-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use domain when checking login credentials #17292
base: main
Are you sure you want to change the base?
Conversation
39f5a7e
to
25ebd84
Compare
/build |
4833e3e
to
92ffea6
Compare
92ffea6
to
04aa010
Compare
@@ -271,37 +276,43 @@ func (a *Authenticator) checkCreds( | |||
} | |||
|
|||
func (a *Authenticator) checkPerms(ctx context.Context, modelAccess permission.UserAccess, userTag names.UserTag) error { | |||
// If the user tag is not local, we don't need to check for the model user | |||
// permissions. This is generally the case for macaroon-based logins. | |||
if !userTag.IsLocal() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was added to the top of this block in a prior refactoring, but it is incorrect. We check this situation further into the method.
apiserver/admin_test.go
Outdated
when, err := model.LastModelConnection(modelUser.UserTag) | ||
c.Assert(err, jc.ErrorIsNil) | ||
c.Assert(when, jc.Almost, now) | ||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll need to restore this as part of @Aflynn50's work.
1a0de1e
to
3b30e99
Compare
is part of login authentication.
ReadUserAccessForTarget to UserService interface in apiserver auth.
We rely instead on the name validation from the names package as the legacy state did. We use IsValidUser instead of IsValidUserName, because we allow external users of the form "user@domain".
accommodate the fact that this is where the authentication logic now looks. Authenticator logic uses tag.Id instead of tag.Name for users, so that the domain is preserved for locating users by name.
indicating JWT usage.
new Dqlite-backed access domain. At this stage we a hijacking the permission check for controller access, because we don't currently grant access based on controller UUID.
access, check for the specific NotFound variants emitted by the access domain. We need to do this in order to limit the information we return for failed auth actions.
incorrectly from admin.checkUserPermissions in a prior patch. That method now uses the Dqlite-backed access service for authorisation checks.
instead of the legacy state.
265b2d7
to
be5b59a
Compare
be5b59a
to
2ea6715
Compare
This patch constitutes some progress towards using the permissions domain for login authorisation.
We use the
ID
method instead of theName
method on user tags in order to preserve the@domain
section for external users. Such users will reside in the user table, where under Mongo they had an entry only in the model or controller users collections.In several places we have migrated permission checks to the new access service backing.
There are a couple of to-do comments regarding:
everyone@external
by direct service access.The commented block for testing the last user login will be reinstated in a patch to come.
To keep this patch manageable, these changes should follow:
QA steps
Bootstrap and login to a controller.
Documentation changes
None.
Links
Jira card: JUJU-5913