
adding where and actions section scripts in rules #1222

Merged (8 commits), Aug 27, 2017
Conversation

klizhentas (Contributor) commented Aug 25, 2017

The following logic has been added to the roles:

kind: role
version: v3
metadata:
  name: example
spec:
  rules:
    allow:
      # only users with 'groups' trait received from identity server can modify roles
      - resources: ['roles']
        verbs: ['create', 'read', 'update', 'delete']
        where: contains(user.spec.traits["groups"], "prod")
        actions:
          # this will output user information
          - log("info", "user %v has accessed roles", user.metadata.name)

Behavior:

  • actions will be only triggered for the rule that has matched first, so order is important.
  • where and action blocks are optional
  • if no resource is supplied for the action, resource reference is ignored.

The following is supported/not supported now:

  • contains function is supported and has the following signature:
        // finds a string in a slice of strings
        contains([]string{"a", "b"}, "value")
  • equals function is supported and has the following signature:
        // compares two string values
        equals("a", "b")
  • property access is supported for user and provides access to the current user to all fields defined in the manifest as validated by schema:
        user.spec.traits
        user.metadata.labels
  • map key access is supported:
        user.spec.traits["key"] -> []string
        user.metadata.labels["label"] -> string
  • action log is supported with the following signature:
        log("info|debug|error", "user %v tried to access resource %v", user.metadata.name)
  • resource property is supported but not currently initialized; as we have to pass the resource for every action, we may do it later when the need arises in certain scenarios.

  • Note for @alex-kovoy: web/roleaccess.go is completely broken now; I rely on you refactoring it.
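To make the first-match semantics described above concrete, here is an added Go example (written for this page, not Teleport's implementation or the predicate parser this PR adds) that models a rules.allow list with the contains() built-in, optional where blocks and log actions; Context, Rule, Evaluate, ProdRule and ReadAnyRule are assumed names, and where clauses are plain Go functions rather than parsed strings:

```go
package main
import "fmt"

// Context is a constructed model of the rule context (not Teleport's own types):
// the fields a where clause reaches as user.metadata.name and user.spec.traits.
type Context struct{ User struct{ Name string; Traits map[string][]string } }

// Rule is one rules.allow entry; a nil Where means the where block was omitted.
type Rule struct {
	Resources, Verbs []string
	Where            func(Context) bool
	Actions          []func(Context) string
}

// contains mirrors the built-in: finds a string in a slice of strings.
func contains(values []string, v string) bool {
	for _, x := range values {
		if x == v {
			return true
		}
	}
	return false
}

// Evaluate walks rules in order; only the first rule that matches on resource,
// verb and where has its actions run, so later rules are never consulted.
func Evaluate(rules []Rule, ctx Context, resource, verb string) (bool, []string) {
	for _, r := range rules {
		if !contains(r.Resources, resource) || !contains(r.Verbs, verb) {
			continue
		}
		if r.Where != nil && !r.Where(ctx) {
			continue
		}
		var logged []string
		for _, act := range r.Actions {
			logged = append(logged, act(ctx))
		}
		return true, logged
	}
	return false, nil
}

// ProdRule is the role from the PR description. ReadAnyRule has no where block;
// listed before ProdRule it matches "read" first and ProdRule's log never fires.
var ProdRule = Rule{
	Resources: []string{"roles"}, Verbs: []string{"create", "read", "update", "delete"},
	Where:     func(c Context) bool { return contains(c.User.Traits["groups"], "prod") },
	Actions:   []func(Context) string{func(c Context) string { return fmt.Sprintf("info: user %v has accessed roles", c.User.Name) }},
}
var ReadAnyRule = Rule{Resources: []string{"roles"}, Verbs: []string{"read"}}
```

The ordering point matters for auditing: an unconditional rule placed ahead of a narrower one still grants access, but the narrower rule's log action is silently skipped.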

@klizhentas changed the title from "WIP: adding where and actions section scripts in rules" to "adding where and actions section scripts in rules" on Aug 25, 2017
klizhentas (Contributor Author) commented:

retest this please

// Context is a default rule context used in teleport
type Context struct {
	// User is currently authenticated user
	User User
russjones (Contributor) commented on this line:

If users can directly access the internal representation of Teleport objects like this contains(user.spec.traits["groups"], "prod"), that will make migration difficult if/when we change the internal representation of a resource.

For example, if we remove or rename traits in the future, roles will break. Not only that, because where is a string, migrating it will be non-trivial.

What do you think about a Context with predefined fields in it? That way migrations will be easier in the future.

klizhentas (Contributor Author) commented:

I'm not sure I understand your suggestion.

klizhentas (Contributor Author) commented:

@russjones these are not internal representation of teleport objects, but the API of the versioned objects exposed to the user.

@klizhentas klizhentas merged commit 61a6868 into master Aug 27, 2017
@klizhentas klizhentas deleted the sasha/where2 branch August 27, 2017 20:23
@russjones russjones mentioned this pull request Aug 28, 2017