Migrate to new ACL Architecture

Make Roles a dynamic thing, so not tied to any source of truth, cos in reality different services can create an infinite and arbitrary set of scopes. This also forms the basis of having the UI change based on what's allowed for the user.
unikorn-cloud · Apr 4, 2024 · 46116a0 · 46116a0
1 parent 1e39b32
commit 46116a0
Show file tree

Hide file tree

Showing 22 changed files with 896 additions and 355 deletions.
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.1.22
-appVersion: v0.1.22
+version: v0.1.23
+appVersion: v0.1.23
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
diff --git a/charts/identity/crds/identity.unikorn-cloud.org_organizations.yaml b/charts/identity/crds/identity.unikorn-cloud.org_organizations.yaml
@@ -90,13 +90,6 @@ spec:
                     roles:
                       description: Roles are a list of roles users of the group inherit.
                       items:
-                        description: Role defines the role a user has within the Scope
-                          of a group.
-                        enum:
-                        - superAdmin
-                        - admin
-                        - user
-                        - reader
                         type: string
                       type: array
                     users:

diff --git a/charts/identity/crds/identity.unikorn-cloud.org_roles.yaml b/charts/identity/crds/identity.unikorn-cloud.org_roles.yaml
@@ -0,0 +1,100 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: roles.identity.unikorn-cloud.org
+spec:
+  group: identity.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: Role
+    listKind: RoleList
+    plural: roles
+    singular: role
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          Role defines a role type that forms the basis of RBAC.  Permissions are
+          applied to arbitrary scopes that are used by individual components to
+          allow or prevent API access.  Roles are additive, so effective RBAC
+          permssions should be create from the boolean union for any roles that apply
+          to a user.  Roles can optionally be scoped to an organization to allow
+          deep customization of roles and permissions within that organization, for
+          example the system management organization may have an onboarding role that
+          allows basic account creation before handing off to the user.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RoleSpec defines the role's requested state.
+            properties:
+              isDefault:
+                description: |-
+                  IsDefault indicates that all authenticated users are granted
+                  the following scopes regardless of organizational group membership
+                  and typically are required for organization discovery and RBAC functionality
+                  in the first instance.
+                type: boolean
+              scopes:
+                description: Scopes are a list of uniquely named scopes for the role.
+                items:
+                  properties:
+                    name:
+                      description: |-
+                        Name is a unique name that applies to the scope.  Individual APIs should
+                        coordinate with one another to avoid clashes and privilege escallation.
+                      type: string
+                    permissions:
+                      description: Permissions defines a set of CRUD permissions for
+                        the scope.
+                      items:
+                        enum:
+                        - create
+                        - read
+                        - update
+                        - delete
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: set
+                  required:
+                  - name
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+            type: object
+          status:
+            description: RoleStatus defines any role status information.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
diff --git a/charts/identity/templates/deployment.yaml b/charts/identity/templates/deployment.yaml
@@ -36,6 +36,9 @@ spec:
             {{ printf "- --cors-max-age=%s" $cors.maxAge | nindent 8 }}
           {{- end }}
         {{- end }}
+        {{- if .Values.otlpEndpoint }}
+          {{ printf "- --otlp-endpoint=%s" .Values.otlpEndpoint | nindent 8 }}
+        {{- end }}
         volumeMounts:
         - name: unikorn-identity-jose-tls
           mountPath: /var/lib/secrets/unikorn-cloud.org/jose

diff --git a/charts/identity/templates/identity-role.yaml b/charts/identity/templates/identity-role.yaml
@@ -0,0 +1,18 @@
+{{- range $role, $spec := .Values.roles }}
+---
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: Role
+metadata:
+  name: {{ $role }}
+spec:
+  {{- if $spec.isDefault }}
+  isDefault: true
+  {{- end }}
+  {{- with $scopes := $spec.scopes }}
+  scopes:
+    {{- range $scope, $permissions := $scopes }}
+      {{- printf "- name: %s" $scope | nindent 4 }}
+      {{- printf "permissions: [%v]" ($permissions | join ", ") | nindent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/identity/templates/role.yaml b/charts/identity/templates/role.yaml
@@ -10,6 +10,7 @@ rules:
   resources:
   - oauth2clients
   - oauth2providers
+  - roles
   - organizations
   verbs:
   - list

diff --git a/charts/identity/values.yaml b/charts/identity/values.yaml
@@ -54,6 +54,33 @@ host: identity.acme.org
 #   # The client secret assigned by the identity provider.
 #   clientSecret:  GOCSPX-akjfdns3238r328r9832rewjbds
 
+# A static list of roles.
+roles:
+  # A default role contains permissions that work at any scope
+  # in the system, and are a set of minimum required permissions.
+  default:
+    isDefault: true
+    scopes:
+      roles: [read]
+      organizations: [read]
+  reader:
+    scopes:
+      projects: [read]
+      infrastructure: [read]
+  user:
+    scopes:
+      projects: [read]
+      infrastructure: [create,read,update,delete]
+  admin:
+    scopes:
+      roles: [read]
+      organizations: [read,update]
+      groups: [create,read,update,delete]
+      oauth2providers-public: [read]
+      oauth2providers-private: [create,read,update,delete]
+      projects: [create,read,update,delete]
+      infrastructure: [create,read,update,delete]
+
 # A static list of oauth2 domain mappings.
 # organizations:
 # - # Must be a member of the the domain.
@@ -106,3 +133,6 @@ ingress:
 #   allowOrigin: ['*']
 #   # How long to cache the CORS preflight for, mostly useless as browsers override this.
 #   maxAge: 86400
+
+# Sets the OTLP endpoint for shipping spans.
+# otlpEndpoint: jaeger-collector.default:4318
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.20
+	github.com/unikorn-cloud/core v0.1.21
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0
 	go.opentelemetry.io/otel/sdk v1.24.0