Conversation
@jim-wang-yutsung jim-wang-yutsung commented Jul 26, 2022

Closes: #3257

Signed-off-by: Jim Wang (Intel) [email protected]

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/main/.github/Contributing.md

PR Checklist

Please check if your PR fulfills the following requirements:

  • [x] I am not introducing a breaking change (if you are, flag in conventional commit message with BREAKING CHANGE: describing the break)
  • [x] I am not introducing a new dependency (add notes below if you are)
  • [ ] I have added unit tests for the new feature or bug fix (if not, why?) The same unit tests cover regression, and `make test` still works.
  • [x] I have fully tested (add details below) the new feature or bug fix (if not, why?)
  • [ ] I have opened a PR for the related docs change (if not, why?)

Testing Instructions

  1. `git clone` this branch and build the security-bootstrapper docker image: `make docker_security_bootstrapper`

  2. Go to the edgex-compose repo and use this locally built image for security-bootstrapper in the docker-compose file, i.e.: `make gen dev` or run it with `make run dev`

  3. Run it up with docker-compose or `make run dev`

  4. Once the stack is up, obtain the Consul admin token via `make get-consul-acl-token`; we will use it to verify that policies and tokens were generated by logging into the Consul UI and checking them.

  5. Use the Consul admin token to log in to Consul in any browser at http://localhost:8500

  6. After login, go to the Policy view (click on the Policies hyperlink on the left panel) and check that policies were generated for all services, something like the following:
     [image: consul_policies_per_service]

  7. Then go to the Token view (click on the Tokens hyperlink on the left panel) and check that Consul tokens were generated per service policy:
     [image: consul_tokens_per_service]

  8. Now we can test that the key-value store is only accessible to its own service from the kv API point of view: copy app-http-export's Consul token, export it, and then use it to read one of its own keys:

```shell
# use http-export's consul token
export CONSUL_TOKEN=057fcff7-2a4e-15ab-a115-e64cda7f28b9
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X GET "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host"
```

```
[{"LockIndex":0,"Key":"edgex/appservices/2.0/app-http-export/Database/Host","Flags":0,"Value":"ZWRnZXgtcmVkaXM=","CreateIndex":548,"ModifyIndex":548}]
```

  As we can see, its own Consul token works for kv read; now we can also test kv write for its own key:

```shell
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X PUT "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host" -d 'test consul'
```

```
true
```

  9. Now we use a different Consul token from another service to test whether kv read is restricted or not:

```shell
export CONSUL_TOKEN=3c7f7fd0-7170-4c8a-4c4c-f36f5a672f15
# try to read app-http-export's key:
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X GET "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host"
```

```
Permission denied: token with AccessorID '154e821e-325b-2681-a45f-6e3ca6141b77' lacks permission 'key:read' on "edgex/appservices/2.0/app-http-export/Database/Host"
```

  So kv read is permission denied when we use another service's Consul token to read it.

  10. And we can also test kv write using the other Consul token:

```shell
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X PUT "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host" -d 'edgex-redis'
```

```
Permission denied: token with AccessorID '154e821e-325b-2681-a45f-6e3ca6141b77' lacks permission 'key:write' on "edgex/appservices/2.0/app-http-export/Database/Host"
```

  Again, the kv write permission is denied, as we intended.

New Dependency Instructions (If applicable)
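The isolation the testing steps above verify by hand (own token reads and writes its own subtree, another service's token is denied both) can be modelled offline. The following is an added example, not code from edgex-go or Consul; it assumes each generated per-service policy is a single `key_prefix` rule granting `write` on that service's own configuration subtree, and it reproduces Consul's evaluation rule that the longest matching prefix decides and unmatched keys fall back to default deny. Token values and the core-data policy are constructed placeholders.

```python
"""Model of Consul key_prefix ACL evaluation for per-service tokens.

Added example (not edgex-go or Consul code). The policy contents are an
assumption based on the PR's testing steps: one key_prefix rule per
service, granting "write" (which in Consul implies read) on its own subtree.
"""

# Constructed policies, keyed by service name (assumption, see above).
POLICIES = {
    "app-http-export": {"edgex/appservices/2.0/app-http-export/": "write"},
    "core-data": {"edgex/core/2.0/core-data/": "write"},
}

# Constructed token -> service binding. Values are placeholders, not real tokens.
TOKENS = {
    "TOKEN-APP-HTTP-EXPORT": "app-http-export",
    "TOKEN-CORE-DATA": "core-data",
}

# Ordering of Consul key policy levels: write implies read.
LEVELS = {"deny": 0, "read": 1, "write": 2}


def kv_allowed(token: str, key: str, op: str) -> bool:
    """True if `token` may perform `op` ('read' or 'write') on `key`.

    Longest matching key_prefix wins; no match means default deny.
    """
    service = TOKENS.get(token)
    if service is None:
        return False  # unknown token: treated as anonymous, denied
    rules = POLICIES[service]
    best = None
    for prefix in rules:
        if key.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    granted = LEVELS["deny"] if best is None else LEVELS[rules[best]]
    return granted >= LEVELS[op]


def check_isolation(service: str, key: str) -> dict:
    """Run the four cases from the testing steps (own/other x read/write)."""
    own = next(t for t, s in TOKENS.items() if s == service)
    other = next(t for t, s in TOKENS.items() if s != service)
    return {
        "own_read": kv_allowed(own, key, "read"),
        "own_write": kv_allowed(own, key, "write"),
        "other_read": kv_allowed(other, key, "read"),
        "other_write": kv_allowed(other, key, "write"),
    }
```

Running `check_isolation("app-http-export", "edgex/appservices/2.0/app-http-export/Database/Host")` yields the same allow/deny pattern as the four curl calls above.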

@lenny-goodell lenny-goodell (Member) left a comment

LGTM, but not expert in this area. Will defer to @bnevis-i

@bnevis-i bnevis-i marked this pull request as draft July 27, 2022 17:57
@bnevis-i bnevis-i added the hold Intended for PRs we want to flag for ongoing review label Jul 27, 2022
@jim-wang-yutsung (Author) commented

Discussed with Bryon (@bnevis-i), and we put this on hold in draft because there is no clean way to determine the dynamic structure for the key prefix from the security-bootstrapper point of view:

[image: key_value_structure]

…gent related access rights

Signed-off-by: Jim Wang (Intel) <[email protected]>
@jim-wang-yutsung jim-wang-yutsung removed the hold Intended for PRs we want to flag for ongoing review label Jul 27, 2022
@jim-wang-yutsung jim-wang-yutsung marked this pull request as ready for review July 27, 2022 21:52
Signed-off-by: Jim Wang (Intel) <[email protected]>
@sonarqubecloud commented

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A, 0 Bugs
  • Vulnerabilities: A, 0 Vulnerabilities
  • Security Hotspots: A, 0 Security Hotspots
  • Code Smells: A, 1 Code Smell
  • Coverage: No Coverage information
  • Duplication: 0.0%

@lenny-goodell lenny-goodell (Member) left a comment

LGTM, deferring to @bnevis-i for final approval

@bnevis-i bnevis-i (Collaborator) left a comment

LGTM. Does exactly what I expect it to do.

@jim-wang-yutsung jim-wang-yutsung merged commit 85bfaaf into edgexfoundry:main Jul 28, 2022
@jim-wang-yutsung jim-wang-yutsung deleted the consul-policy-per-service-role branch July 29, 2022 00:00

Labels

enhancement New feature or request levski fall 2022 release security-services

Development

Successfully merging this pull request may close these issues.

[Secure Consul Ph. 3] Create ACL Policies and Roles for all services and per EdgeX service
