
Rework auth to include scopes as well as groups #2092

Merged (29 commits, Jun 4, 2020)

Conversation

ssalinas (Member) commented May 13, 2020

The previous setup was originally meant for a very simple auth scheme. We now need a bit more granularity, since a set of groups only allows us to do things at a mostly global level for permissioning.

This PR initially refactors the authorization helper to an interface with a groups as well as a groups+scopes implementation. Still TODO:

  • Actually write the groups + scopes authorizer
  • Unit tests for ^^
  • Wire up an operation mode for the groups and scopes authorizer or additional implementation that logs one and falls back to the other. Ideally we could do something like be able to run the new code and old code at once and just log if they are different. This may or may not be possible easily since they would have separate api endpoints for webhooks
  • Wire up jita with increased logging for all jita-ed actions

cc @pschoenfelder

@ssalinas (Member, Author)

@pschoenfelder mind taking a look on this one? Biggest open question I have is if we should keep the defaultReadOnlyGroups config around or not. Need to check if our setup is creating requests with top level groups as the default read only, or if Singularity is adding that right now. Not sure if we want that default behavior to be that permissive (though it is current I guess)

}

@Override
public void checkAdminAuthorization(SingularityUser user) {
Contributor

Looks like this and several other methods below follow the same pattern of checkGrantedByScopes -> check groups authorizer -> maybe warn. Is there a way to factor the pattern out?

Member Author

yeah, I can take another pass at slimming it down after I do a few initial tests in staging. Did one pass already to factor some things out, but I think you're right that I can DRY it up a bit more
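One way to factor out the repeated "scopes -> groups authorizer -> maybe warn" pattern raised in the review comment, combined with the run-both-and-log-differences mode described in the PR description. This is an added example, not Singularity's own code: the SingularityAuthorizer interface, AuthorizationException, the user record and the scope name "singularity:admin" are all assumed.

```java
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.logging.Logger;

// Assumed minimal user model; only the fields this example needs.
record SingularityUser(String id, Set<String> groups, Set<String> scopes) {}
// Assumed exception type thrown by a failed check.
class AuthorizationException extends RuntimeException {
  AuthorizationException(String message) { super(message); }
}
// Assumed interface shared by the groups-only and groups+scopes authorizers.
interface SingularityAuthorizer {
  void checkAdminAuthorization(SingularityUser user);
}

// Runs the scope check beside the legacy groups authorizer, logs when the two
// disagree, and keeps the legacy result authoritative while the new path is validated.
class DualAuthorizer implements SingularityAuthorizer {
  private static final Logger LOG = Logger.getLogger(DualAuthorizer.class.getName());
  private final SingularityAuthorizer groupsAuthorizer;

  DualAuthorizer(SingularityAuthorizer groupsAuthorizer) {
    this.groupsAuthorizer = groupsAuthorizer;
  }

  @Override
  public void checkAdminAuthorization(SingularityUser user) {
    // "singularity:admin" is a constructed placeholder scope name.
    checkScopesThenGroups(user, "admin",
        u -> u.scopes().contains("singularity:admin"),
        groupsAuthorizer::checkAdminAuthorization);
  }

  // The repeated pattern factored out once; every other check* method delegates here.
  private void checkScopesThenGroups(SingularityUser user, String action,
      Predicate<SingularityUser> grantedByScopes, Consumer<SingularityUser> groupsCheck) {
    boolean scopesOk = grantedByScopes.test(user);
    boolean groupsOk = true;
    try { groupsCheck.accept(user); } catch (AuthorizationException e) { groupsOk = false; }
    if (scopesOk != groupsOk) {
      LOG.warning(String.format("authorizer mismatch for %s on %s: scopes=%b groups=%b",
          user.id(), action, scopesOk, groupsOk));
    }
    if (!groupsOk) {
      throw new AuthorizationException(user.id() + " is not authorized for " + action);
    }
  }
}
```

Because the legacy result still decides the outcome, a bug in the scope path shows up as mismatch warnings in the log rather than as the blanket 401s mentioned later in the thread.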

@pschoenfelder (Contributor)

Looks good to me. Nice unit tests 👍 Always happy to see that. As far as removing defaultReadOnlyGroups goes, I would lean towards keeping it, at least for now while these changes get rolled out.

@ssalinas (Member, Author)

Bug in here somewhere still, dual authorizer returned all 401s on staging

@ssalinas ssalinas added the hs_qa label May 18, 2020
@ssalinas ssalinas marked this pull request as ready for review May 18, 2020 18:55
@pschoenfelder (Contributor)

🚢

@ssalinas ssalinas mentioned this pull request Jun 4, 2020
@ssalinas ssalinas merged commit 10eb704 into master Jun 4, 2020
@ssalinas ssalinas deleted the groups_scopes_rework branch June 4, 2020 16:34
@ssalinas ssalinas added this to the 1.3.0 milestone Sep 24, 2020