-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read group permission for fleet users #5746
Comments
While we're brainstorming, I think it would make more sense to move that param to the IDP setup step, since it doesn't make sense without IDP. Also it's more likely that someone is configuring the groups in IDP at that point rather than the initial silo create. So really there are 2 parts here, the visibility of groups for fleet admins, and also the UX flow of setting up the initial group. |
We can always revisit things, but just noting here that the lack of visibility into silo groups from outside the silo was an explicit (security) design goal. I'm not sure where we wrote this down but there are some related notes in #1340, #1681, and RFD 297.
Can you say more about the types of problems we've run into? The obvious one we were worried about is a mismatch between the admin group name that the user configures here and the actual group name in the IdP. We're relying on people to get that right, and if they get it wrong, it just won't work and it won't be obvious why. We've discussed streamlined flows to make it harder to get this wrong. For example, during silo setup, after you configure the IdP, maybe we could have you (in another browser session?) log into the new Silo, and the first screen you get shows you the groups that we found, and you can pick which one you want to be the admin group. Or maybe we don't do anything special in that second session, but we create those groups like we always do, and then you can see those in your first session (the one creating the silo) and then you can pick one there. I imagine there are lots of ways to make this better but it depends on how things are going wrong. |
I'm not sure I understand the concern with giving a fleet admin visibility into the IdP/group configuration of the other silos. The fleet admin is the role that is allowed to create the configuration, and also the only logical (and possible) choice for who can debug/fix any auth issues with a silo. You mentioned the obvious problem which is what I ran into, but I can imagine that over time something could change on the SAML provider side and we need to confirm or change the IdP or group configuration. There must be a way to view or edit the config for a silo if the IdP is broken and there's no way to login to the given silo. (This is also blending into #3125) |
Totally -- fleet administrators definitely need to be able to debug and fix problems with a silo's IdP configuration. At the very least, they need to be able to establish an IdP configuration that allows a silo administrator to log in and make any other changes that are needed. #3125 is important here so that DNS names, IP addresses, keys, and certificates can be changed (both by silo admins and also from outside the silo by a fleet administrator) for cases where an IdP is migrated or certificates get rotated, etc. But there are a couple of reasons it'd be nice if we can limit the privileges that are required to get a silo admin to be able to log in:
These are goals, not constraints, and it's okay if the answer is that we should just directly expose the list of silo groups to fleet admins anyway. But that's why I was asking the question, since in at least some of these cases, there seem to be alternatives that provide a better experience while also avoiding exposing that information. |
When a silo is created we accept a
SiloCreate
struct that defines an optionaladmin_group_name
:omicron/nexus/types/src/external_api/params.rs
Lines 301 to 308 in ecb6214
This group is created at silo creation time as described in the comment. We do not store this value though outside of the group instantiation. This makes it particularly difficult to debug silo IdP connections as groups are not visible to fleet viewers/admins. We've run in to this a few times internally on the preview rack as well as externally.
While we could store this value, it is really only useful for initial silo configuration, and not very useful in the long usage of the silo. Instead should we consider that silo groups be visible to users with fleet level permissions? We already allow for fleet permissions to list cross silo users, and view the opaque group ids via the policy endpoints. Is there a reason to prevent viewing the group display names?
The text was updated successfully, but these errors were encountered: