-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Role-Based Access Control (RBAC) #95
base: master
Are you sure you want to change the base?
Conversation
### Performance | ||
|
||
Access control checks query the database on every request. | ||
To mitigate performance impact, a user's access rules can be preloaded into memory and stored in the user's session data during login, enabling faster access control validation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small issue: if the rules that apply to a user change while they are logged in, this will lead to a mismatch, how will we address that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As first step I think we should not cache any information. We can change that if we notice any performance issue. The topical (as most simple) solution for this kind of situation is that the user must logout and login again.
Another option is to check which sessions are active in the database for user affected by the access change an invalidate those authentication sessions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. But when we decide to implement caching, I think safest and easiest solution would be to simply kick the user out and require a new login whenever their permissions change. This shouldn't happen often anyway.
How do we plan to integrate all of this with the frontend? If a user does not have W on a resource, it doesn't make sense to show them UI components that will just throw an error when they try to save changes. So we would also need to make this information available to the UI in some manner and enforce checks there as well for usability. |
@Etheryte In my opinion that is a good usability improvement but should be considered a second step. With this RFC we want to set the foundations in term of authentication and changing all the pipes to make it more robust and configurable. As next step I think we can improve a lot the UI, and make it more tailored to the end user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, this RBAC implementation will not help with something like proxy admin seeing only systems below that proxy, right?
Visibility will still be based only on organization level, correct?
accepted/00000-rbac.md
Outdated
|
||
1. **Authentication:** Identifies the user calling this action. | ||
2. **Authorization:** Determines if the user is allowed to call the endpoints for this action. | ||
3. **Accounting:** Assesses whether the user is permitted to operate on a specific entity. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it is my bad English, but are you sure Accounting
means this? Everywhere I looked, accounting is about measuring, logging etc.
From the sentence in the RFC I would assume accounting is some action which can block user access.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a concept in user access control called Authentication, Authorization, and Accounting (AAA)
Here some links talking about it:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll try to rephrase this to be more clear
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, this RBAC implementation will not help with something like proxy admin seeing only systems below that proxy, right?
Visibility will still be based only on organization level, correct?
This actually refers to "Accounting". No, at this point we won't control access at this level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well not according to those links @rjmateus provided. Accounting is according to those links:
Accounting, the final process in the framework, is all about measuring what's happening within the network. As part of the protocol, it will collect and log data on user sessions, such as length of time, type of session, and resource usage. The value here is that it offers a clear audit trail for compliance and business purposes.
Accounting
Accounting records the used service type, start time, and data traffic to collect and record the network resource usage of the user for implementing time- or traffic-based accounting and network monitoring.
So to me this sound like Accounting it measuring and logging and no way it can decide user has access to this or that. It is simple passive step of logging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the "visibility" of resource should be part of Authorization step.
But as we do this RBAC over API calls and not over resources, I guess there is no way to limit user access to individual machines.
User has access to system/listSystems
API call and thus can list all systems of given organization (assuming organization visibility will remain).
User has write access to system/deleteSystem
and thus can remove all systems of given organization.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And now I'm trying to figure out from where I read that statement :-|
And you are completely right, Accounting is the process of recording all the user interactions.
Currently access control to machines have a different process on SUMA, and relies on 2 roles (spacewalk admin and organization admin) and also if a user is assigned to a systems group.
This is something we can refactor, but in my opinion should be a different step.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aaannz thank you for pointing it out. Resource access should be one step of the Authorization
process. However, This RFC is focusing only at the part ...perform operation O...
. This would be already a big step, since the role/access control is spread across all the code (from API definition, to database access factories), and this is something we must clean.
Next step can be find a better way to perform resource access check. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, it seems I mixed up all the terms. I rewrote the part so it's hopefully clearer now.
Every access point in Uyuni is mapped as an **endpoint** in the database and grouped into **namespaces**. | ||
Access control is enforced by defining rules for these namespaces, either per **user** or **access group**. | ||
|
||
Below is a simplified ER diagram illustrating the proposed structure for access information in the database: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know we are not discussing implementation details here, but seeing the ER diagram I can't help myself.
Please NO NUMERIC IDs, I can't stress this enough.
Use BIGINT with identity generated always. Exception being already existing IDs.
And btw. VARCHAR is the same as TEXT in postgres, so use TEXT everywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noted. Thanks for the tip.
@Etheryte the new mechanism will provide means to check information regarding access rules to use on any page to show/hide/disable sections. You'll be able to check if the user has access to something and render that part conditionally. The hardest part is to do this on all the existing pages. We have to keep this out of scope to make it feasible for 5.1. Until then, when the user navigates to some disallowed part, we'll simply return a branded 403 page. Once the RBAC is done, we'll have to go page-by-page to add conditions according to the user's access rules. With the initial implementation though, we'll at least hide the disallowed entries from the left menu bar. If we can find the time, we can also do this for important parts, like hiding disallowed system details tabs, etc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks really good Can. Just some small clarification, otherwise looks great to me.
accepted/00000-rbac.md
Outdated
|
||
## Overview | ||
|
||
This solution stores all available network endpoints in the database and determines which endpoints each user can access, with the exception of the **Uyuni Administrator** role, which bypasses access control. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This solution stores all available network endpoints in the database and determines which endpoints each user can access, with the exception of the **Uyuni Administrator** role, which bypasses access control. | |
This solution stores all available system endpoints in the database and determines which endpoints each user can access, except the **Uyuni Administrator** role, which bypasses access control. |
accepted/00000-rbac.md
Outdated
- **`endpoint`**: The accessible URI of the endpoint. | ||
- **`class_method`**: The Java class that handles incoming requests to the endpoint, such as a controller class for web endpoints or an API handler for API endpoints. | ||
- **`http_method`**: The HTTP method (e.g., GET, POST, PUT, DELETE) accepted by the endpoint. If multiple methods are supported, each should be defined as a separate endpoint since they typically serve different purposes. | ||
- **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should add 2 more fields to the table, one expressing if the endpoint needs authentication and another if authorization is required.
In the PoC this was implemented as a static list on Java side, but I think we could move this information to the database.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll add a auth_required
column to the RFC to exclude the URLs outside of authentication space (like login, about, API docs, etc.).
I'm not 100% sure about the second flag. It may or may not be needed, depending on the details of the implementation. So I'll leave it out for now.
|
||
For example, `clm.project.details` **[R]** allows viewing a project's details, where `clm.project.details` **[W]** allows modifying them. | ||
|
||
- **`description`**: A clear description of what a namespace grants access to. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can also add a flag to define if the namespace is tailored to be used from the Web application side of API (XML-RPC side), similar of what we have in the endpoint. I know we can play around with the namespace prefix, but this way would be more explicit.
|
||
- **`label`**: The label of the access group. | ||
- **`description`**: The purpose or scope of the access group. | ||
- **`org_id`**: The ID of the organization to which the group belongs. This field will be `null` for predefined groups. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "vendor" groups cannot be changed by the users.
accepted/00000-rbac.md
Outdated
|
||
#### Existing roles | ||
|
||
To ensure a smooth transition, existing roles will remain until all JSP/Struts pages are fully removed. The new access control mechanism includes default user access groups replicating the following roles: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure about this topic. We must create access groups mapping the existing roles, that is a must.
However, some of these roles need to stay around for a longer time, even if we remove struts, since they grant access to data and not just features: "Uyuni Administrator" and "Organization administrator" (not 100% sure about the remaining).
For the ones that don't grant access to data, we could try to remove them. The part that can be tricky is the struts ACL rules, which may stop working properly.
An alternative solution for the roles that don't grant data access, and avoid touching the struts ACL could be assign those roles to all users, since the access control to the features will happen in the next mechanism.
We also must develop a automatic migration mechanism from the old roles to the new user access groups.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean by data access?
An alternative solution for the roles that don't grant data access, and avoid touching the struts ACL could be assign those roles to all users, since the access control to the features will happen in the next mechanism.
Yes, the problem is that the current access control with static roles is embedded everywhere (React as well) and trying to remove these is going to cost a lot of time. So instead, my plan is to leave them in, hide them from the UI (replaced by the new ones), and assign all these static roles to every existing and future user so they effectively won't do any access control.
However, I'm wondering if we should keep an unrestricted bypass mechanism in the filters for the Uyuni and Org Admin roles like:
public boolean canAccess(User user) {
return (user.hasRole(RoleFactory.ORG_ADMIN) && user.getOrg().equals(getOrg())) ||
user.hasRole(RoleFactory.SAT_ADMIN);
}
or should we rely on RBAC only? Are there some areas that won't be covered by RBAC?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can try in the existing implementation. If a user is part of organization and has not roles, and are not assigned to any systems groups, then the user cannot see any system. If the user has the role Org Admin, then it can see all the systems that are part of that organization.
So currently, the roles are not just to control access to pages but also access to data. I can show you tomorrow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh ok now I get it. So those superuser logic must stay in the new implementation in any case. All the others can go once we're ready to strip their logic from the individual pages.
After the initial development and mapping of all existing endpoints to the new structure, ongoing effort is required to keep endpoint mappings and the namespace structure up-to-date. To reduce RBAC overhead when implementing new features, the following additional resources are proposed: | ||
|
||
- An extensive Wiki guide on adding necessary endpoints with proper namespace organization | ||
- Stored procedures and scripts to easily grant/revoke user access for development |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer to avoid store procedures as much as possible. They are hard to test and are hidden inside the database.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. These will be just throwaway tools to help when we're implementing RFC. There's no plan to ship or persist them. Once the API is in place, they won't be needed anyway.
# Unresolved Questions | ||
[unresolved]: #unresolved-questions | ||
|
||
- **Granularity of access control:** Should the RBAC model include finer-grained permissions, such as access by specific actions (create, update, delete) within a namespace, or is the proposed "View" vs. "Modify" access mode sufficient for most cases? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, whenever its possible we should have as fine grain as possible, with a separation between the create, update, delete, for example.
|
||
- **Granularity of access control:** Should the RBAC model include finer-grained permissions, such as access by specific actions (create, update, delete) within a namespace, or is the proposed "View" vs. "Modify" access mode sufficient for most cases? | ||
|
||
- **External integration needs:** Will the RBAC system require compatibility with external authentication or access control systems, such as LDAP, and if so, what integration points are required to support this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That I would say is part of authentication. However, we could define a mapping between LDAP user groups and suma internal access groups, and automatically assign users to a group at login time.
|
||
- **External integration needs:** Will the RBAC system require compatibility with external authentication or access control systems, such as LDAP, and if so, what integration points are required to support this? | ||
|
||
- **Additional access groups:** Should predefined access groups be expanded to cover specific use cases beyond those mirroring existing roles? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is something we will find out, and we can react according to feedback from customers. One extra groups could be the read-only user that we have now for API only. that can be a new access group and stop relying on method names and a flag on user definition.
Also a small ping for @thesp0nge, if you have the time to give this a read, any input you might have on this proactively would be much appreciated. |
I'm sorry but for such kind of requests you really want to ask @szachovy , your security champion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my side this looks good, I think this is high level enough that most of the detailed discussions will happen in the specific implementation parts later.
Thanks for the review, Karl. Yeah I think this level of detail should be enough to get everyone on the same page and make the right decisions from the beginning so we won't have to scratch the whole design. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Thank you for preparing it
# Drawbacks | ||
[drawbacks]: #drawbacks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spacing throughout the document is inconsistent, can you parse it through https://github.com/DavidAnson/markdownlint ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only done have way through. I have Left some questions for my understanding.
|
||
- **`endpoint`**: The accessible URI of the endpoint. | ||
|
||
- **`class_method`**: The Java class that handles incoming requests to the endpoint, such as a controller class for web endpoints or an API handler for API endpoints. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this be required field or optional? What will we have in case of struts actions ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is mandatory, especially for the XML-RPC API endpoint, where we use this field to control access. For Structs and spark-only endpoints this is not really needed, but we can populate it.
|
||
- **`http_method`**: The HTTP method (e.g., GET, POST, PUT, DELETE) accepted by the endpoint. If multiple methods are supported, each should be defined as a separate endpoint since they typically serve different purposes. | ||
|
||
- **`auth_required`**: Indicates if the endpoint requires authorization. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If endpoint, will we have a separate namespace for such endpoints? What endpoints would usually fall in this category?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
simples example, login page. You don't need to be authenticated to reach it, otherwise user cannot login.
|
||
### Namespace | ||
|
||
A **namespace** is a logical grouping of endpoints that performs a specific task and defines the smallest unit of access control. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How will we make sure that we don't miss endpoints which are not part of any namespace? my question is more going forward - will we have any tooling which identify this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can develop a tool. But the side effect will be super visible, because users will not be able to access the base and feature will not work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So when you're implementing a new URL for a feature, first thing you'll have to do is to add necessary entries (endpoint and namespace info) to the RBAC tables using schema migration. Otherwise you won't be able to visit the URL when testing yourself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I support the idea of Abid to have some kind of tool part of the unit tests that assure that we don't miss any. Let's not rely only to the side effect even if easy to see. But let's be sure that someone adding a new endpoint in a new Pull Request have feedback if that part is missing.
- `clm.project.list`: Allows viewing the CLM projects list. | ||
- `clm.project.details`: Allows viewing or modifying the details of a CLM project. | ||
|
||
- **`access_mode`**: Defines the access level for each namespace as either "View" (R) or "Modify" (W). Many namespaces will have separate entries for each mode, with different endpoints for each purpose. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe actions like export CSV will go under view(R) and delete under W, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that is the goal, but Can can give more insides if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. AFAICS this separation is clear enough for any action. Management UI will provide proper descriptions for each namespace and mode so it'll be clear to users.
Ideally, the UI should have free text search so for example you'll be able to search for the keyword CSV and see what namespaces are available for any CSV related action.
|
||
A **namespace** is a logical grouping of endpoints that performs a specific task and defines the smallest unit of access control. | ||
|
||
- **`namespace`**: A label representing the namespace, expressed as a dot-separated string of components. Each component corresponds to a level of hierarchy for a task, with related tasks sharing the same components at higher levels. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can an end point be part of more than 1 namespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have many cases already. Mostly with some reusable URLs like getting a JSON system list etc. This also aligns with the fact that we want to unify API endpoints to be used by both the public API and the frontend pages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll be able to identify if an endpoint is called for one or other namespace?
I'm thinking about telemetry from the point of view of our features.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From telemetry is not possible o see, we can only see that and endpoint is called. What we can do is we log all the called, be able to calculate a call trace and deduct what could have be the interaction path.
|
||
- **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. | ||
|
||
#### Organization of namespaces |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have any table to represent this in our sample database schema, right? will we have some kind of inheritance here that if I have access at the top level namespace, I get access to everything else. And if yes, can as an admin, still change it to be more granular.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I got it right, the idea is to have this in an indirect way, by playing with the label name. For example:
namespace: admin
namespace: admin.createUser
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I got it right, the idea is to have this in an indirect way, by playing with the label name.
Correct. By default, granting access to a parent namespace doesn't automatically give access to the children. For that, you'll need to explicitly say "grant access to this namespace and everything that falls below it".
- System Group Administrator | ||
- Read-only API User | ||
|
||
Each of these roles grants access to different features in Uyuni. This static access control is enforced individually within each feature. Stripping these control checks throughout the system requires significant effort. Therefore, in the initial phase, the logic of these static roles will coexist with their RBAC counterparts, but will be bypassed by assigning them to all existing and future users. This will effectively make RBAC the exclusive access control mechanism. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not clear to me. Yes, we will keep the existing roles so we don't break the users setup when the migrate to 5.1. But wow are we planning to get rid of them? Will we allow administrators to still play with old roles ? Having new and old permissions setup could be pretty confusing for the admin to understand.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are 2 roles that needs to stay for now, which are satadmin
and orgadmin
.
Other roles should be replaced with new user groups in the new system.
Internally, we may need to keep the old roles because of struts ACL configurations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even though the older logic stays for now, it won't be visible to any user or admin.
Users can be granted access either individually or through access groups. | ||
|
||
Users assigned to an access group inherit all permissions defined within that group. | ||
While administrators can grant individual users additional permissions beyond those provided by their assigned group, they cannot revoke permissions set by the group. Additionally, users can belong to multiple access groups and inherit all associated access rules. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, I didn't get this. Here additional permissions means which are not covered by groups or is it more in a sense that those permissions that user got through groups can be overridden by individually assigning to the user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea is to grant more permissions to the user. User will always have access to all endpoints granted in all the groups, plus all individual permissions grant to the user directly.
Users assigned to an access group inherit all permissions defined within that group. | ||
While administrators can grant individual users additional permissions beyond those provided by their assigned group, they cannot revoke permissions set by the group. Additionally, users can belong to multiple access groups and inherit all associated access rules. | ||
|
||
Predefined access groups are designed to meet the needs of most environments; however, administrators can create custom groups to address specific requirements as needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean that namespaces will be static and administrator cannot change them or create new ones or will we provide the same flexibility(not considering here if that's good or bad) there as well that we are providing here in case of access groups?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Namespaces and access groups are just different levels of putting endpoints together. Namespaces are static and controled by us. Users can then create user groups linked to the endpoint in any shape or form, that will put together one or more namespaces.
On top of that, we will also have a few user groups controlled by us and the goal is that those groups match the existing roles.
- Prevent access to sensitive image store information: | ||
|
||
``` | ||
Revoke 'View' on 'cm.store.details' from 'Alice' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If Alice got this 'View' access through one accessgroup but then here Alice got that permissions revoked, I expect this would take precedence or?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned here:
While administrators can grant individual users additional permissions beyond those provided by their assigned group, they cannot revoke permissions set by the group.
Permissions assigned through a group cannot be revoked individually. This is an arbitrary limitation I wanted to enforce because otherwise it could get really messy for admins after a while. If we see the need for this, we can change the logic to allow this.
So for the example above, you cannot simply make Alice an Image Admin. If you do, you cannot revoke access to cm.store.details
because it's part of the Image Admin role.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's removed from User direct grant but is still present in the group, then Alice still has access to the feature. All endpoints are revoked by default, and we are always adding/grant access in all levels we can configure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So from what I understand with the new UI pages or API endpoints we would be using/testing it somehow like this, right? I put a few user stories with an example feature just to get an idea if I understand it correctly
User Story 1: Admin assigns access groups to users
As an administrator,
I want to assign a user to an access group,
So that they can access the features allowed by the group.
User Story 2: User accesses a feature within their namespace
As a user,
I want to access features and operations allowed by my role,
So that I can perform my job functions.
User Story 3: Unauthorized user attempts to access restricted resources
As a user,
I want the system to prevent me from accessing unauthorized features,
So that security and access rules are maintained.
User Story 4: Admin customizes access for a user
As an administrator,
I want to customize individual permissions for a user,
So that their access meets specific requirements.
User Story 5: Admin creates a new access group
As an administrator,
I want to create new access groups with specific permissions,
So that I can manage user access more efficiently.
User Story 6: User loses access when removed from a group
As an administrator,
I want users to lose permissions immediately when removed from an access group,
So that their access remains strictly controlled.
User Story 7: Permissions propagate correctly for multi-group users
As a user,
I want permissions from multiple groups to apply seamlessly,
So that my access covers all assigned roles.
Feature: Multi-group user access
Scenario: User belongs to multiple access groups with overlapping permissions
Given a user "testuser" belongs to the access groups:
| Group Name | Namespace | Access Mode |
| Image Viewer | cm.image.list | View |
| Profile Manager | cm.profile.* | Modify |
When "testuser" logs in
Then "testuser" should have the following combined permissions:
| Namespace | Access Mode |
| cm.image.list | View |
| cm.profile.* | Modify |
And "testuser" should be able to modify image profiles
And "testuser" should not be able to delete images
User Story 8: Audit access logs
As an administrator,
I want to track and log user actions,
So that I can audit access and detect misuse.
This RFC proposes Role-Based Access Control (RBAC) model in Uyuni.
See the rendered version.