Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scope operator interaction to namespace #51

Closed
Zerpet opened this issue Mar 11, 2021 · 3 comments · Fixed by #83
Closed

Scope operator interaction to namespace #51

Zerpet opened this issue Mar 11, 2021 · 3 comments · Fixed by #83
Assignees
@ChunyiLyu
Labels
security

Comments

@Zerpet
Copy link
Contributor

Zerpet commented Mar 11, 2021

Looking at the RabbitmqClusterReference property in User kind:

messaging-topology-operator/api/v1alpha1/user_types.go

Lines 18 to 33 in 06637f5

type UserSpec struct {
// Username of the user to create on a RabbitmqCluster.
// +kubebuilder:validation:Required
Name string `json:"name"`
// List of permissions tags to associate with the user. This determines the level of
// access to the RabbitMQ management UI granted to the user. Omitting this field will
// lead to a user than can still connect to the cluster through messaging protocols,
// but cannot perform any management actions.
// For more information, see https://www.rabbitmq.com/management.html#permissions.
Tags []UserTag `json:"tags,omitempty"`
// Reference to the RabbitmqCluster that the user will be created for. This cluster must
// exist for the User object to be created.
// +kubebuilder:validation:Required
RabbitmqClusterReference RabbitmqClusterReference `json:"rabbitmqClusterReference"`
// TODO: Allow the provision of the user with a pre-defined password through a Secret here
}

messaging-topology-operator/api/v1alpha1/queue_types.go

Lines 44 to 49 in 06637f5

type RabbitmqClusterReference struct {
// +kubebuilder:validation:Required
Name string `json:"name"`
// +kubebuilder:validation:Required
Namespace string `json:"namespace"`
}

I noticed that we allow to interact with RabbitmqCluster objects in any namespace in the cluster. I'm concerned that we might be allowing a human user Cody to create RabbitMQ primitives in a RabbitMQ cluster they might not have access to. For example, Cody has access only to namespace cody-dev and they create a User kind which references a RabbitmqCluster with name rabbit in namespace foobar. The topology operator will create the user primitive in RabbitMQ, granting Cody credentials to access said RabbitMQ instance.

My concern is that the operator might allow Cody to access RabbitMQ instances they are not supposed or intended to.

Should we remove the namespace aspect, effectively having a LocalObjectReference-like object?
@Zerpet Zerpet added the sync-up label Mar 11, 2021
@MirahImage
Copy link
Member

MirahImage commented Mar 16, 2021
edited
Loading

This is a breaking change to the API, therefore we need to simultaneously bump the API version to v1alpha2 (issue #63)

@coro
Copy link
Contributor

coro commented Mar 16, 2021

Just to clarify, this affects all topology objects, which all allow for a namespace field in the cluster reference.

@coro
Copy link
Contributor

coro commented Mar 16, 2021

@n3wscott How would this proposed change affect knative?

@coro coro removed the sync-up label Mar 16, 2021
@ChunyiLyu ChunyiLyu mentioned this issue Mar 24, 2021
Merged
@ChunyiLyu ChunyiLyu self-assigned this Mar 25, 2021
@the-smooth-operator the-smooth-operator mentioned this issue May 31, 2021
Closed
@Zerpet Zerpet mentioned this issue Nov 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ChunyiLyu ChunyiLyu

Labels
security
Projects
None yet
Milestone
No milestone
4 participants
@Zerpet @ChunyiLyu @coro @MirahImage