "label": "full-read-only",
  "description": "allows read only access to everything",
  "statements": [
    {
      "effect": "allow",
      "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
      "action": ["coreos.com:coreupdate:read"],
    },
  ]
}

{
  "apiVersion": "v1",
  "id": "rando-uuid",
  "label": "full-internal-only",
  "description": "allows read access to everything, denys write access to the main CoreOS app",
  "statements": [
    {
      "effect": "allow",
      "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
      "action": ["coreos.com:coreupdate:read"],
    },
    {
      "effect": "deny",
      "resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57"],
      "action": ["coreos.com:coreupdate:write"],
    },
  ]
}

Policy Associations

Policies can be attached to Organizations, Groups, or Users.

Core Auth API

Should support the following operations:

  • create/delete actions
  • create/delete resources
  • get policies for entity
  • TBD
  • TBD

Open Questions

  • Do we support resource-based permissions?
  • Do we need to include the org in the CRNs?
  • Do we version the policies (different than apiVersion) for easy undo/history?
  • Should we have an enabled flag on policies?
  • How to handle public anonymous access?
  • Include the AWS equivalent of NotResource and NotAction?
  • Do we need to support conditions in policies? Perhaps we don't need these for v1.