Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use domain when checking login credentials #17292

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Use domain when checking login credentials #17292

wants to merge 11 commits into from

Conversation

manadart
Copy link
Member

@manadart manadart commented Apr 26, 2024
edited

This patch constitutes some progress towards using the permissions domain for login authorisation.

We use the ID method instead of the Name method on user tags in order to preserve the @domain section for external users. Such users will reside in the user table, where under Mongo they had an entry only in the model or controller users collections.

In several places we have migrated permission checks to the new access service backing.

  • The permission delegator now uses the access service.
  • The login authenticator now uses the access service

There are a couple of to-do comments regarding:

  • Checking for controller access by controller tag (UUID).
  • Having to check access for everyone@external by direct service access.

The commented block for testing the last user login will be reinstated in a patch to come.

To keep this patch manageable, these changes should follow:

  • TBC

QA steps

Bootstrap and login to a controller.

Documentation changes

None.

Links

Jira card: JUJU-5913

@hpidcock hpidcock added the 4.0 label Apr 29, 2024
@manadart
Copy link
Member Author

/build

@manadart manadart force-pushed the dqlite-check-creds branch 4 times, most recently from 4833e3e to 92ffea6 Compare May 2, 2024 13:45
manadart
manadart commented May 27, 2024
View reviewed changes
apiserver/stateauthenticator/auth.go
@@ -271,37 +276,43 @@ func (a *Authenticator) checkCreds(
}

func (a *Authenticator) checkPerms(ctx context.Context, modelAccess permission.UserAccess, userTag names.UserTag) error {
// If the user tag is not local, we don't need to check for the model user
// permissions. This is generally the case for macaroon-based logins.
if !userTag.IsLocal() {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was added to the top of this block in a prior refactoring, but it is incorrect. We check this situation further into the method.

apiserver/admin_test.go Outdated
when, err := model.LastModelConnection(modelUser.UserTag)
c.Assert(err, jc.ErrorIsNil)
c.Assert(when, jc.Almost, now)
/*
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll need to restore this as part of @Aflynn50's work.

@manadart manadart force-pushed the dqlite-check-creds branch 4 times, most recently from 1a0de1e to 3b30e99 Compare May 28, 2024 10:12
@manadart
Ensures that we use the user service where we can in checkCreds, which
a11b90c 
is part of login authentication.
@manadart
Fixes mocks and implemetations for the addition of
3ebe5cc 
ReadUserAccessForTarget to UserService interface in apiserver auth.
@manadart
Removes user name validation logic from access domain.
61ebcbd 
We rely instead on the name validation from the names package as the
legacy state did.

We use IsValidUser instead of IsValidUserName, because we allow external
users of the form "user@domain".
@manadart
Adds domain user insertion to tools integration test suite, to
56d11f9 
accommodate the fact that this is where the authentication logic now
looks.

Authenticator logic uses tag.Id instead of tag.Name for users, so that
the domain is preserved for locating users by name.
@manadart
Fixes typo in comment for ParseTagForID.
8e6ba29
@manadart
Clarifies Token member purpose in RPC and config structs with comments
1d6a7ad 
indicating JWT usage.
@manadart
Replaces legacy state on the API server permission delegator with the
9717be2 
new Dqlite-backed access domain.

At this stage we a hijacking the permission check for controller access,
because we don't currently grant access based on controller UUID.
@manadart
Instead of checking for vanilla NotFound errors when we check user
4483a47 
 access, check for the specific NotFound variants emitted by the access
 domain.

 We need to do this in order to limit the information we return for
failed auth actions.
@manadart
Removes checkPerms from the state authenticator. This was duplicated
df1fe83 
incorrectly from admin.checkUserPermissions in a prior patch.

That method now uses the Dqlite-backed access service for authorisation
checks.
@manadart
Fixes macaroon login suite tests to add users and permissions to Dqlite
e075593 
instead of the legacy state.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
4.0
Projects
None yet
Milestone
No milestone
2 participants
@manadart @hpidcock