✨ Add user warrants #3156

sttts · 2024-08-22T11:57:37Z

TODO:

flatten the warrants and apply scopes before webhook authorizers are called.
~~[ ] add request user warrant to initializer VW.~~ moved to feature: add supplementary group to initializingworkspaces impersonation #3271

Summary

From Slack:

🧵 long ago @sur presented a problem (if I remember right) in our current auth model of serviceaccounts only being valid locally, and with that the inability to create workspaces through an APIExport virtual workspace. The steps are these:

a user U creates a workspace W2 in logicalcluster L1 through an APIExport virtual workspace (that has a permission claim on Workspaces).
the VW forwards the requests by impersonating its system:masters user with a fake system:kcp:admin serviceaccount (S1) for L1 named system:serviceaccount:default:rest.
the forwarded requests hits kcp and kcp authorizes the workspace creation with that S1 serviceaccount. It uses that identity to authorize the use of workspace types. By giving use permission to everybody, this goes through.
workspace admission sticks S1 as owner on the workspace object, to be used by initialization later.
the workspace scheduler creates a logicalclusters L2 for W2 and gives S1 admin permissions through a clusterrole+binding.
the initializers kick in and access the initializer VW for L2 where W2 has been scheduled to. Their requests are impersonated as S1 by the VW.
these requests hit kcp and the authorizer denies access because S1 is a foreign service account 💥

Now assume a modified system that

understands serviceaccounts from other workspaces, but does not give them permissions by default.
does not use a fake serviceaccount S1 identity to pass through the APIExport VW requests, but preserves the actual controller user and only attaches a warrant that gives the requires access of the claim.

The steps from above would turn into:

a user U creates a workspace W2 in logicalcluster L1 through an APIExport virtual workspace (that has a permission claim on Workspaces).
the VW forwards the requests by impersonating its system:masters user as U with a warrant for a fake system:kcp:admin serviceaccount (S1) for L1 named system:serviceaccount:default:rest.
the forwarded requests hits kcp and kcp authorizes the workspace creation with that warrant S1 serviceaccount because U is not enough. It uses the U identity to authorize the use of workspace types. ~~By giving use permission to everybody, t~~This goes through.
workspace admission sticks U with warrant S1 as owner on the workspace object, to be used by initialization later.
the workspace scheduler creates a logicalclusters L2 for W2 and gives U with warrant S1 admin permissions through a clusterrole+binding.
the initializers kick in and access the initializer VW for L2 where W2 has been scheduled to. Their requests are impersonated as U with warrant S1 by the VW.
these requests hit kcp and the authorizer ~~denies access because S1 is a foreign service account~~ grants access because U with warrant S1 is admin in L2.

Now assume in addition that U is actually a controller serviceaccount S0 in workspace root. Step (7) would 💥 because S0 is foreign for L2. We further modify the system to authenticate serviceaccount as system:kcp:serviceaccount:<logicalcluster>:<ns>:<name> with a warrant for system:serviceaccount:<ns>:<name> restricted to their defining logicalcluster.

Now, U becomes system:kcp:serviceaccount:root:default:controller with warrant system:serviceaccount:default:controller restricted to root. With that (4) becomes

workspace admission sticks system:kcp:serviceaccount:root:default:controller with warrant system:serviceaccount:default:controller restricted to root with warrant S1 as owner on the workspace object, to be used by initialization later.

I.e. the user has two warrants. With that (7) becomes:

these requests hit kcp and the authorizer grants access because system:kcp:serviceaccount:root:default:controller with the TWO warrants including S1 is admin in L2.

Related issue(s)

Fixes #

Release Notes

Pass through original identity of controllers accessing a logical cluster through the APIExport virtual workspace. To get the required permissions, a warrant mechanism is added through user extra fields that attaches secondary user identities purely used for authorization.

docs/content/concepts/authorization.md

pkg/authorization/decorator.go

pkg/server/options/authorization.go

pkg/virtual/apiexport/builder/build.go

mjudeikis · 2024-11-23T10:13:04Z

In general just a questions. looks good,

pkg/authorization/maximal_permission_policy_authorizer.go

Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

…for the target workspace Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

…nts and scoping Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

embik · 2025-01-26T13:37:34Z

/retest

looks like a flake to me.

embik · 2025-01-26T13:39:59Z

pkg/server/options/authorization.go

@@ -173,6 +173,7 @@ func (s *Authorization) ApplyTo(ctx context.Context, config *genericapiserver.Co
 		if err != nil {
 			return err
 		}
+		authorizer = authz.WithWarrantsAndScopes(authorizer)


For my understanding here: We are only wrapping the (optional) webhook authorizer because the RBAC-based ones (the whole chain thing) got warrant support by amending the rule resolver in the kube fork, correct?

Correct. And we don't want that external, third party authorizers have to understand scopes and warrants.

mjudeikis · 2025-01-26T15:23:34Z

/retest
/lgtm
/approve
/hold
until @embik gets his question sorted :)

kcp-ci-bot · 2025-01-26T15:23:38Z

LGTM label has been added.

Git tree hash: ec0e8108e30e6e12d6320ecebdfc209511d4b631

kcp-ci-bot · 2025-01-26T15:23:42Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mjudeikis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [mjudeikis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

embik · 2025-01-26T16:26:21Z

/hold cancel

sttts changed the title ~~✨ PoC: Implement user warrents~~ ✨ PoC: Implement user warrants Aug 22, 2024

sttts force-pushed the sttts-warrants branch from 0de78d6 to 12b4ee2 Compare August 22, 2024 12:30

kcp-ci-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 22, 2024

sttts force-pushed the sttts-warrants branch 2 times, most recently from 00dd36e to ebb5114 Compare August 22, 2024 13:00

mjudeikis reviewed Aug 22, 2024

View reviewed changes

docs/content/concepts/authorization.md Outdated Show resolved Hide resolved

docs/content/concepts/authorization.md Outdated Show resolved Hide resolved

docs/content/concepts/authorization.md Outdated Show resolved Hide resolved

sttts force-pushed the sttts-warrants branch from ebb5114 to 76d5096 Compare August 23, 2024 06:33

kcp-ci-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 23, 2024

sttts mentioned this pull request Aug 23, 2024

✨ Add original user/group as extra to the impersonating client used by virtual workspace #3155

Merged

sttts force-pushed the sttts-warrants branch 4 times, most recently from 4b188ca to 2ca96c3 Compare August 26, 2024 09:29

kcp-ci-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 13, 2024

xrstf mentioned this pull request Nov 13, 2024

UPSTREAM: <carry>: include cluster name in authz SubjectAccessReview in webhooks kcp-dev/kubernetes#151

Merged