
authentication operations should use special Nexus context #846

Closed
@davepacheco

Description


Right now, the session lookup and silo user fetch operations are not protected with authz. I think the reason is that they're used during request authentication -- before we know who the user is, and certainly before we know what privileges they have.

A better solution might be to use a special Nexus context for this, whose only privileges are to read from those tables (and maybe update the session table, in order to refresh and invalidate sessions). I think this would be pretty straightforward:

  • create a new built-in user for this purpose ("external-api-authenticator"?)
  • create a new built-in role for this user -- it could be at the "Fleet" level ("fleet.authenticator")
  • create a new built-in role assignment that grants "fleet.authenticator" on the global Fleet to the built-in user "external-api-authenticator"
  • update omicron.polar: define custom resources for SiloUser and ConsoleSession, with the usual permissions, and say that "read" and "modify" permissions are granted to anybody with "fleet.authenticator" on the parent fleet
  • update nexus/src/authz/api_resources.rs to include types for the new Polar resources
  • update the code paths in datastore.rs:
  • at Nexus startup, create an OpContext for the "external-api-authenticator" user
  • use this OpContext inside the external API authenticator

This way, at the datastore and below, these are just like any other resource. At the caller, we're basically saying that the authentication steps access the database as Nexus itself, and once we've validated the user, we switch to using their context for everything. I think this accurately reflects what's really going on and maintains least-privilege.

This should also allow us to remove DataStore::pool() and use DataStore::pool_authorized() everywhere.
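As an added illustration of the omicron.polar step in the proposal above, here is what the two custom resources could look like as Oso Polar resource blocks. This is example policy written for this page, not code from the issue or from the omicron repository; the `parent_fleet` relation name, the `fleet` field on the two resource types, the `AuthenticatedActor` actor name, the condensed `Fleet` block and the `has_role_resource` hook are all assumptions about how the policy would be wired up.

```polar
# Added example policy, not from the issue or the omicron tree.
# Assumptions: the actor type is AuthenticatedActor, Fleet is already a
# resource in omicron.polar (shown here condensed), and SiloUser and
# ConsoleSession each carry a `fleet` field pointing at the global Fleet.

actor AuthenticatedActor {}

# The global Fleet. "authenticator" is the role the issue calls
# "fleet.authenticator". It is deliberately kept out of the existing
# admin/viewer chain, so holding only this role grants nothing else
# on the Fleet itself.
resource Fleet {
    permissions = [ "read", "modify" ];
    roles = [ "admin", "viewer", "authenticator" ];
    "viewer" if "admin";
    "read" if "viewer";
    "modify" if "admin";
}

# Silo users: the authenticator needs "read" to resolve a session to its
# user. No create or delete permission is declared, so the built-in
# "external-api-authenticator" user cannot change who exists.
resource SiloUser {
    permissions = [ "read", "modify" ];
    relations = { parent_fleet: Fleet };
    "read" if "authenticator" on "parent_fleet";
    "modify" if "authenticator" on "parent_fleet";
}

# Console sessions: "modify" covers refreshing and invalidating a session,
# which is the only write the authentication path needs.
resource ConsoleSession {
    permissions = [ "read", "modify" ];
    relations = { parent_fleet: Fleet };
    "read" if "authenticator" on "parent_fleet";
    "modify" if "authenticator" on "parent_fleet";
}

# Tie each new resource to the Fleet it belongs to. The `fleet` field is
# an assumption about the Rust-side types registered with Oso.
has_relation(fleet: Fleet, "parent_fleet", user: SiloUser)
    if user.fleet = fleet;
has_relation(fleet: Fleet, "parent_fleet", session: ConsoleSession)
    if session.fleet = fleet;

# Role assignments live in the database; the actor type exposes them to
# Polar through a method. The method name is an assumption.
has_role(actor: Actor, role_name: String, resource: Resource)
    if actor.has_role_resource(role_name, resource);
```

With a policy shaped like this, the OpContext created at Nexus startup for "external-api-authenticator" can only satisfy `read` and `modify` checks on `SiloUser` and `ConsoleSession`; an authz check for any other resource or permission fails for that context, which is the least-privilege property the proposal is after. The built-in role assignment of "authenticator" on the global Fleet is the single row that turns this policy on.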
