feat(AWS OIDC): deleting integration removes associated resources#59607
feat(AWS OIDC): deleting integration removes associated resources#59607alexhemard merged 1 commit intomasterfrom
Conversation
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
28fa1c3 to
fe5ad9e
Compare
r0mant
requested review from
marcoandredinis
and removed request for
flyinghermit
|
@marcoandredinis @kimlisa Can you folks review this? |
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
2 times, most recently
from
3e2fd5f to
c36ae03
Compare
| func (s *Service) deleteAWSOIDCAssociatedResources(ctx context.Context, authCtx *authz.Context, ig types.Integration) error { | ||
| s.logger.DebugContext(ctx, "Deleting DiscoveryConfig associated with integration", "integration", ig.GetName()) | ||
|
|
||
| if err := authCtx.CheckAccessToKind(types.KindDiscoveryConfig, types.VerbDelete, types.VerbList); err != nil { |
There was a problem hiding this comment.
This raises a couple of questions:
A) let's say a user only has integration.create and integration.delete access (no discovery_config.delete/list/update).
They can create an integration but cannot delete it.
It will be weird to see access denied to list discovery_config when trying to delete an integration
I'm not sure what we could do here.
I think we have a couple of options:
- do not remove the resources which you don't have access to (this is, hopefully, an edge case)
- require
discovery_config.*permissions when users try to create an integration - return an error but return a better error message explaining that they need the
discovery_config.delete/list/updatepermissions in order to delete the integration.
B) it's missing the discovery_config.update verb, given that we might end up updating the resource (in case it has other matchers)
Can we add that verb as well?
C) We are also listing and, possibly, deleting an AppServer.
I think we should also add that as a pre-req.
There was a problem hiding this comment.
do not remove the resources which you don't have access to (this is, hopefully, an edge case)
seems 'not great' to silently skip this given there's a parameter to delete associated resources needed
require discovery_config.* permissions when users try to create an integration
seems like this could be removed after the fact
return an error but return a better error message explaining that they need the discovery_config.delete/list/update permissions in order to delete the integration.
👍 I think a better error message is appropriate here
B) it's missing the discovery_config.update verb
I'll add the missing verbs, app server check
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
3 times, most recently
from
341a2ab to
998e4fa
Compare
r0mant
left a comment
r0mant
left a comment
There was a problem hiding this comment.
Looks reasonable with a few comments/suggestions.
| if err := authCtx.CheckAccessToKind(types.KindDiscoveryConfig, | ||
| types.VerbList, types.VerbUpdate, types.VerbDelete); err != nil { | ||
| return trace.AccessDenied( | ||
| `deleting AWS OIDC integration requires 'list', 'update', and 'delete' ` + | ||
| `permissions for 'discovery_config' kind to remove associated resources`) | ||
| } | ||
|
|
||
| if err := authCtx.CheckAccessToKind(types.KindAppServer, | ||
| types.VerbList, types.VerbDelete); err != nil { | ||
| return trace.AccessDenied( | ||
| `deleting AWS OIDC integration requires 'list' and 'delete' ` + | ||
| `permissions for 'app_server' kind to remove associated resources`) | ||
| } |
There was a problem hiding this comment.
All the other methods here check access to KindIntegration which I think we should follow here as well. It would be weird if creating the integration requires you to have access to one resource and deleting it to another. Since this only removes resources specific to this integration, it should be ok to check against integration kind.
There was a problem hiding this comment.
This is meant to be called from DeleteIntegration following the pattern from deleteGitHubAssociatedResources https://github.com/gravitational/teleport/blob/master/lib/auth/integration/integrationv1/service.go#L505-L527
The integration delete check occurs here https://github.com/gravitational/teleport/blob/master/lib/auth/integration/integrationv1/service.go#L384-L386
Would it suffice to add a comment that an access check to KindIntegration is expected ?
There was a problem hiding this comment.
Hmm I see. In that case it is probably fine, and yeah, a comment would be helpful. Do we require permissions to create/update KindDiscoveryConfig and KindAppServer when creating the integration? @marcoandredinis
There was a problem hiding this comment.
We don't require those permissions when creating the integration.
They are only checked when using the flows:
discovery_config.<verb>when setting up auto discoverapp_server.<verb>when enabling AWS App Access
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
998e4fa to
01178e2
Compare
| // Update discovery_config if any AWSMatchers were removed | ||
| if len(filteredAWSMatchers) != len(config.Spec.AWS) { | ||
| config.Spec.AWS = filteredAWSMatchers | ||
| if _, err := s.backend.UpdateDiscoveryConfig(ctx, config); err != nil { | ||
| return trace.Wrap(err) | ||
| } | ||
| } |
There was a problem hiding this comment.
TBH I feel like updating discovery config to remove integration-related rules is a bit wonky.
Per my understanding this can only happen if someone explicitly creates a discovery config that has rules that reference an integration and other rules that don't. Our guided flows don't do that so you can only get a discovery config that has integration-specific matchers.
Given this is created by users, I don't think that silently removing the rules from it is good UX, even though I don't imagine this is a common use-case. I would recommend that we return an error to users in this case saying "this integration X is referenced by discovery config Y, please use the command Z to see the config and update it before removing this integration".
In general, we should not be removing or modifying stuff that users created. @marcoandredinis do we have any indicator that a discovery config was created by the guided flow? We should only be deleting the resources created by the integration and leaving others in place (and potentially blocking integration deletion with a message like I mentioned above).
There was a problem hiding this comment.
do we have any indicator that a discovery config was created by the guided flow?
We don't, but I agree we should.
We could add a label which indicates a direct relation with the integration:
teleport.dev/integration: <integration-name>
teleport.dev/remove-on-integration-deletion: true
We could start implementing this (or a variation of it).
Then, it would be obvious to the user that this discovery config will be deleted if the integration is deleted.
For existing discovery configs, we still need to be smart about whether to delete them or not:
- delete them if it only has integration-based matchers
- return an error if there's at least one discovery config which uses another integration, or no integration at all
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
2 times, most recently
from
5ea58a4 to
cd6f55c
Compare
| _, err := uuid.Parse(config.GetName()) | ||
| if err != nil { | ||
| continue | ||
| } |
There was a problem hiding this comment.
More of a nit, but I would move this down under if config.IsMatchersEmpty() condition so we don't do parsing work unless we know this is a config we want to remove. And with a comment explaining that if this is not a valid UUID then it wasn't created by the guided flow so we shouldn't touch it.
| // Delete discovery configs with | ||
| // 1. valid UUID name | ||
| // 2. only contains an AWSMatcher associated with integration | ||
| for config, err := range clientutils.Resources(ctx, s.backend.ListDiscoveryConfigs) { |
There was a problem hiding this comment.
s.backend.ListDiscoveryConfigs
We should be using cache, not backend directly for reads.
I also looked at how AWS OIDC Service is being initialized and I don't think it's initialized correctly:
teleport/lib/auth/grpcserver.go
Line 5788 in cd6f55c
It gets passed Auth directly, not Auth's caching client like for example here:
teleport/lib/auth/grpcserver.go
Line 5774 in cd6f55c
cc @marcoandredinis Any idea why?
There was a problem hiding this comment.
You are right 👍
Just raised a PR to start using the cache in AWS OIDC Service: #59855
| } | ||
|
|
||
| // Delete AWS access app_server associated with this integration | ||
| appServers, err := s.backend.GetApplicationServers(ctx, defaults.Namespace) |
There was a problem hiding this comment.
This also should be using cache, not backend. A cluster can have tens (or even hundreds) of thousands of application servers and this decimate backend.
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
4 times, most recently
from
bb1d993 to
855b380
Compare
|
changes:
|
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
855b380 to
5a8ebf1
Compare
r0mant
left a comment
r0mant
left a comment
There was a problem hiding this comment.
lgtm with a couple remaining comments
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
5a8ebf1 to
a94fec2
Compare
marcoandredinis
left a comment
marcoandredinis
left a comment
There was a problem hiding this comment.
I'll defer to @kimlisa the frontend changes, but backend looks good, thank you.
| // TODO(alexhemard): follow up work needed to add explicit labels for | ||
| // resources created by integration rather than rely on implicit rules |
There was a problem hiding this comment.
Can we create an issue to track this instead?
public-teleport-github-review-bot
bot
removed the request for review
from kimlisa
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
a94fec2 to
7f7d2c4
Compare
| <Alert | ||
| kind="warning" | ||
| primaryAction={{ | ||
| content: 'AWS Resource Explorer', | ||
| href: awsResourceExplorerUrl, | ||
| }} | ||
| > | ||
| There may be AWS resources created by this integration that require | ||
| manual clean up. Visit the AWS Resource Explorer to see resources with | ||
| tags matching this integration. | ||
| </Alert> |
There was a problem hiding this comment.
is it implied that users will be on the correct AWS account when clicking on the link? i just happened to have integrated two different aws accounts, and it could look like an empty list, if the integration we're trying to delete is not the one we are signed into?
There was a problem hiding this comment.
maybe we can emphasize the aws account ID somewhere like in the title perhaps
| Teleport resources used for auto-discovery that reference this | ||
| integration will also be removed. |
There was a problem hiding this comment.
in case user doesn't read to the end 😆 (like me)
| Teleport resources used for auto-discovery that reference this | |
| integration will also be removed. | |
| Teleport will also remove resources used for auto-discovery that reference this | |
| integration. |
| <Alert kind="info"> | ||
| Teleport resources used for auto-discovery that reference this | ||
| integration will also be removed. |
There was a problem hiding this comment.
not a blocker, but i'd consult with UX folks and get consistent design. for git server this similar message "Teleport will delete" is inside a warning banner instead and is at the bottom of the dialogue.
alexhemard
force-pushed
the
alexhemard/aws-oidc-cleanup
branch
from
7f7d2c4 to
b2a8b05
Compare
|
@alexhemard See the table below for backport results.
|
4 participants
Description
Issue: #42287
This PR will remove associated resources when removing an AWS OIDC Integration.
Screenshots
Delete AWS OIDC Integration Dialog
changelog: Deleting an AWS OIDC integration will remove associated Teleport Discovery Configs and App servers that reference the integration