flow for unprivileged users #1354
Comments
|
We discussed this in today's RAP/IAM call. Here's what I think we landed on: rather than changing anything about the current behavior, we recommend that customers deploying the rack have an "everyone" group in their IdP that has everybody in it. Then when they set up the Silo, one of the first steps should be to grant the "silo viewer" role to that group. This is blocked on IdP group support, which is in progress. Concretely, for the demo, this means that both "alice" and "bob" would be in the "everyone" group. When we create the Silo, "alice" will grant the "silo viewer" role to the "everyone" group. This is part of the pre-demo setup. During the demo, bob can log in for the first time and will be able to see everything. (We could also move this assignment to during the demo, showing that "bob" initially has no permissions. But we can't demo that now without an We considered the alternative of granting all silo users the ability to see all Organizations and Projects in the Silo. This could be evolved in a way that's able to be locked-down and even locked-down by default. In v1, we just say that all users can see all Organizations and Projects. In v2, we could create the idea of built-in groups that includes an "everyone" group. As part of that upgrade, we'd create a role assignment for each existing Organization and Project that grants the "everyone" group the "viewer" role on that resource. We'd also create that role assignment for all new Organizations and Projects. In summary, in v2, the default behavior is the same (everyone can see everything), but individual Organizations and Projects could be restricted. In v3, we could allow configuration at the Silo, Organization, or Project level that says what role assignments are granted by default for new children. (Or we could just require you to specify this when you create any Organization or Project, and just have the console prepopulate "everyone is a viewer".) |
Added a new package, crucible-dtrace that pulls from buildomat a package that contains a set of DTrace scripts. These scripts are extracted into the global zone at /opt/oxide/crucible_dtrace/ Update Crucible to latest includes these updates: Clean up dependency checking, fixing space leak (#1372) Make a DTrace package (#1367) Use a single context in all messages (#1363) Remove `DownstairsWork`, because it's redundant (#1371) Remove `WorkState`, because it's implicit (#1370) Do work immediately upon receipt of a job, if possible (#1366) Move 'do work for one job' into a helper function (#1365) Remove `DownstairsWork` from map when handling it (#1361) Using `block_in_place` for IO operations (#1357) update omicron deps; use re-exported dropshot types in oximeter-producer configuration (#1369) Parameterize more tests (#1364) Misc cleanup, remove sqlite references. (#1360) Fix `Extent::close` docstring (#1359) Make many `Region` functions synchronous (#1356) Remove `Workstate::Done` (unused) (#1355) Return a sorted `VecDeque` directly (#1354) Combine `proc_frame` and `do_work_for` (#1351) Move `do_work_for` and `do_work` into `ActiveConnection` (#1350) Support arbitrary Volumes during replace compare (#1349) Remove the SQLite backend (#1352) Add a custom timeout for buildomat tests (#1344) Move `proc_frame` into `ActiveConnection` (#1348) Remove `UpstairsConnection` from `DownstairsWork` (#1341) Move Work into ConnectionState (#1340) Make `ConnectionState` an enum type (#1339) Parameterize `test_repair.sh` directories (#1345) Remove `Arc<Mutex<Downstairs>>` (#1338) Send message to Downstairs directly (#1336) Consolidate `on_disconnected` and `remove_connection` (#1333) Move disconnect logic to the Downstairs (#1332) Remove invalid DTrace probes. (#1335) Fix outdated comments (#1331) Use message passing when a new connection starts (#1330) Move cancellation into Downstairs, using a token to kill IO tasks (#1329) Make the Downstairs own per-connection state (#1328) Move remaining local state into a `struct ConnectionState` (#1327) Consolidate negotiation + IO operations into one loop (#1322) Allow replacement of a target in a read_only_parent (#1281) Do all IO through IO tasks (#1321) Make `reqwest_client` only present if it's used (#1326) Move negotiation into Downstairs as well (#1320) Update Rust crate clap to v4.5.4 (#1301) Reuse a reqwest client when creating Nexus clients (#1317) Reuse a reqwest client when creating repair client (#1324) Add % to keep buildomat happy (#1323) Downstairs task cleanup (#1313) Update crutest replace test, and mismatch printing. (#1314) Added more DTrace scripts. (#1309) Update Rust crate async-trait to 0.1.80 (#1298)
Update Crucible and Propolis to the latest Added a new package, crucible-dtrace that pulls from buildomat a package that contains a set of DTrace scripts. These scripts are extracted into the global zone at /opt/oxide/crucible_dtrace/ Crucible latest includes these updates: Clean up dependency checking, fixing space leak (#1372) Make a DTrace package (#1367) Use a single context in all messages (#1363) Remove `DownstairsWork`, because it's redundant (#1371) Remove `WorkState`, because it's implicit (#1370) Do work immediately upon receipt of a job, if possible (#1366) Move 'do work for one job' into a helper function (#1365) Remove `DownstairsWork` from map when handling it (#1361) Using `block_in_place` for IO operations (#1357) update omicron deps; use re-exported dropshot types in oximeter-producer configuration (#1369) Parameterize more tests (#1364) Misc cleanup, remove sqlite references. (#1360) Fix `Extent::close` docstring (#1359) Make many `Region` functions synchronous (#1356) Remove `Workstate::Done` (unused) (#1355) Return a sorted `VecDeque` directly (#1354) Combine `proc_frame` and `do_work_for` (#1351) Move `do_work_for` and `do_work` into `ActiveConnection` (#1350) Support arbitrary Volumes during replace compare (#1349) Remove the SQLite backend (#1352) Add a custom timeout for buildomat tests (#1344) Move `proc_frame` into `ActiveConnection` (#1348) Remove `UpstairsConnection` from `DownstairsWork` (#1341) Move Work into ConnectionState (#1340) Make `ConnectionState` an enum type (#1339) Parameterize `test_repair.sh` directories (#1345) Remove `Arc<Mutex<Downstairs>>` (#1338) Send message to Downstairs directly (#1336) Consolidate `on_disconnected` and `remove_connection` (#1333) Move disconnect logic to the Downstairs (#1332) Remove invalid DTrace probes. (#1335) Fix outdated comments (#1331) Use message passing when a new connection starts (#1330) Move cancellation into Downstairs, using a token to kill IO tasks (#1329) Make the Downstairs own per-connection state (#1328) Move remaining local state into a `struct ConnectionState` (#1327) Consolidate negotiation + IO operations into one loop (#1322) Allow replacement of a target in a read_only_parent (#1281) Do all IO through IO tasks (#1321) Make `reqwest_client` only present if it's used (#1326) Move negotiation into Downstairs as well (#1320) Update Rust crate clap to v4.5.4 (#1301) Reuse a reqwest client when creating Nexus clients (#1317) Reuse a reqwest client when creating repair client (#1324) Add % to keep buildomat happy (#1323) Downstairs task cleanup (#1313) Update crutest replace test, and mismatch printing. (#1314) Added more DTrace scripts. (#1309) Update Rust crate async-trait to 0.1.80 (#1298) Propolis just has this one update: Allow boot order config in propolis-standalone --------- Co-authored-by: Alan Hanson <alan@oxide.computer>
Suppose you create a Silo with a real identity provider (IdP). The first time an IdP user logs in, their user is JIT-provisioned in the Silo. If the operator has set things up so that roles are assigned to members of IdP groups, and the user is a member of some groups that have roles, then the user may get some privileges -- great. But if not, the new user has no roles on any resource. Right now, that means they won't see any Organizations, which means they can't see anything else either. Fair enough -- they don't have access to anything.
We talked briefly about saying that unprivileged users in a Silo should have the privileges required to list the Organizations in the Silo. The thinking would be: if you don't trust everyone in the Silo to know about each others' Organizations, well, put them into different Silos. But I realized this isn't enough: now they can see the Organizations, but they can't see the Projects or anything else in the Organizations. That's not much better.
Another thing that sucks here: suppose somebody does share a particular Project with them. None of this changes: they still can't see any Organizations. If they know the name of the Organization and Project, they can navigate to it and all should be fine. But they'd have to type that into the URL bar.
I see a couple of options here:
The text was updated successfully, but these errors were encountered: