adam/org-notes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Permissions docs

Browse Source
This commit is contained in:
Adam Mohammed
2024-09-18 12:34:32 -04:00
parent 1da31679cb
commit 09d18e5d3a
4 changed files with 408 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
equinix/design/permissions-migration/home.org Normal file
View File

@@ -0,0 +1,11 @@
#+TITLE: Permissions Migration Home
#+AUTHOR: Adam Mohammed
#+DATE: September 18, 2024
* Initial Design Doc
* Test Plan
* Architecture Design Review doc
* Permissions Overview for Handbook

88
equinix/design/permissions-migration/permissions-initial-design.org Normal file
View File

@@ -0,0 +1,88 @@
#+TITLE: Permissions Redesign
#+AUTHOR: Adam Mohammed
* Overview
This document describes what granularity we'll have available for MVP
when using permissions-api as the policy decision point (PDP).
* Top-Level Resources
** User Based Resources
- User
- APIKeys (bound to user)
** Project Level Resources
- Project (Read/update/delete)
- Instances
- Appliances
- Reservations (aka Hardware Reservations)
- Document
- IP Reservation
- IP Address
- IP Assignment
- Virtual Network
- Virtual Circuit
- Interconnection (Read/update)
- VRF
- Membership
- Invitations
- BGP Sessions
- BGP Configs
- Project API Keys
*** Lower-tier resources
- BGPDynamicNeighbors authorizes through MetalGateway
- ElasticIps authorizes through MetalGateway
- VRFIPReservation authorizes through VRF
- VRFLearnedRoutes authorizes through VRF
- VRFBGPNeighbors authorizes through VRF
- VRFStaticRoutes authorizes Through VRF
- Authorizes through Instance:
- Actions (reboot/power-cycle) (create, list)
- Ip Assignments (create, list only)
- Traffic (index only)
- Termination (POST only)
- BGPSessions (CRUD)
- BGPNeighbors (index only)
- Bandwidth (index only)
- SSH-keys (index only)
- Diagnostics (Read only)
- Metadata (read only)
- Userdata (read only)
- Error reports (create, read)
** Organization Level Resources
- Organization
- Project (create-only)
- Interconnection (create/delete)
** Weird ones
BGP Config Requestss
2FA enforce
* Phase 2
We decided to just throw actions on organizations/projects/user
ok, so I can configure the check access to dump out the context I need.
For every controller + action, I need:
The resource type the permission check is on
The action name that the check requires
With that I can produce the policy that we need on the Permissions API side

286
equinix/design/permissions-migration/policy.org Normal file
View File

@@ -0,0 +1,286 @@
#+TITLE: Metal API Policy
#+AUTHOR: Adam Mohammed
* How to produce this information?
Using this snippet placed in =config/initializers/packet.rb=
#+begin_src ruby
def permission_logger
Class.new do
def initialize(db)
@db = db
end
def permissions_sql
<<-SQL
INSERT INTO metal_permissions (
controller_name, path, resource, action
) VALUES ( ?, ?, ?, ?);
SQL
end
def check_access(*args, **kwargs)
context = kwargs[:context]
controller = context[:controller]
path = controller.request.path
controller_action = "#{controller.class.name}##{controller.action_name}"
@db.execute(permissions_sql, [controller_action, path, args[1], args[2]])
true
end
end
end
def permissions_checker
::Authorization::PolicyEngine::IAMChecker.new(client: permission_logger.new(sqlite_db))
end
#+end_src
I then pushed a branch so the standard CI pipeline build would spit out
a DB with the results:
#+begin_src diff
modified .buildkite/pipeline.yaml
@@ -96,6 +96,8 @@ steps:
commands:
- /home/packet/api/.buildkite/script/parallel_test_setup.sh
- /home/packet/api/.buildkite/script/cucumber-container.sh
+ artifact_paths:
+ - 'test.db'
retry:
automatic:
- exit_status: "*"
@@ -109,6 +111,7 @@ steps:
env:
BUILD_NUMBER: ${BUILDKITE_BUILD_NUMBER}
API_BUILD_IMAGE: ${API_BUILD_IMAGE}
+ POLICY_ENGINE: "cancancan_wins"
- label: Rspec
key: "rspec"
@@ -117,6 +120,8 @@ steps:
commands:
- /home/packet/api/.buildkite/script/parallel_test_setup.sh
- /home/packet/api/.buildkite/script/rspec-container.sh
+ artifact_paths:
+ - 'test.db'
retry:
automatic:
- exit_status: "*"
@@ -132,6 +137,7 @@ steps:
env:
BUILD_NUMBER: ${BUILDKITE_BUILD_NUMBER}
API_BUILD_IMAGE: ${API_BUILD_IMAGE}
+ POLICY_ENGINE: "cancancan_wins"
- label: Build spec image
key: "spec-build"
#+end_src
If later you want to combine these dbs you can do so as follows:
1. Download =test.db= from the rspec step and name it =test-rspec.db=
2. Download =test.db= from the cucumber step and name it =test-cucumber.db=
3. Create the merged =test-full-suite.db=
#+begin_src bash
$ cp test-rspec.db test-full-suite.db
$ sqlite3 'test-full-suite.db'
sqlite> ATTACH 'test-cucumber' AS cuke
sqlite> BEGIN;
sqlite> INSERT INTO metal_permissions SELECT * FROM cuke.metal_permissions;
sqlite> COMMIT;
sqlite> DETACH cuke;
sqlite> .quit
#+end_src
* Organization actions
#+begin_src
metal_billing_information_get
metal_billing_information_update
metal_capability_list
metal_coupon_usage_list
metal_coupon_usage_redeem
metal_credit_create
metal_credit_delete
metal_credit_list
metal_discount_create
metal_enforce_2fa_create
metal_instances_listing_list
metal_interconnection_create
metal_interconnection_delete
metal_interconnection_get
metal_interconnection_list
metal_interconnection_port_get
metal_interconnection_port_list
metal_interconnection_update
metal_interconnection_virtual_circuit_create
metal_interconnection_virtual_circuit_list
metal_interconnection_virtual_circuit_update
metal_invitation_create
metal_invitation_delete
metal_invitation_get
metal_invitation_list
metal_invitation_resend
metal_invitation_update
metal_ip_address_delete
metal_ip_address_get
metal_lab_get
metal_leave_organization_create
metal_member_delete
metal_member_list
metal_member_update
metal_membership_delete
metal_membership_update
metal_organization_create
metal_organization_delete
metal_organization_get
metal_organization_logos
metal_organization_update
metal_payment_get
metal_payment_method_create
metal_payment_method_delete
metal_payment_method_get
metal_payment_method_list
metal_payment_method_update
metal_project_create
metal_search_search_plans
metal_tier_inquiry_create
metal_vendor_list
#+end_src
* Project actions
#+begin_src
metal_acl_list
metal_activate_create
metal_allocation_list
metal_batch_delete
metal_batch_get
metal_batch_list
metal_bgp_config_delete
metal_bgp_config_request_create
metal_bgp_config_update
metal_bgp_config_view
metal_bgp_dynamic_neighbor_create
metal_bgp_dynamic_neighbor_list
metal_bgp_neighbor_list
metal_bgp_session_create
metal_bgp_session_delete
metal_bgp_session_get
metal_bgp_session_list
metal_bgp_session_update
metal_discount_create
metal_dn_create
metal_dn_list
metal_ecx_connection_create
metal_ecx_connection_list
metal_error_report_create
metal_error_report_get
metal_event_alert_configuration_create
metal_event_alert_configuration_get
metal_event_alert_configuration_update
metal_firmware_set_get
metal_global_bgp_range_list
metal_hardware_reservation_get
metal_health_get
metal_instance_action_create
metal_instance_action_list
metal_instance_batch_create
metal_instance_create
metal_instance_delete
metal_instance_get
metal_instance_list
metal_instance_metadatum_show_by_ip
metal_instance_password_create
metal_instance_update
metal_instances_listing_list
metal_interconnection_create
metal_interconnection_list
metal_interconnection_virtual_circuit_create
metal_interconnection_virtual_circuit_list
metal_interconnection_virtual_circuit_update
metal_invitation_create
metal_invitation_list
metal_ip_address_delete
metal_ip_address_get
metal_ip_address_update
metal_ip_assignment_create
metal_ip_assignment_list
metal_ip_availability_available
metal_ip_reservation_create
metal_ip_reservation_list
metal_ip_reservation_request_create
metal_ip_reservation_update
metal_leave_project_create
metal_license_activation_get
metal_license_create
metal_license_delete
metal_license_get
metal_license_list
metal_license_update
metal_membership_delete
metal_membership_get
metal_membership_list
metal_membership_update
metal_metal_gateway_create
metal_metal_gateway_delete
metal_metal_gateway_elastic_ip_create
metal_metal_gateway_elastic_ip_list
metal_metal_gateway_get
metal_metal_gateway_list
metal_metering_limit_create
metal_move_create
metal_project_api_key_create
metal_project_api_key_list
metal_project_create
metal_project_delete
metal_project_get
metal_project_update
metal_reservation_create
metal_reservation_get
metal_reservation_list
metal_screenshot_get
metal_spot_market_request_create
metal_spot_market_request_delete
metal_spot_market_request_get
metal_spot_market_request_list
metal_subscribed_event_create
metal_subscribed_event_delete
metal_subscribed_event_get
metal_subscribed_event_list
metal_subscribed_events_all_create
metal_subscribed_events_all_delete
metal_traffic_list
metal_transfer_request_create
metal_transfer_request_delete
metal_transfer_request_get
metal_transfer_request_update
metal_userdatum_show_by_ip
metal_virtual_network_create
metal_virtual_network_delete
metal_virtual_network_get
metal_virtual_network_list
metal_virtual_network_update
metal_vrf_create
metal_vrf_delete
metal_vrf_get
metal_vrf_list
metal_vrf_route_create
metal_vrf_route_delete
metal_vrf_route_get
metal_vrf_route_list
metal_vrf_route_update
metal_vrf_update
#+end_src
* User actions
#+begin_src
metal_discount_create
metal_metering_limit_create
metal_sales_report_get
metal_user_avatars
metal_user_force_verify
metal_user_get
metal_user_update
#+end_src

23
equinix/design/permissions-migration/test-plan.org Normal file
View File

@@ -0,0 +1,23 @@
#+TITLE: Testing IAM-Runtime checks for Metal API
#+AUTHOR: Adam Mohammed
* What's changed
* Stages of testing
- Initial Canary
- Run terraform against internal canary URL
- Slow roll to production
- Watch for errors
- In-production warn mode
- Observe for discrepancies between cancancan/iam-runtime
- Runtime winning mode
- Completed
* Monitoring
- Trace attributes that are relevant
- Dashboards
- Create dashboard around cancancan disagreements
- Create dashboard where resource was not metal org/project/user
* Handling broken cases