beam icon indicating copy to clipboard operation
beam copied to clipboard
verified publisher icon apache

GCP Access Control

Open ksobrenat32 opened this issue 7 months ago • 1 comments

This PR has the purpose of implementing a GCP resource access control using a system managed through Git and Terraform

The idea is to have 5 roles:

  • Beam Viewer -> GCP Viewer permissions based on the services used by Beam and excluding secretmanager permissions.
  • Beam Commiter -> GCP Viewer permissions based on the services used by Beam and excluding secretmanager permissions. Its like Beam Viewer but for people actively contributing code.
  • Beam Infra Manager -> GCP Editor permissions based on the services used by Beam Administrators without destructive permissions.
  • Beam Admin -> Permissions similar to GCP Editor based on the services used by Beam, but with destructive capabilities.
  • Beam Owner -> This is currently a placeholder; use the GCP Owner role directly if needed.

New contributors need to add their user and desired role to the users.yml file and receive the assigned access once the PR is merged using terraform and github actions.

This would help with the administrative workflow of managing permissions and force the use of a simple set of roles.

Open for any feedback :)

ksobrenat32 avatar May 30 '25 21:05 ksobrenat32

Right now the users.yml file is mapped to the things we have right now but the idea would be to migrate them to the new roles set.

ksobrenat32 avatar Jun 11 '25 16:06 ksobrenat32

Assigning reviewers:

R: @Abacn added as fallback since no labels match configuration

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

github-actions[bot] avatar Jul 01 '25 19:07 github-actions[bot]

Reminder, please take a look at this pr: @Abacn

github-actions[bot] avatar Jul 09 '25 12:07 github-actions[bot]

Assigning new set of reviewers because Pr has gone too long without review. If you would like to opt out of this review, comment assign to next reviewer:

R: @Abacn added as fallback since no labels match configuration

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

github-actions[bot] avatar Jul 17 '25 12:07 github-actions[bot]

Added base roles on the custom roles generation script. Now the roles can have multiple base roles and not just viewer and editor, to add more permissions.

Also added some permissions roles to a new commiter role, the idea is to use it when you need resource access as a user but not as editor

ksobrenat32 avatar Jul 21 '25 19:07 ksobrenat32

@damccorm - @ksobrenat32 has added the capability to select google roles, which should help have a backwards-compatible migration.

pabloem avatar Jul 24 '25 20:07 pabloem

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large.

I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

damccorm avatar Jul 25 '25 18:07 damccorm

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large.

I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

the file is large because it adds a lot of permissions, but it only removes one. We should target to remove zero, right? so this way the migration is backwards compatible.

@ksobrenat32 can we investigate why dcrhodes is losing that one permission?

pabloem avatar Jul 25 '25 18:07 pabloem

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large. I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

the file is large because it adds a lot of permissions, but it only removes one. We should target to remove zero, right? so this way the migration is backwards compatible.

@ksobrenat32 can we investigate why dcrhodes is losing that one permission?

I think we should target adding 0 permissions as well

damccorm avatar Jul 25 '25 19:07 damccorm

The idea is to start with the original permissions, which is a 1:1 copy to the permissions on the gcp protect.

Then move to the migrated permissions, which are the ones based on the custom roles. This migration can be made gradually based on the permissions each user has.

The migration plan is explained at the end of the readme

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large.

I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

the file is large because it adds a lot of permissions, but it only removes one. We should target to remove zero, right? so this way the migration is backwards compatible.

@ksobrenat32 can we investigate why dcrhodes is losing that one permission?

I think we should target adding 0 permissions as well

ksobrenat32 avatar Jul 25 '25 19:07 ksobrenat32

The idea is to start with the original permissions, which is a 1:1 copy to the permissions on the gcp protect.

Then move to the migrated permissions, which are the ones based on the custom roles. This migration can be made gradually based on the permissions each user has.

The migration plan is explained at the end of the readme

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large.

I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

the file is large because it adds a lot of permissions, but it only removes one. We should target to remove zero, right? so this way the migration is backwards compatible.

@ksobrenat32 can we investigate why dcrhodes is losing that one permission?

I think we should target adding 0 permissions as well

Ok, looking at that, users.yml should match apache-beam-testing.original-roles.yaml, then right?

If there are 2 distinct parts to this migration could we split this into those pieces? I think migrating the initial set of roles to terraform management is reasonable, but I do not think we should bundle that with changing permissions (including at the review stage)

damccorm avatar Jul 25 '25 19:07 damccorm

The idea is to start with the original permissions, which is a 1:1 copy to the permissions on the gcp protect. Then move to the migrated permissions, which are the ones based on the custom roles. This migration can be made gradually based on the permissions each user has. The migration plan is explained at the end of the readme

I think this still results in a huge diff between what we have today and what we're migrating to - https://github.com/apache/beam/blob/b26ecbadb35c2876b50fa29ddd49b1470163ed9d/infra/apache-beam-testing.permission-differences.yaml is quite large.

I think we should be targeting exact 1:1 permission parity for a migration like this. If we want to update/prune permissions later, that seems fine, but I don't think we should do that as part of this.

the file is large because it adds a lot of permissions, but it only removes one. We should target to remove zero, right? so this way the migration is backwards compatible.

@ksobrenat32 can we investigate why dcrhodes is losing that one permission?

I think we should target adding 0 permissions as well

Ok, looking at that, users.yml should match apache-beam-testing.original-roles.yaml, then right?

If there are 2 distinct parts to this migration could we split this into those pieces? I think migrating the initial set of roles to terraform management is reasonable, but I do not think we should bundle that with changing permissions (including at the review stage)

I have done just that. Created a smaller PR that has only the 1:1 migration at #35701

ksobrenat32 avatar Jul 25 '25 22:07 ksobrenat32

Reminder, please take a look at this pr: @Abacn

github-actions[bot] avatar Aug 02 '25 12:08 github-actions[bot]

This PR now follows #35701. Now that user roles are generated through a yaml file, the objective is to migrate most users to custom roles that cover most of beam's GCP usage.

ksobrenat32 avatar Aug 02 '25 22:08 ksobrenat32

Assigning new set of reviewers because Pr has gone too long without review. If you would like to opt out of this review, comment assign to next reviewer:

R: @Abacn added as fallback since no labels match configuration

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

github-actions[bot] avatar Aug 06 '25 12:08 github-actions[bot]

@pabloem could you please take a look?

damccorm avatar Aug 07 '25 15:08 damccorm

ill take a look...

pabloem avatar Aug 11 '25 21:08 pabloem

Reminder, please take a look at this pr: @Abacn

github-actions[bot] avatar Aug 19 '25 12:08 github-actions[bot]

Assigning new set of reviewers because Pr has gone too long without review. If you would like to opt out of this review, comment assign to next reviewer:

R: @Abacn added as fallback since no labels match configuration

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

github-actions[bot] avatar Aug 21 '25 12:08 github-actions[bot]

okay - the contents of this PR do not perform the migration. They are the utilities necessary to perform it. These look good. My proposal for the migration is to do a small subset of people each time in a new PR. I can work with @ksobrenat32 to make these changes.

The utilities LGTM and I think we can proceed to merge. The actual changes will come afterwards.

pabloem avatar Aug 22 '25 02:08 pabloem

I will merge this PR next Tuesday. FYI @damccorm

pabloem avatar Aug 22 '25 02:08 pabloem

Sounds good, thank you

damccorm avatar Aug 22 '25 13:08 damccorm