Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tracking issue for MVP IAM work #849

Closed
39 of 69 tasks
davepacheco opened this issue Apr 1, 2022 · 8 comments
Closed
39 of 69 tasks

tracking issue for MVP IAM work #849

davepacheco opened this issue Apr 1, 2022 · 8 comments
Assignees
Milestone

Comments

@davepacheco
Copy link
Collaborator

davepacheco commented Apr 1, 2022

(Original source. NOTE: some of the work in that doc is not part of Omicron (e.g., RSS parts) and so isn't mentioned here.)

NOTE: Unless a bullet item says otherwise, it's talking about support in Nexus and the API, not support in the CLI and console. CLI and console support are covered in separate bullet points towards the bottom.

CC @jmpesp what have I missed?

@david-crespo
Copy link
Contributor

Do any of these bullets represent being able to list users in a group? I don't see one.

Say you're on a project access page and some group has read access on that project. I would want to be able to click on the group and see who is in it. While we're using the JIT model for users, this list would necessarily be limited to users we're aware of because they've logged in. That might be confusing if there's a user you expect to see because you know they're in the group on the IdP side, but they don't show up because they've never logged into Oxide.

@davepacheco
Copy link
Collaborator Author

Good call. I don't think there was anything there that covered that. I added this as "list users in groups, list groups associated with a user".

While we're using the JIT model for users, this list would necessarily be limited to users we're aware of because they've logged in. That might be confusing if there's a user you expect to see because you know they're in the group on the IdP side, but they don't show up because they've never logged into Oxide.

Yup. I don't think there's much we can do in the API to mitigate this but maybe we can do something in the console? e.g., a small "expecting to see somebody else here?" link to a help page?

@david-crespo
Copy link
Contributor

Right, good idea. We can at least explain it.

@smklein smklein added this to the MVP milestone Jan 24, 2023
@askfongjojo askfongjojo modified the milestones: MVP, FCS May 11, 2023
@benjaminleonard
Copy link
Contributor

We need an unauthed endpoint that returns a silo's display name and its associated IdPs to implement the login screen on console. We do need to know which silo you're in right? Will this get unblocked when we have subdomains for silos?

@davepacheco
Copy link
Collaborator Author

We need an unauthed endpoint that returns a silo's display name and its associated IdPs to implement the login screen on console. We do need to know which silo you're in right? Will this get unblocked when we have subdomains for silos?

Yeah, Silos already have their own DNS names, though people don't necessarily use them in development. In a real system, we'll know which Silo you're in based on the DNS name you came in through (really the TLS SNI name, but those are generally the same thing). I'm not yet clear on what we'll do in development for this, where people often aren't using TLS nor DNS.

Even though we should know the Silo name already, for SAML, login starts when you GET /login/{silo_name}/saml/{idp_name} and ends with POST /login/{silo_name}/saml/{idp_name}. For password login, it ends with POST /login/{silo_name}/saml. So I figured we'd serve the password login page at GET /login/{silo_name}/local and we'll know where to POST the credentials. For SAML, we at least discussed having redirects so that GET /login/{silo_name}/saml redirects you to the GET for some default IdP. We could also have redirects from GET /login, since we should know the silo name already. I think these shouldn't be blockers? What do you think?

@benjaminleonard
Copy link
Contributor

In theory we could redirect to the SAML page automatically, but I think it's a better user experience if you're hitting a page where the user triggers it themself. 99% of the time I imagine thats just them clicking the only button there. As I understand it, multiple IdPs on a single silo is uncommon but also trivial to support with this UI:

image

Those login endpoints sound good to me but @david-crespo and @zephraph are much more qualified to speak to that than I am. If we had those then the minimum we could return to serve this page would be: silo_name (which we already have and just need to make accessible without being authed) and associated idp_name[].

For dogfood would be move everything over to the IdP silo? So we don't have two silos on a single DNS name?

@davepacheco
Copy link
Collaborator Author

As I understand it, multiple IdPs on a single silo is uncommon but also trivial to support with this UI:

Yeah, as I understand it, it would be easy from the UI perspective. It's nasty internally and we want to avoid it (see all the stuff in RFD 234). I can still see it being useful to see a landing page like that, though, so you know what you're even logging into.

If we had those then the minimum we could return to serve this page would be: silo_name (which we already have and just need to make accessible without being authed) and associated idp_name[].

I'm not sure how best to convey these. @david-crespo or @zephraph have thoughts about all this?

For dogfood would be move everything over to the IdP silo? So we don't have two silos on a single DNS name?

Yeah...I believe that right now, we have a DNS "A" record that points the dogfood DNS name to the Nexus IP. It works in terms of TLS for whatever Silos we've uploaded that certificate for. But it's working a little bit by accident because we haven't finished this work. Nexus doesn't know what Silo you're coming in for in that configuration. It just doesn't care because it doesn't use that information yet.

(Another reason we don't want customers to do this is that we want to be in charge of DNS so that we can change IPs if we need to. At some point I think we want to change the dogfood DNS name to be a CNAME for the DNS name provided by the rack's own external DNS server. I think that's mostly unrelated, though.)

In order to keep using the same DNS name for Dogfood, we'll have to implement support for what I'd call "DNS aliases", where you can specify that the rack should serve one Silo's endpoints (e.g., "the-silo.sys.some-internal-dns-name.example") at some other DNS name (e.g., "the-silo.company.example"). I believe this is not needed for FCS so we'll have to decide whether we want to do this feature anyway and use it in Dogfood or change the Dogfood DNS name to just use the rack-provided naming scheme.

@davepacheco
Copy link
Collaborator Author

I've created issues for the open non-cleanup items so I think we can close this one.

@benjaminleonard I think we ended up addressing what you wanted?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants