5.3 KiB
5.3 KiB
Authorization (Auth-Z) Proposal
Components
Core-Auth consisists of various components:
- A web app for users to authenticate with.
- A web app for users to manage auth-z policies.
- An API to serve auth-z queries.
- A common golang library to: validate auth-n tokens, assert identities from auth-n tokens, and fetch auth-z policies for users.
Design Strategy
- Users authenticate and are provided a JWT
- API keys are the same format JWT
- Apps use the common library to access core-auth API to fetch auth-z policies etc
- Auth-z policy requests supply an etag, policies are cached with a ttl
Basic Flow
- users log in via OAuth and are redirected to app with token (alternatively entities can use pregenerated api tokens)
- app uses common lib to assert identity from token
- app uses common lib to fetch auth-z policies (if not cached, or ttl expired) from configured auth-z server
- app uses common lib to assert permissions to requested resource(s)
input: policies, resource CRN(s)
output: yes/no, or filtered list of CRNs - app responds with: denial, full-results, or filter-results
Permissions Specification
Core Resource Namespaces (CRN)
Format: crn:provider:product:instance:resource-type:resource
provider
: a unique FQDN of the organization that created/maintains the applicationproduct
: a product id/name unique to the providerinstance
: an individual deployed instance of the product (FQDN, or UUID?)resource-type
: app specific resource type unqiue to the productresource
: the uniqe id of the resource in question (can use/
for nested resources)
Resource Namespace Examples
CoreUpdate Examples:
// CoreOS App
crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57
// CoreOS App's "stable" Group
crn:coreos.com:coreupdate:public.update.core-os.net:group:e96281a6-d1af-4bde-9a0a-97b76e56dc57/stable
Quay Example:
crn:quay.io:enterprise-registry:my-registry.my-company.com:repo:hello-world
Actions
Similar to CRN but defined and registered by individual apps. Action describes the type of access that should be allowed or denied (for example, read, write, list, delete, startService, and so on)
provider:product:name
provider
: a unique FQDN of the organization that created/maintains the application (same as CRN)product
: a product id/name unique to the provider (same as CRN)name
: the acutal name of the aciton in the product
Action Examples
CoreUpdate (general):
coreos.com:coreupdate:read
coreos.com:coreupdate:write
coreos.com:coreupdate:delete
CoreUpdate (finer grained control):
coreos.com:coreupdate:publish
coreos.com:coreupdate:pause
coreos.com:coreupdate:modifyBehavior
coreos.com:coreupdate:modifyChannel
coreos.com:coreupdate:modifyVersion
Policies
{
"apiVersion": "v1",
"id": "7CFCE45E-610A-407C-84DB-86A24658B217",
"label": "my policy",
"statements": [
{
"effect": "allow",
"resource": ["crn:..."],
"action": ["crn:..."],
},
]
}
Policy:
apiVersion
: the policy API versionid
: unique id of the policylabel
: human readable label for the policystatements
: the main element for a policy. it is a list of multiple statements defining access.
Statement:
effect
: "allow" or "deny"resource
: the CRN of the resourceaction
: described in action section
Policiy Examples
CoreUpdate Example:
{
"apiVersion": "v1",
"id": "rando-uuid",
"label": "admin",
"description": "allows full admin access to everything",
"statements": [
{
"effect": "allow",
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
"action": ["coreos.com:coreupdate:*"],
},
]
}
{
"apiVersion": "v1",
"id": "rando-uuid",
"label": "full-read-only",
"description": "allows read only access to everything",
"statements": [
{
"effect": "allow",
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
"action": ["coreos.com:coreupdate:read"],
},
]
}
{
"apiVersion": "v1",
"id": "rando-uuid",
"label": "full-internal-only",
"description": "allows read access to everything, denys write access to the main CoreOS app",
"statements": [
{
"effect": "allow",
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:*:*"],
"action": ["coreos.com:coreupdate:read"],
},
{
"effect": "deny",
"resource": ["crn:coreos.com:coreupdate:public.update.core-os.net:app:e96281a6-d1af-4bde-9a0a-97b76e56dc57"],
"action": ["coreos.com:coreupdate:write"],
},
]
}
Policy Associations
Policies can be attached to Organizations, Groups, or Users.
Core Auth API
Should support the following operations:
- create/delete actions
- create/delete resources
- get policies for entity
- TBD
- TBD
Open Questions
- Do we support resource-based permissions?
- Do we need to include the org in the CRNs?
- Do we version the policies (different than apiVersion) for easy undo/history?
- Should we have an
enabled
flag on policies? - How to handle public anonymous access?
- Include the AWS equivalent of
NotResource
andNotAction
? - Do we need to support conditions in policies? Perhaps we don't need these for v1.