chore: Implement standard rbac.Subject to be reused everywhere#5881
Conversation
An rbac subject is created in multiple spots because of the way we expand roles, scopes, etc. This difference in use creates a list of arguments which is unwieldy. Use of the expander interface lets us conform to a single subject in every case.
type Subject struct { | ||
ID string | ||
Roles ExpandableRoles | ||
Groups []string | ||
Scope ExpandableScope | ||
} |
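Review bot: the exported type Subject and its four fields carry no doc comments; add one stating that ID identifies the user or system actor, that Roles and Scope are expanded by the authorizer (callers pass RoleNames or explicit Roles, not pre-expanded permissions), and that Scope is required, since ExpandableScope is an interface and a zero-value Subject carries a nil Scope that the authorizer must treat as an error rather than as "no restriction".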
This is the added type shared by all callers now.
Authorize(ctx context.Context,subject Subject, action Action, object Object) error | ||
Prepare(ctx context.Context,subject Subject, action Action, objectType string) (PreparedAuthorized, error) |
This is the interface of the package changing to use fewer arguments.
return err | ||
} | ||
err := a.authorize(ctx, subject, action, object) | ||
span.SetAttributes(attribute.Bool("authorized", err == nil)) |
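Review bot: `attribute.Bool("authorized", err == nil)` records any non-nil error from a.authorize as authorized=false, so an internal evaluation failure is indistinguishable in traces from a genuine denial; record the error on the span as well (for example `span.RecordError(err)` when `err != nil`) or add a second attribute distinguishing denial from error, so that a trace filter on authorized=false surfaces only real denials and evaluation failures are not hidden among them.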
This is better than an event; I learned I can add attributes to a span after I started it. So it allows filtering the parent span on this attribute, which is what I want.
@@ -217,7 +219,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) { | |||
obj = dbObj.RBACObject() | |||
} | |||
err := api.Authorizer.ByRoleName(ctx, auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj) | |||
err := api.Authorizer.Authorize(ctx, auth.Actor, rbac.Action(v.Action), obj) |
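Review bot: the replaced call passed auth.Scope.ToRBAC() and auth.Groups explicitly, while the new call relies on auth.Actor already carrying the same scope and groups; this hunk does not show where auth.Actor is built, so confirm at that construction site that Scope and Groups are populated from the same sources as before, because a Subject with a nil Scope or empty Groups compiles and runs unchanged here while feeding the policy a different input.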
This is so much nicer and more readable ❤️
// SafeScopeName prevent nil pointer dereference. | ||
func (s Subject) SafeScopeName() string { | ||
if s.Scope == nil { |
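Review bot: the doc comment should read "SafeScopeName prevents a nil pointer dereference" and name the string returned when Scope is nil; if a nil Scope is a developer error rather than a valid state, keep this helper for logging paths only and have RegoAuthorizer.Authorize return an explicit error for a nil Scope instead of relying on the fallback name.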
Looking at RegoAuthorizer.Authorize, wouldn't this be a developer error?
It would be a developer error.
👍
This is purely a type refactor, and does not change any behavior.

What this does

Before this PR, the rbac package expected the caller to hold the various `Subject` fields, and pass them in as individual arguments: `(subjectID string, roleNames ExpandableRoles, scope ScopeName, groups []string)`. This was ok in the beginning when it was just `(ID, Roles)`, but it has grown to `scope` and `groups` as well.

This change ensures all subject fields are tightly coupled, and less likely to be mistakenly used. It also simplifies using `rbac` since the arguments are now `Authorize(ctx, subject, action, object)`.

The only downside is that logging still requires poking into the subject struct. But usage of the rbac package now takes fewer arguments.

What this enables

For the `authquerier` interface we wanted to enable the use of a `System` actor. This actor needs to have custom roles that should not be available to the user. This new `Subject` struct accepts both user defined roles, `RoleNames`, and explicit `Roles`. This allows us to create custom roles that will never be returned via an api or any other exporting of roles (docs, enums, etc).

Minor bonus, this allows unit tests to call `Authorize` directly as it was using explicit Roles.
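To make the two claims in the description concrete, a fail-closed `Authorize` that takes one `Subject` instead of four positional arguments, and a system actor whose explicit role is never listed among exportable roles, here is an added, self-contained Go sketch. It is example code written for this page, not the coder/coder rbac package: the types `Subject`, `RoleNames`, `Roles`, `Scope`, `Object` and `Action`, the `registry` map and `ExportedRoleNames` are all assumptions modelled on the names in the description, and the policy check is a toy stand-in for the project's rego evaluation.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
)

// Action and Object stand in for the rbac package's types. Every name in this
// file is an assumption for the example, not the coder/coder rbac API.
type Action string

type Object struct {
	Type string // e.g. "workspace"
}

// Role is an explicit role: its name plus the actions it grants per object type.
type Role struct {
	Name   string
	Grants map[string][]Action
}

// ExpandableRoles is either a list of role names resolved against the registry
// of exported roles (RoleNames), or explicit Role values that bypass it (Roles).
type ExpandableRoles interface {
	Expand(registry map[string]Role) ([]Role, error)
}

type RoleNames []string

func (n RoleNames) Expand(registry map[string]Role) ([]Role, error) {
	out := make([]Role, 0, len(n))
	for _, name := range n {
		r, ok := registry[name]
		if !ok {
			return nil, fmt.Errorf("unknown role %q", name)
		}
		out = append(out, r)
	}
	return out, nil
}

type Roles []Role

func (r Roles) Expand(map[string]Role) ([]Role, error) { return []Role(r), nil }

// Scope narrows what an otherwise-authorized subject may do (a token scope).
type Scope struct {
	Name    string
	Allowed map[Action]bool // nil map means every action is allowed
}

// Subject bundles every field the authorizer needs, as the PR's struct does.
type Subject struct {
	ID     string
	Roles  ExpandableRoles
	Groups []string
	Scope  *Scope
}

var ErrDenied = errors.New("unauthorized")

// Authorize takes the whole Subject rather than (id, roleNames, scope, groups).
// It fails closed: a nil Scope or an unresolvable role name is an error that is
// deliberately NOT ErrDenied, so callers can tell a developer error from a deny.
func Authorize(ctx context.Context, subject Subject, action Action, object Object) error {
	if subject.Scope == nil {
		return errors.New("developer error: subject has no scope")
	}
	if subject.Roles == nil {
		return errors.New("developer error: subject has no roles")
	}
	if subject.Scope.Allowed != nil && !subject.Scope.Allowed[action] {
		return fmt.Errorf("%w: scope %q does not allow %q", ErrDenied, subject.Scope.Name, action)
	}
	roles, err := subject.Roles.Expand(registry)
	if err != nil {
		return err
	}
	for _, r := range roles {
		for _, a := range r.Grants[object.Type] {
			if a == action {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: %s on %s", ErrDenied, action, object.Type)
}

// registry holds the user-assignable roles, the only ones an API or docs
// exporter would ever list (constructed sample data).
var registry = map[string]Role{
	"member": {Name: "member", Grants: map[string][]Action{"workspace": {"read"}}},
}

// systemRole is handed to the system actor as an explicit Role; it is never
// put in the registry, so ExportedRoleNames cannot leak it.
var systemRole = Role{Name: "system", Grants: map[string][]Action{"workspace": {"read", "update", "delete"}}}

// ExportedRoleNames is what an API, docs or enum generator would expose.
func ExportedRoleNames() []string {
	names := make([]string, 0, len(registry))
	for n := range registry {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	ctx := context.Background()
	all := &Scope{Name: "all"}
	ws := Object{Type: "workspace"}
	user := Subject{ID: "user-1", Roles: RoleNames{"member"}, Scope: all}
	system := Subject{ID: "system", Roles: Roles{systemRole}, Scope: all}
	fmt.Println(Authorize(ctx, user, "delete", ws))   // unauthorized: delete on workspace
	fmt.Println(Authorize(ctx, system, "delete", ws)) // <nil>
	fmt.Println(ExportedRoleNames())                  // [member]
}
```

The point of keeping the nil-scope and unknown-role errors distinct from `ErrDenied` mirrors the review discussion on `SafeScopeName`: a missing scope is a bug in the caller, and a trace or log that lumps it in with ordinary denials would hide it.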