
AuthZ: Further protect admin endpoints #86285

Merged: 5 commits into main, Apr 16, 2024

Conversation

IevaVasiljeva
Contributor

What is this feature?

Add several security improvements, notably:

  • require a user to be a Grafana Server Admin in order to be able to set the Server Admin role;
  • authorize admin endpoints globally, as all of these are actions with global impact;
  • check service account permissions globally for global actions (related to changes in Authn: allow ResolveIdentity to authenticate in "global" scope #85835 - I think we forgot to specify AllowGlobalOrg for service accounts).

Why do we need this feature?

To make sure that users and service accounts with local admin permissions can't carry out actions with global (cross-organization) impact.

Which issue(s) does this PR fix?

Fixes https://github.com/grafana/identity-access-team/issues/644

@IevaVasiljeva IevaVasiljeva added this to the 11.1.x milestone Apr 16, 2024
@IevaVasiljeva IevaVasiljeva requested review from mgyongyosi, gamab, kalleep and a team April 16, 2024 10:55
@IevaVasiljeva IevaVasiljeva requested review from a team as code owners April 16, 2024 10:55
@IevaVasiljeva IevaVasiljeva requested review from diegommm, mildwonkey and undef1nd and removed request for a team April 16, 2024 10:55

@kalleep kalleep left a comment


Great. A couple of questions, but nothing blocking the PR.

@@ -353,6 +353,7 @@ func (s *Service) resolveIdenity(ctx context.Context, orgID int64, namespaceID a
ID: namespaceID.String(),
OrgID: orgID,
ClientParams: authn.ClientParams{
AllowGlobalOrg: true,
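Review bot: `AllowGlobalOrg: true` reads like a grant rather than a tightening, and nothing in the hunk records why it is safe for service accounts; a comment on that line (the flag is needed so that a check requested for the global org is actually evaluated in org 0 rather than the caller's current org) plus a test in which a service account with admin permissions only in its own org is denied a global action would document the intent. Also, `resolveIdenity` in the function signature shown in the hunk header is misspelled (`resolveIdentity`).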
Contributor


Are we supposed to allow service accounts to use the global org?

Contributor Author

@IevaVasiljeva IevaVasiljeva Apr 16, 2024


They shouldn't be able to do anything in the global org, so any checks in the global org should fail. What happens now, though, is that FetchSyncedUserHook sets the user's org ID to their current org when the signed-in user is fetched (code), and it doesn't get reset to 0 by FetchSyncedUserHook (here) because AllowGlobalOrg is set to false. So when we evaluate permissions, we do it in the current org instead of the global org, and the evaluation passes.
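To make the failure mode described in this comment (and the "check service account permissions globally" item in the PR description) concrete, here is an added, simplified model that is not Grafana's code: an identity requested for the global org (ID 0) ends up evaluated in the caller's current org unless AllowGlobalOrg is set. The `Identity`, `resolveIdentity`, `evalPermission` and `checkGlobalAction` names are hypothetical stand-ins for the signed-in user, FetchSyncedUserHook and the access-control evaluator.

```go
package main

import "fmt"

// GlobalOrgID is the org used for cross-organization ("global") checks;
// the thread describes the org ID being "reset to 0" for these.
const GlobalOrgID int64 = 0

// Identity is a hypothetical stand-in for Grafana's signed-in user.
type Identity struct {
	CurrentOrgID int64                     // org stored on the user record
	OrgID        int64                     // org the permission check is evaluated in
	Permissions  map[int64]map[string]bool // orgID -> action -> granted
}

// resolveIdentity models the behaviour described in the comment above: the
// user-fetch hook overwrites the requested org with the user's current org,
// and only AllowGlobalOrg restores the global org afterwards.
func resolveIdentity(user *Identity, requestedOrg int64, allowGlobalOrg bool) {
	user.OrgID = user.CurrentOrgID // FetchSyncedUserHook stand-in: requested org is lost
	if requestedOrg == GlobalOrgID && allowGlobalOrg {
		user.OrgID = GlobalOrgID // reset to 0 so the check is really global
	}
}

// evalPermission answers the check in whichever org the identity resolved to.
func evalPermission(user *Identity, action string) bool {
	return user.Permissions[user.OrgID][action]
}

// checkGlobalAction runs a global-scope authorization for a principal whose
// record lives in currentOrg; it returns true when the action is permitted.
func checkGlobalAction(currentOrg int64, perms map[int64]map[string]bool, allowGlobalOrg bool, action string) bool {
	user := &Identity{CurrentOrgID: currentOrg, Permissions: perms}
	resolveIdentity(user, GlobalOrgID, allowGlobalOrg)
	return evalPermission(user, action)
}

func main() {
	// Constructed sample: a service account that is an admin in org 1 only.
	perms := map[int64]map[string]bool{1: {"users:create": true}}
	fmt.Println("AllowGlobalOrg=false ->", checkGlobalAction(1, perms, false, "users:create")) // true (bug: checked in org 1)
	fmt.Println("AllowGlobalOrg=true  ->", checkGlobalAction(1, perms, true, "users:create"))  // false (checked in org 0)
}
```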

Comment on lines 179 to 181
if !c.SignedInUser.IsGrafanaAdmin {
return response.Error(http.StatusForbidden, "You must be a Grafana Admin to grant and revoke Grafana Admin permissions", nil)
}
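Review bot: this `IsGrafanaAdmin` check lives in the handler body rather than at route registration, so it is enforced only for this one handler and is not visible when reviewing the admin routes in `api.go` alongside their `authorizeInOrg` guards; moving it into the route middleware (as suggested in the thread) keeps all authorization for the endpoint in one place and makes the Grafana Admin requirement for granting or revoking Grafana Admin permissions auditable from the route table.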
Contributor


An alternative would be to use this middleware for this endpoint. Either way is fine.

Contributor Author


Ah nice, I forgot about that one. I'll use the middleware then to slightly centralise the access checks.

pkg/api/api.go Outdated
Comment on lines 575 to 586
adminUserRoute.Post("/", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersCreate)), routing.Wrap(hs.AdminCreateUser))
adminUserRoute.Put("/:id/password", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersPasswordUpdate, userIDScope)), routing.Wrap(hs.AdminUpdateUserPassword))
adminUserRoute.Put("/:id/permissions", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersPermissionsUpdate, userIDScope)), routing.Wrap(hs.AdminUpdateUserPermissions))
adminUserRoute.Delete("/:id", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersDelete, userIDScope)), routing.Wrap(hs.AdminDeleteUser))
adminUserRoute.Post("/:id/disable", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersDisable, userIDScope)), routing.Wrap(hs.AdminDisableUser))
adminUserRoute.Post("/:id/enable", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersEnable, userIDScope)), routing.Wrap(hs.AdminEnableUser))
adminUserRoute.Get("/:id/quotas", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersQuotasList, userIDScope)), routing.Wrap(hs.GetUserQuotas))
adminUserRoute.Put("/:id/quotas/:target", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersQuotasUpdate, userIDScope)), routing.Wrap(hs.UpdateUserQuota))

adminUserRoute.Post("/:id/logout", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersLogout, userIDScope)), routing.Wrap(hs.AdminLogoutUser))
adminUserRoute.Get("/:id/auth-tokens", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersAuthTokenList, userIDScope)), routing.Wrap(hs.AdminGetUserAuthTokens))
adminUserRoute.Post("/:id/revoke-auth-token", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersAuthTokenUpdate, userIDScope)), routing.Wrap(hs.AdminRevokeUserAuthToken))
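Review bot: every registration here now evaluates in `ac.UseGlobalOrg`, but the `/:id/permissions` route only checks `ac.ActionUsersPermissionsUpdate` with `userIDScope`; the Grafana Admin requirement for granting or revoking the Server Admin role is enforced separately in the handler, so a comment on that line (or the middleware discussed above) would make the full requirement visible in one place. Since the `userIDScope` scopes may become `users:id` once global evaluation is in place, a test that a user holding these permissions only in a non-global org is denied on each route would pin the intended behaviour before that follow-up.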
Contributor


I believe this fix would allow us to change the scopes to users:id instead of a special global scope! But we would have to confirm that.

Contributor Author


Oh, good point! I didn't even think about that. I think you're right.

@IevaVasiljeva IevaVasiljeva merged commit 036f826 into main Apr 16, 2024
12 checks passed
@IevaVasiljeva IevaVasiljeva deleted the ieva/further-protect-admin-endpoints branch April 16, 2024 14:48
@kevinwcyu kevinwcyu modified the milestones: 11.1.x, 11.1.0 Jun 21, 2024