Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: Add RBAC package for managing user permissions #929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 79 commits into from
Apr 13, 2022
Merged

feat: Add RBAC package for managing user permissions #929

merged 79 commits into from
Apr 13, 2022

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Apr 8, 2022
edited
Loading

What this does

Authorize is the stub function that will be called externally. This is the main entry-point for the package.

#715 , #716, #718, #720, #725

Making a user with given roles

See example_test.go to see how to add multiple roles to a user. SubjectTODO is a placeholder, and roles can be serialized for db storage. Serialization is not implemented until required.

user := authz.SubjectTODO{
	UserID: "alice",
	Roles: []authz.Role{
		authz.RoleOrgAdmin("default"),
		authz.RoleSiteMember,
	},
}

Using Authorize

Authorize is a function on an authorizer. For now, the authorizer just precompiles a builtin rego policy.

For example, to "Read all workspaces in the org Coder", we create a ResourceWorkspace owned by the org Coder

// In practice 'Coder' would be a uuid
authz.Authorize(ctx, user.ID, user.Roles, authz.ActionRead, authz.ResourceWorkspace.InOrg("Coder"))

To read all workspaces across the whole product, we omit the owner id since we want to include the set of all workspaces.

authz.Authorize(ctx, user.ID, user.Roles,  authz.ActionRead, authz.ResourceWorkspace.All())

Making a new Role

Most roles are just * and easy to write. One example of enumerating certain permissions uses a helper function to keep the role as few LoC:

coder/coderd/authz/role.go

Lines 40 to 47 in f5d95ef

RoleSiteAuditor = Role{
Name: "site-auditor",
Site: permissions(map[ResourceType][]Action{
ResourceAuditLogs: {ActionRead},
// Should be able to read user details to associate with logs.
// Without this the user-id in logs is not very helpful
ResourceUser: {ActionRead},
}),

The helper func omits negative permissions, but those can be defined explicitly. Note that no builtin roles require negative permissions, and are only needed for edge cases that we don't need to support in MVP.

Benchmarks

736 permission checks were done in <300ms. I think this is fast enough.
The rego handles role expansion, which is kinda neat.

Emyrk and others added 30 commits March 31, 2022 15:46
@Emyrk @johnstcn
WIP: This is a massive WIP
ab61328 
Just testing out some ideas. The code is far from finished, and
very sloppy. Committing to share it to start conversations
@Emyrk @johnstcn
More info in the print
03e4d0f
@Emyrk @johnstcn
Fix all()
9981291
@Emyrk @johnstcn
reduce the amount of memoery allocated
3ab32da
@Emyrk @johnstcn
Reuse a buffer
e1d5893
@Emyrk @johnstcn
fix: use return size over size
84a90f3
@Emyrk @johnstcn
WIP: don't look at this
1fac0d9
@johnstcn
WIP: 🍐 auth-> testdata, refactoring and restructuring
1e3aac0
@johnstcn
testdata -> authztest
e977e84
@johnstcn
WIP: start work on SVO
00a7c3f
@Emyrk
reduce allocations for union sets
1f04c01
@Emyrk
fix: Fix nil permissions as Strings()
fbf4db1
@Emyrk
chore: Make all permission variant levels
4946897 
Playing around with helper functions to make life easy
@Emyrk
First full draft of the authz authorize test
7e6cc66
@Emyrk
Tally up failed tests
a0017e5
@Emyrk
Change test pkg
4b110b3
@Emyrk
Use an interface for the object
65ef4e3
@johnstcn
fix: make authztest.Objects return correct type
d294786
@johnstcn
refactor: rename consts {Read,Write,Modify,Delete}Action to Action$1
c1f8945
@Emyrk
chore: Define object interface
01f3d40 
- Cleanup some code too
@Emyrk
test: Unit test extra properties
de7de6e
@Emyrk
Merge remote-tracking branch 'origin/stevenmasley/rbac' into stevenma…
4c86e44 
…sley/rbac
@Emyrk
put back interface assertion
30c6568
@Emyrk
Fix some compile errors from merge
a419a65
@Emyrk
test: Roles, sets, permissions, iterators
bbd1c4c
@Emyrk
Test string functions
def010f
@Emyrk
test: Unit test permission string
c4ee590 
- Add some docs
@Emyrk
Add A+ and A-
84e3ab9
@Emyrk
Parallelize tests
c2eec18
@Emyrk
fix code line in readme
5a2834a
@Emyrk Emyrk marked this pull request as ready for review April 12, 2022 14:55
kylecarbs
kylecarbs approved these changes Apr 12, 2022
View reviewed changes
Copy link
Member

@kylecarbs kylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should change the PR title to something like: feat: Add RBAC package for managing user permissions. This is a big deal!

coderd/rbac/authz.go
Comment on lines +23 to +32
query, err := rego.New(
// allowed is the `allow` field from the prepared query. This is the field to check if authorization is
// granted.
rego.Query("allowed = data.authz.allow"),
rego.Module("policy.rego", policy),
).PrepareForEval(ctx)

if err != nil {
return nil, xerrors.Errorf("prepare query: %w", err)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we do this in init and panic if an error occurs? Then users don't have to hold a struct, and can just call Authorize.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about that, and I just hate init() functions. I figure we can put the init() anywhere if it's a pain to pass around, meaning we can put the init in coderd somewhere too. So we can decide to init() once we use this.

We will need more PRs for integration, and that is when I think we can make that call.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough fair enough

@Emyrk Emyrk changed the title feat: Authorize stub function feat: Add RBAC package for managing user permissions Apr 12, 2022
@Emyrk Emyrk mentioned this pull request Apr 12, 2022
Closed
10 tasks
@johnstcn johnstcn self-requested a review April 13, 2022 13:27
@johnstcn johnstcn merged commit 770c567 into main Apr 13, 2022
@johnstcn johnstcn deleted the cj/rbac_table_driven branch April 13, 2022 13:35
This was referenced Apr 13, 2022
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@misskniss misskniss added this to the V2 Beta milestone May 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kylecarbs kylecarbs kylecarbs approved these changes

@deansheather deansheather deansheather left review comments

@johnstcn johnstcn johnstcn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
V2 Beta
Development

Successfully merging this pull request may close these issues.
5 participants
@Emyrk @johnstcn @kylecarbs @deansheather @misskniss