Tighten storage-operator permissions against Salt #2635

gdemonet · 2020-06-18T22:14:15Z

Component: salt, storage-operator

Context: see conversation in #2634

Summary: to do

Acceptance criteria: to do

Closes: #2634
Fixes: #1528
Fixes: #2084

slaperche-scality

LGTM

slaperche-scality · 2020-06-19T07:02:50Z

storage-operator/deploy/role.yaml

@@ -4,36 +4,23 @@ metadata:
  creationTimestamp: null
  name: storage-operator
 rules:
+# For recording transition events


Good idea to add comments in this file 👍

FWIW, if we update operator-sdk/controller-runtime (or move to kubebuilder), the RBAC rules are to be defined in the Go code using annotations, and this file is to be generated by the tooling.

Oh yeah... Debt ticket #2644

slaperche-scality · 2020-06-19T07:05:21Z

salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2

@@ -45,7 +45,9 @@ external_auth:
    storage-operator:
      - '*':
        - 'disk.dump'
-        - 'state.sls'
+        - 'state.sls':


Ho, this was simpler than I thought ^^

That's the theory, not working atm 😅

OK it looks like it's working actually!

We don't want too open permissions for security reasons that were made obvious in #2634. We thus reduce the rules deployed to the bare minimum, and add some inline comments to better explain why each ruleset is needed. Fixes: #2084

This checks that if not allowed in Salt eauth perms, an authenticated user (using 'storage-operator' as a practical example) cannot run any module (using 'test.ping' as an example). See: #2634

Reduce to only state formulas in `metalk8s.volumes`. Fixes: #1528

NicolasT · 2020-06-19T13:07:19Z

storage-operator/deploy/role.yaml

  verbs:
-  - '*'
+  - get


Why does the storage-operator need to read deployments and replicasets?

It comes from kubemetrics: when creating the Service, it reads its Pod's owner controller (a ReplicaSet) and this controller's controller (a Deployment) to determine the right selector to use, I think. The information is disseminated in several issues and pull requests in operator-sdk, and I found most of them when investigating the Failed to list *unstructured.Unstructured error logs. Could do some digging up my history if you want, but I can confirm that there were unauthorized errors if I remove those permissions.

When changes lead to issues in storage-operator provisioning of Volumes, it is useful to provide the user with appropriate details directly in the logs, instead of requiring manual investigations on the platform.

gdemonet · 2020-06-20T11:20:21Z

/approve

bert-e · 2020-06-20T11:20:30Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
one peer

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

bert-e · 2020-06-20T21:01:56Z

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

✔️ development/2.4
✔️ development/2.5
✔️ development/2.6

The following branches will NOT be impacted:

development/1.0
development/1.1
development/1.2
development/1.3
development/2.0
development/2.1
development/2.2
development/2.3

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

Any commit you add on the source branch will trigger a new cycle after the
current queue is merged.
Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve

bert-e · 2020-06-23T13:02:30Z

I have successfully merged the changeset of this pull request
into targetted development branches:

✔️ development/2.4
✔️ development/2.5
✔️ development/2.6

The following branches have NOT changed:

development/1.0
development/1.1
development/1.2
development/1.3
development/2.0
development/2.1
development/2.2
development/2.3

Please check the status of the associated issue None.

Goodbye gdemonet.

gdemonet added topic:security Security-related issues topic:tests What's not tested may be broken release:blocker An issue that blocks a release until resolved topic:salt Everything related to SaltStack in our product labels Jun 18, 2020

gdemonet added this to the MetalK8s 2.4.4 milestone Jun 18, 2020

gdemonet requested review from NicolasT and slaperche-scality June 18, 2020 22:14