Tighten RBAC
As the user's token is used to provision things e.g. physical networks,
this presents a very real danger of DoS attacks that exhaust all
available VLANs for example.  This simplifies RBAC so the user is only
allowed to operate on kubernetes clusters, and thus cannot have direct
low level access to the region service; they must go via a higher order
abstraction.  This has the knock-on effect of making quota management a
lot easier in the future, and acts as precedent for the compute service
to stop the same "mistakes" (actually, it's just natural evolution) from
occurring.
spjmurray committed Nov 1, 2024
1 parent a251ab4 commit f5ac90a
Showing 2 changed files with 11 additions and 11 deletions.
4 changes: 2 additions & 2 deletions charts/kubernetes/Chart.yaml
Expand Up @@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn Kubernetes Service

type: application

version: v0.2.45
appVersion: v0.2.45
version: v0.2.46
appVersion: v0.2.46

icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

18 changes: 9 additions & 9 deletions pkg/server/handler/handler.go
Expand Up @@ -78,15 +78,15 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDClustermanagers(w http.Resp
}

result = slices.DeleteFunc(result, func(resource openapi.ClusterManagerRead) bool {
return rbac.AllowProjectScope(r.Context(), "kubernetesclustermanagers", identityapi.Read, organizationID, resource.Metadata.ProjectId) != nil
return rbac.AllowProjectScope(r.Context(), "kubernetes:clustermanagers", identityapi.Read, organizationID, resource.Metadata.ProjectId) != nil
})

h.setUncacheable(w)
util.WriteJSONResponse(w, r, http.StatusOK, result)
}

func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDClustermanagers(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclustermanagers", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clustermanagers", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -109,7 +109,7 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDClusterma
}

func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDClustermanagersClusterManagerID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, clusterManagerID openapi.ClusterManagerIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclustermanagers", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clustermanagers", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -124,7 +124,7 @@ func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDCluster
}

func (h *Handler) PutApiV1OrganizationsOrganizationIDProjectsProjectIDClustermanagersClusterManagerID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, clusterManagerID openapi.ClusterManagerIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclustermanagers", identityapi.Update, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clustermanagers", identityapi.Update, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -159,15 +159,15 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDClusters(w http.ResponseWri
}

result = slices.DeleteFunc(result, func(resource openapi.KubernetesClusterRead) bool {
return rbac.AllowProjectScope(r.Context(), "kubernetesclusters", identityapi.Read, organizationID, resource.Metadata.ProjectId) != nil
return rbac.AllowProjectScope(r.Context(), "kubernetes:clusters", identityapi.Read, organizationID, resource.Metadata.ProjectId) != nil
})

h.setUncacheable(w)
util.WriteJSONResponse(w, r, http.StatusOK, result)
}

func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDClusters(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclusters", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clusters", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -196,7 +196,7 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDClusters(
}

func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDClustersClusterID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, clusterID openapi.ClusterIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclusters", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clusters", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -217,7 +217,7 @@ func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDCluster
}

func (h *Handler) PutApiV1OrganizationsOrganizationIDProjectsProjectIDClustersClusterID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, clusterID openapi.ClusterIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclusters", identityapi.Update, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clusters", identityapi.Update, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -245,7 +245,7 @@ func (h *Handler) PutApiV1OrganizationsOrganizationIDProjectsProjectIDClustersCl
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDClustersClusterIDKubeconfig(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, clusterID openapi.ClusterIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "kubernetesclusters", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "kubernetes:clusters", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
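Review bot: The new scope strings `"kubernetes:clusters"` and `"kubernetes:clustermanagers"` are matched against role definitions that live outside this repository (presumably the identity service), and nothing in the commit updates them, so until those roles are renamed every one of these checks will deny; that is fail-closed, which is the safe direction, but the required upgrade ordering should be stated in the commit message or the chart's release notes since the version bump is the only signal here. The same literal is now repeated at nine call sites, so a package-level constant such as `const scopeClusters = "kubernetes:clusters"` next to the handler would keep them from drifting apart again. Separately, the kubeconfig handler at the end of the section gates credential retrieval on the same `identityapi.Read` verb as listing cluster metadata; if the returned kubeconfig carries cluster-admin credentials, it may warrant a distinct scope or verb so that read-only roles do not implicitly obtain it.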
