Description
Right now, the session lookup and silo user fetch operations are not protected with authz. I think the reason is that they're used during request authentication -- before we know who the user is, and certainly before we know what privileges they have.
A better solution might be to use a special Nexus context for this, whose only privileges are to read from those tables (and maybe update the session table, in order to refresh and invalidate sessions). I think this would be pretty straightforward:
- create a new built-in user for this purpose ("external-api-authenticator"?)
- create a new built-in role for this user -- it could be at the "Fleet" level ("fleet.authenticator")
- create a new built-in role assignment that grants "fleet.authenticator" on the global Fleet to the built-in user "external-api-authenticator"
- update omicron.polar: define custom resources for SiloUser and ConsoleSession, with the usual permissions, and say that "read" and "modify" permissions are granted to anybody with "fleet.authenticator" on the parent fleet
- update nexus/src/authz/api_resources.rs to include types for the new Polar resources
- update the code paths in datastore.rs:
  - the "fetch" code paths should go away, in favor of the new lookup API (see "clean up remaining "fetch" interfaces in datastore" #845 for another dependency here)
  - the other code paths in datastore.rs (update/delete/etc.) should check authz like for other resources
- at Nexus startup, create an `OpContext` for the "external-api-authenticator" user, and use this `OpContext` inside the external API authenticator
This way, at the datastore and below, these are just like any other resource. At the caller, we're basically saying that the authentication step accesses the database as Nexus itself, and once we've validated the user, we switch to using their context for everything. I think this accurately reflects what's really going on and maintains least privilege.
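As an added sketch of the omicron.polar step above (not the project's actual policy), here is what the custom resources and the role grant could look like. It assumes Oso's resource-block syntax, a `Fleet` resource that already declares roles and permissions, a Polar role named "authenticator" on Fleet (which the database would store as "fleet.authenticator"), an actor type `AuthenticatedActor` with a `has_role` method, and `fleet` fields on the `SiloUser` and `ConsoleSession` types; all of those names are assumptions, not Omicron's own definitions.

```polar
# Added example, not Omicron's omicron.polar. Names and the has_role hook are
# assumptions about how the real policy is wired up.

allow(actor, action, resource) if has_permission(actor, action, resource);

actor AuthenticatedActor {}

# Role membership is looked up from the role-assignment table by the actor
# type (assumed method name).
has_role(actor: AuthenticatedActor, role: String, resource: Fleet)
    if actor.has_role(resource, role);

resource Fleet {
    permissions = [ "list_children", "modify", "read", "create_child" ];
    roles = [ "admin", "collaborator", "viewer", "authenticator" ];

    # Illustrative existing grants. Note that "authenticator" grants nothing
    # on the Fleet itself: the built-in user cannot read or modify fleet-wide
    # state, only the two resource types below.
    "read" if "viewer";
    "list_children" if "viewer";
    "viewer" if "collaborator";
    "modify" if "admin";
    "create_child" if "admin";
    "collaborator" if "admin";
}

resource SiloUser {
    permissions = [ "read", "modify" ];
    relations = { parent_fleet: Fleet };

    # Only "read" and "modify" are granted to the authenticator role on the
    # parent fleet; there is no "delete" or "list" permission for it to use.
    "read" if "authenticator" on "parent_fleet";
    "modify" if "authenticator" on "parent_fleet";
}

resource ConsoleSession {
    permissions = [ "read", "modify" ];
    relations = { parent_fleet: Fleet };

    # "modify" covers refreshing or invalidating a session during lookup.
    "read" if "authenticator" on "parent_fleet";
    "modify" if "authenticator" on "parent_fleet";
}

# Parent relations (assumed field name `fleet` on both types).
has_relation(fleet: Fleet, "parent_fleet", user: SiloUser)
    if user.fleet = fleet;
has_relation(fleet: Fleet, "parent_fleet", session: ConsoleSession)
    if session.fleet = fleet;
```

The check a reviewer would want on the real policy is the negative one: with only this role assigned, an `OpContext` for "external-api-authenticator" should fail `authorize(Read, fleet)` and any `Delete` on a session or user, and succeed only on `Read` and `Modify` of `SiloUser` and `ConsoleSession`, so the authenticator's reach stays limited to what request authentication actually needs.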
This should also allow us to remove `DataStore::pool()` and use `DataStore::pool_authorized()` everywhere.