SCC sorting by priority

[pweil-]

Sorts SCCs by a priority field and then by name. Adds a priority to the privileged SCC so that if you have administrative access you will use that SCC by default (though this is largely unnecessary since the first commit allows authenticated users to run as any uid).

Builds on #5498 which is hanging out in the merge queue right now so only the last three commits need reviewed.

Fixes #5317

@liggitt @smarterclayton

[pweil-]

fixing commits so I don't incur rebase wrath, I packaged v1beta3 in with non-v1beta3.

edit: fixed. Last 3 commits need reviewed

[liggitt]

Ones with priority specified should come before ones without. Equal priority should maybe sort by the current sort behavior, rather than name, for backwards compatibility

[liggitt]

In the case of a tie between priority AND old security score, name is fine to break the tie

[liggitt]

"determines which SCC is used when multiple SCCs allow a particular pod; higher priority SCCs are preferred"

[liggitt]

I would prefer priority over sortPriority... priority implies a sort, I think

[deads2k]

I was wondering this during SCC review as well. Why not simply merge all the user's available SCCs together, taking the highest privilege and preserving ranges alongside the "any's" for defaulting purposes. Then attempt to fill in the default pod a single time instead of once per SCC with the full set of available options. Wouldn't that solve the union problem, the separate of SCCs without specifying all combinations problem, the improper priority problem, and make the code easier to understand all at the same time? Seems like that would only become weird if you wanted crazy things like, "you can use these GIDs, but only as this UID".

I'm guessing you guys considered and discarded this, but I'd like to understand why.

[liggitt]

Why not simply merge all the user's available SCCs together, taking the highest privilege and preserving ranges alongside the "any's" for defaulting purposes. Then attempt to fill in the default pod a single time instead of once per SCC with the full set of available options. Wouldn't that solve the union problem, the separate of SCCs without specifying all combinations problem, the improper priority problem, and make the code easier to understand all at the same time?

Mixing and matching bits of different SCCs isn't a good idea... privileges can combine to allow things that weren't intended. For example:

• SCC A lets you host mount, but only as a particular user and with a specific selinux context
• SCC B does not let you host mount, but lets you run as any non-root user

Mixing and matching would let someone host mount without getting the accompanying uid and selinux restriction the admin specified.

[deads2k]

Maybe there's a better structure to use for constraints or the bindings. Having to specify every possible combination is pretty ridiculous and scales horribly as more options are added. Even just assuming on/off, we have 11 options making 2048 different potential policies to manage instead of 11.

Also for amusement, 2048 options taken 2048 at a time where order matters yields 1.6x10^5894 options. A simple, predictable system, :).

[liggitt]

1.6x10^5894 options.

Sounds pretty powerful to me :)

[smarterclayton]

I doubt you're going to see more than 10 in use at any one site. And we
can survive until then.

On Oct 31, 2015, at 8:25 AM, David Eads [email protected] wrote:

Maybe there's a better structure to use for constraints or the bindings.
Having to specify every possible combination is pretty ridiculous and
scales horribly as more options are added. Even just assuming on/off, we
have 11 options making 2048 different potential policies to manage instead
of 11.

—
Reply to this email directly or view it on GitHub
#5543 (comment).

[pweil-]

@liggitt - round 2 ready for your eyes

1. sort by priority first
2. if priorities are equal, sort by score in the old behavior
3. if priorities and score are equal sort by name
4. admin has access to privileged and anyuid
5. anyuid is given priority 1
6. changed field and descriptions according to comments

[liggitt]

change json field name to priority

[pweil-]

Damn, you're too quick. I just caught it. Fixed.

[liggitt]

don't you need a more restrictive SCC that also matches to actually check that you're matching on sort priority, and not just the secondary pointScore sort?

[pweil-]

actually, I don't need this priority at all. The SCC below it is more restrictive (a MustRunAs uid strategy rather than a MustRunAsRange) that is in scc-sa. Removing the priority they would have equal priorities. The scores should ensure that scc-sa-exact is tried before scc-sa but it should be failing to validate. We check the matched name in the test run which will ensure we're matching against what we expect....removing.

[liggitt]

LGTM

[liggitt]

it matters when we want to set defaults if the admin hasn't expressed a priority intent. Also, validate priority to be >= 0.

[liggitt]

I would expect the following behavior:

Missing priority behaves like priority=0 for purposes of sorting
Missing priority gets set on reconcile
Present priority only gets set on reconcile if they explicitly do --overwrite-priority or similar

[pweil-]

Missing priority gets set on reconcile
Present priority only gets set on reconcile if they explicitly do --overwrite-priority or similar

I see what you're saying here. I was considering it an option of either "overwrite all priorities" or "don't touch priorities" during reconcile but if the options are really "set missing" or "overwrite all" then nil makes sense. That was my disconnect.

In that case, the first reconcile run (regardless of option) will set all the missing priorities on bootstrapped commands and subsequent changes to the bootstrap SCC priorities will never update until --overwrite-priority is used. Sound about right to you?

[liggitt]

In that case, the first reconcile run (regardless of option) will set all the missing priorities on bootstrapped commands and subsequent changes to the bootstrap SCC priorities will never update until --overwrite-priority is used. Sound about right to you?

Yes, so choose priorities carefully (or just set the one we care about to 1?)

[pweil-]

@liggitt - updated to be a pointer, added checks in sorting, and a nil vs non-nil test. Also updated the printer so that nil priority doesn't show as 0 which would be confusing since 0 > nil now. Please take another pass.

[pweil-]

oh, btw, I set anyuid to 10 to give wiggle room if an admin wants to adjust other priorities (so they don't have to immediately adjust anyuid just to keep it prioritized).

[liggitt]

0 should equal nil for sorting purposes, imo

[liggitt]

add validation to make sure non-nil priority is >= 0

[liggitt]

10 PRINT "HELLO"
20 PRINT "WORLD"

[pweil-]

parse exception. Do you want the lower score (except 0) to be considered higher priority?

[liggitt]

I was just amused at setting to 10 to allow space... took me back...

[pweil-]

made nil == 0 for sorting, added in the printer, added validation method for negative priorities.

[liggitt]

LGTM

[smarterclayton]

[test]

[openshift-bot]

Evaluated for origin test up to 4c9aeb1

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/6827/)