Skip to content

✨ auth: Implement user scopes #3235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jan 16, 2025
Merged

✨ auth: Implement user scopes #3235

merged 6 commits into from
Jan 16, 2025

Conversation

sttts
Copy link
Member

@sttts sttts commented Dec 21, 2024
edited
Loading

Summary

Vendors kcp-dev/kubernetes#157 for authentication.kcp.io/scopes: cluster:<name>,... user info extra values that scope down a user to those clusters. In a cluster outside of the users' (potentially existing) scopes, the user is considered authenticated, but it loses it other properties like groups and extra data.

This PR uses the mechanism to:

  1. add a scope to impersonated users ("they cannot escape their cluster")
  2. add a scope to the impersonation happening in the initializing virtual workspace. I.e. the WorkspaceType owner cannot use the workspace owner identity for other purposes than accessing the logical cluster at hand.

This is towards warrant support in #3156.

Related issue(s)

Release Notes

Add user info support for scopes through the extra key `authentication.kcp.io/scopes: cluster:<name>,...` to contain a user in a certain cluster. Multiple extra values are conjunctive, i.e. their intersection is the allowed scope.

@kcp-ci-bot kcp-ci-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has signed the DCO. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 21, 2024
mjudeikis
mjudeikis reviewed Jan 9, 2025
View reviewed changes
Copy link
Contributor

@mjudeikis mjudeikis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general this look ok. I think :)

mjudeikis
mjudeikis reviewed Jan 11, 2025
View reviewed changes
@kcp-ci-bot kcp-ci-bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 16, 2025
@sttts sttts force-pushed the sttts-scopes branch 2 times, most recently from d9736ba to 48915f7 Compare January 16, 2025 09:00
@kcp-ci-bot kcp-ci-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 16, 2025
@sttts sttts force-pushed the sttts-scopes branch 2 times, most recently from eb92f8f to f9438f4 Compare January 16, 2025 09:09
@sttts sttts changed the title ✨ PoC: Implement user scopes ✨ auth: Implement user scopes Jan 16, 2025
@sttts sttts force-pushed the sttts-scopes branch 4 times, most recently from 920425b to 9f5086b Compare January 16, 2025 12:03
sttts and others added 5 commits January 16, 2025 13:16
@sttts @mjudeikis
authz: add user scoping
0192e88 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Mangirdas Judeikis <Mangirdas@Judeikis.LT>
Signed-off-by: Mangirdas Judeikis <Mangirdas@Judeikis.LT>
On-behalf-of: @SAP mangirdas.judeikis@sap.com
@mjudeikis @sttts
virtualworkspaces/initialize: add scoping
8f7f2a5 
Signed-off-by: Mangirdas Judeikis <Mangirdas@Judeikis.LT>
On-behalf-of: @SAP mangirdas.judeikis@sap.com
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
@sttts
e2e: add scope SubjectAccessReview tests
df8f955 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
@sttts
e2e: add SelfSubjectReview test for impersonation scoping
a1e42b3 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
@sttts
authorizer: simplify unit tests by less helpers
968bbfd 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
@embik
Copy link
Member

embik commented Jan 16, 2025

lgtm (leaving "real" approval for after the PR has been rebased to kcp-dev/kubernetes).

@sttts
Bump kubernetes
5e67ef9 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
@mjudeikis
Copy link
Contributor

/lgtm
/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 16, 2025
@kcp-ci-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: d0572537fdd40869d1c9aa27d7ea12843d4e88ff

@kcp-ci-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mjudeikis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 16, 2025
@kcp-ci-bot kcp-ci-bot merged commit 6e79dae into kcp-dev:main Jan 16, 2025
16 checks passed
sttts
sttts commented Jan 21, 2025
View reviewed changes
pkg/authorization/workspace_content_authorizer.go
// service accounts from other workspaces cannot access
case isServiceAccount && isForeign:
// Service accounts from other workspaces might conflict with local service accounts by name.
// Use another reason string to make this very common case clearer.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mjudeikis wondering whether we need all this logic here at all? Isn't the rule resolver doing this work already?

@embik embik mentioned this pull request Jan 23, 2025
Merged
@embik
Copy link
Member

embik commented Mar 17, 2025

/kind feature

@kcp-ci-bot kcp-ci-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mjudeikis mjudeikis mjudeikis left review comments

Assignees

@mjudeikis mjudeikis

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sttts @embik @mjudeikis @kcp-ci-bot