oxidecomputer · davepacheco · May 20, 2022 · May 20, 2022 · May 23, 2022 · May 23, 2022
diff --git a/common/src/sql/dbinit.sql b/common/src/sql/dbinit.sql
@@ -273,6 +273,7 @@ CREATE TABLE omicron.public.organization (
 );
 
 CREATE UNIQUE INDEX ON omicron.public.organization (
+    silo_id,
     name
 ) WHERE
     time_deleted IS NULL;

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -47,6 +47,7 @@ serde_with = "1.13.0"
 sled-agent-client = { path = "../sled-agent-client" }
 slog-dtrace = "0.2"
 structopt = "0.3"
+strum = { version = "0.23", features = [ "derive" ] }
 tempfile = "3.3"
 thiserror = "1.0"
 toml = "0.5.9"
@@ -127,7 +128,6 @@ regex = "1.5.5"
 subprocess = "0.2.9"
 term = "0.7"
 httptest = "0.15.4"
-strum = { version = "0.23", features = [ "derive" ] }
 
 [dev-dependencies.openapi-lint]
 git = "https://github.com/oxidecomputer/openapi-lint"

diff --git a/nexus/src/app/project.rs b/nexus/src/app/project.rs
@@ -96,7 +96,7 @@ impl super::Nexus {
     ) -> ListResultVec<db::model::Project> {
         let (.., authz_org) = LookupPath::new(opctx, &self.db_datastore)
             .organization_name(organization_name)
-            .lookup_for(authz::Action::CreateChild)
+            .lookup_for(authz::Action::ListChildren)
             .await?;
         self.db_datastore
             .projects_list_by_name(opctx, &authz_org, pagparams)
@@ -111,7 +111,7 @@ impl super::Nexus {
     ) -> ListResultVec<db::model::Project> {
         let (.., authz_org) = LookupPath::new(opctx, &self.db_datastore)
             .organization_name(organization_name)
-            .lookup_for(authz::Action::CreateChild)
+            .lookup_for(authz::Action::ListChildren)
             .await?;
         self.db_datastore
             .projects_list_by_id(opctx, &authz_org, pagparams)

diff --git a/nexus/src/authz/api_resources.rs b/nexus/src/authz/api_resources.rs
@@ -50,7 +50,6 @@ use parse_display::Display;
 use parse_display::FromStr;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
-#[cfg(test)]
 use strum::EnumIter;
 use uuid::Uuid;
 
@@ -206,9 +205,16 @@ impl ApiResourceWithRolesType for Fleet {
 }
 
 #[derive(
-    Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize, JsonSchema,
+    Clone,
+    Copy,
+    Debug,
+    Deserialize,
+    EnumIter,
+    Eq,
+    PartialEq,
+    Serialize,
+    JsonSchema,
 )]
-#[cfg_attr(test, derive(EnumIter))]
 #[serde(rename_all = "snake_case")]
 pub enum FleetRoles {
     Admin,
@@ -379,13 +385,13 @@ impl ApiResourceWithRolesType for Organization {
     Debug,
     Deserialize,
     Display,
+    EnumIter,
     Eq,
     FromStr,
     PartialEq,
     Serialize,
     JsonSchema,
 )]
-#[cfg_attr(test, derive(EnumIter))]
 #[display(style = "kebab-case")]
 #[serde(rename_all = "snake_case")]
 pub enum OrganizationRoles {
@@ -433,13 +439,13 @@ impl ApiResourceWithRolesType for Project {
     Debug,
     Deserialize,
     Display,
+    EnumIter,
     Eq,
     FromStr,
     PartialEq,
     Serialize,
     JsonSchema,
 )]
-#[cfg_attr(test, derive(EnumIter))]
 #[display(style = "kebab-case")]
 #[serde(rename_all = "snake_case")]
 pub enum ProjectRoles {
@@ -579,13 +585,13 @@ impl ApiResourceWithRolesType for Silo {
     Debug,
     Deserialize,
     Display,
+    EnumIter,
     Eq,
     FromStr,
     PartialEq,
     Serialize,
     JsonSchema,
 )]
-#[cfg_attr(test, derive(EnumIter))]
 #[display(style = "kebab-case")]
 #[serde(rename_all = "snake_case")]
 pub enum SiloRoles {

diff --git a/nexus/src/authz/omicron.polar b/nexus/src/authz/omicron.polar
@@ -137,23 +137,42 @@ resource Silo {
 	];
 	roles = [ "admin", "collaborator", "viewer" ];
 
+	# permissions granted by this resource's roles
 	"list_children" if "viewer";
 	"read" if "viewer";
+	"create_child" if "collaborator";
+	"modify" if "admin";
 
+	# roles implied by other roles
 	"viewer" if "collaborator";
-	"create_child" if "collaborator";
 	"collaborator" if "admin";
-	"modify" if "admin";
+
+	# roles implied by relationships with the parent fleet
 	relations = { parent_fleet: Fleet };
-	"admin" if "admin" on "parent_fleet";
-	"collaborator" if "collaborator" on "parent_fleet";
+	"admin" if "collaborator" on "parent_fleet";
 	"viewer" if "viewer" on "parent_fleet";
+	"list_children" if "viewer" on "parent_fleet";
 }
 has_relation(fleet: Fleet, "parent_fleet", silo: Silo)
 	if silo.fleet = fleet;
-has_role(actor: AuthenticatedActor, "viewer", silo: Silo)
+
+# All authenticated users can read their own Silo.  That's not quite the same as
+# having the "viewer" role.  For example, they cannot list Organizations in the
+# Silo.
+#
+# One reason this is necessary is because if an unprivileged user tries to
+# create an Organization using "POST /organizations", they should get back a 403
+# (which implies they're able to see /organizations, which is essentially seeing
+# the Silo itself) rather than a 404.  This behavior isn't a hard constraint
+# (i.e., you could reasonably get a 404 for an API you're not allowed to call).
+# Nor is the implementation (i.e., we could special-case this endpoint somehow).
+# But granting this permission is the simplest way to keep this endpoint's
+# behavior consistent with the rest of the API.
+#
+# It's unclear what else would break if users couldn't see their own Silo.
+has_permission(actor: AuthenticatedActor, "read", silo: Silo)
 	# TODO-security TODO-coverage We should have a test that exercises this
-	# case.
+	# syntax.
 	if silo in actor.silo;
 
 resource Organization {
@@ -180,7 +199,9 @@ resource Organization {
 	"modify" if "admin";
 
 	relations = { parent_silo: Silo };
-	"admin" if "admin" on "parent_silo";
+	"admin" if "collaborator" on "parent_silo";
+	"read" if "viewer" on "parent_silo";
+	"list_children" if "viewer" on "parent_silo";
 }
 has_relation(silo: Silo, "parent_silo", organization: Organization)
 	if organization.silo = silo;
@@ -212,7 +233,9 @@ resource Project {
 	"modify" if "admin";
 
 	relations = { parent_organization: Organization };
-	"admin" if "admin" on "parent_organization";
+	"admin" if "collaborator" on "parent_organization";
+
+	"viewer" if "list_children" on "parent_organization";
 }
 has_relation(organization: Organization, "parent_organization", project: Project)
 	if project.organization = organization;

diff --git a/nexus/src/db/datastore.rs b/nexus/src/db/datastore.rs
@@ -676,7 +676,7 @@ impl DataStore {
         pagparams: &DataPageParams<'_, Name>,
     ) -> ListResultVec<Organization> {
         let authz_silo = opctx.authn.silo_required()?;
-        opctx.authorize(authz::Action::ListChildren, &authz::FLEET).await?;
+        opctx.authorize(authz::Action::ListChildren, &authz_silo).await?;
 
         use db::schema::organization::dsl;
         paginated(dsl::organization, dsl::name, pagparams)
-Original file line number
+Diff line change
@@ Expand Up / @@ -273,6 +273,7 @@ CREATE TABLE omicron.public.organization ( @@
     );
     CREATE UNIQUE INDEX ON omicron.public.organization (
+        silo_id,
         name
     ) WHERE
         time_deleted IS NULL;
@@ Expand Down @@