authz: protect various endpoints

[davepacheco]

This started as a small PR to protect a handful of miscellaneous unprotected endpoints (in categories that were too small for their own PR). But it grew much larger than expected. If it would be helpful for me to break this up, I can do that.

I annotated the changes with some context to help sort through them. Key ones:

• Added a new "internal-read" user for reading control plane data from Nexus
• Added new "fleet viewer" role for the new user
• Added authz::Sled
• Added protection for the following endpoints:

hardware_racks_get
hardware_racks_get_rack
hardware_sleds_get
hardware_sleds_get_sled
sagas_get
sagas_get_saga
timeseries_schema_get
updates_refresh

[davepacheco]

The changes in this file are all part of adding a new "internal-read" user (described later).

[davepacheco]

I wanted to keep things simple and put sled permissions under read permission on the fleet, but that doesn't trigger the correct 404 behavior when you ask for a Sled that doesn't exist (because it would say the fleet doesn't exist). So then I wanted to use authz::FleetChild, but that doesn't include an id (and can't, because it's used for built-in roles that don't have one). So I created a real new struct for Sled.

Note that I want to refactor all the authz API resources to be more type-safe, but that'll be a bigger (future) change.

[davepacheco]

I added this new "Fleet Viewer" role for the new "internal-read" user (described later).

[davepacheco]

@iliana here's one of the couple of authz checks added for updates. I started as restrictive as possible: you basically have to have a near-superuser privilege on the fleet-level ("Fleet Collaborator" or "Fleet Admin") to have this permission. I imagine we'll want to rethink this but I hope this will work for now.

[davepacheco]

CC @iliana

[davepacheco]

CC @iliana

[davepacheco]

Added a new built-in user called "internal-read". This is used by Nexus when it needs to read control plane data that an ordinary user wouldn't have access to. For example, when a user provisions an Instance (or really any time we need to make a request to a Sled Agent), we need to look up information about the Sled in the database. That's now protected by authz. But the end user making the request probably doesn't have permission to read information about sleds. Instead, Nexus uses this new "internal-read" user.

[davepacheco]

Racks are faked-up -- not in the database -- so their access check is right in nexus.rs.

[davepacheco]

CC @iliana I put this check here to avoid querying the tuf repo unless the user is authorized. The database queries are separately authorized in datastore.rs.

[iliana]

I think this works for now. In the future, this code path will be called within Nexus when automatic updates are enabled (perhaps once every few hours, or some other regular cadence). What might this look like when we start doing that?

[davepacheco]

For that, we could create an OpContext when Nexus starts up specifically for use to do automatic updates, similar to what we do for saga recovery:

omicron/nexus/src/nexus.rs

Lines 211 to 216 in c66d2f6

	let opctx = OpContext::for_background(
	log.new(o!("component" => "SagaRecoverer")),
	Arc::clone(&authz),
	authn::Context::internal_saga_recovery(),
	Arc::clone(&db_datastore),
	);

This uses OpContext::for_background:

omicron/nexus/src/context.rs

Line 349 in c66d2f6

pub fn for_background(

We could create a separate built-in user for that context that would only have whatever privileges are needed for it. Then whenever we did any of these operations, we'd use that background OpContext that's associated with that user.

[iliana]

I think this works for now. In the future, this code path will be called within Nexus when automatic updates are enabled (perhaps once every few hours, or some other regular cadence). What might this look like when we start doing that?

[davepacheco]

Thanks for the reviews!