sensu-go icon indicating copy to clipboard operation
sensu-go copied to clipboard

Published 20 hours ago verified publisher icon sensu

AdhocRequest permissions are aliased to CheckConfig permissions

Open jspaleta opened this issue 5 years ago • 11 comments

Goal create Role with a rules that give narrow access to execute a specifc unpublished check.

Currently with existing RBAC I have to grant 'create' verb permissions to the full check resource.

What's needed is to extend the resource-name logic to work with the 'create' verb so that the POST to a specific check execute endpoint can be covered via role rule

jspaleta avatar Dec 11 '19 12:12 jspaleta

It sounds straightforward.

echlebek avatar Dec 17 '19 20:12 echlebek

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 05 '20 18:12 stale[bot]

This issue has been mentioned on Sensu Community. There might be relevant details there:

https://discourse.sensu.io/t/could-not-impliment-check-execute-only-privileges/2450/2

sensu-discourse avatar Feb 17 '21 13:02 sensu-discourse

It would be useful to have an execute verb for the checks. I have users that need to re-run the checks but I don't want them to be able to change/delete the checks by accident.

cimere avatar Apr 06 '21 16:04 cimere

I'm guessing that ExecuteCheck() needs to get its own checkExecuteAttributes() method instead of calling checkCreateAttributes() that uses Verb: "create".

mjiderhamn avatar May 18 '21 09:05 mjiderhamn

For us this issue is related to https://github.com/sensu/sensu-docs/issues/2968 , because without OIDC we cannot have 2FA login and therefore cannot trust users to create or update checks, since they may contain malicious commands (partially related to https://github.com/sensu/sensu-go/issues/3243 ). This means for security reasons we are forced to "involuntarily" block users from ad-hoc check execution :-(

mjiderhamn avatar May 18 '21 13:05 mjiderhamn

So, I feel really silly for not thinking about this sooner, but I actually think the system already supports doing this... because to adhoc execute a check, you need permission to create an AdhocRequest. This means that we don't need any special new RBAC verb or anything, users just need create permissions on AdhocRequest.

@jspaleta is going to confirm, and if I'm right, this will become a docs issue.

echlebek avatar Apr 28 '22 18:04 echlebek

@echlebek, Looks like its not working as expected. I don't think AdhocRequest is wired up to RBAC Also its not listed in sensuctl describe-type all nor does sensuctl describe-type AdhocRequest work

Here's the test I did, using fresh sensu-go-workshop environment, using sensuctl as workshop's 'sensu' user using SENSU_API_KEY envvar from .envrc file.

  1. Create cluster role for check-execute 
type: ClusterRole
api_version: core/v2
metadata:
  created_by: sensu
  labels:
    sensu.io/managed_by: sensuctl
  name: check-execute
spec:
  rules:
  - resources:
    - adhoc_request
    verbs:
    - get
    - list
    - create
    - update
  1. Create cluster-role-binding to bind to similarly named group
type: ClusterRoleBinding
api_version: core/v2
metadata:
  created_by: sensu
  name: check-execute
spec:
  role_ref:
    name: check-execute
    type: ClusterRole
  subjects:
  - name: check-excute
    type: Group
  1. Create cluster-role-binding for the view cluster-role to the viewers group
type: ClusterRoleBinding
api_version: core/v2
metadata:
  created_by: sensu
  name: viewers
spec:
  role_ref:
    name: view
    type: ClusterRole
  subjects:
  - name: viewers
    type: Group
  1. Create user check-execute who in the groups viewers and check-execute 
$ sensuctl user  list
    Username               Groups            Enabled  
──────────────── ────────────────────────── ──────────
  agent           system:agents              true     
  check-execute   viewers,check-execute      true     
  sensu           cluster-admins             true
  1. Create a simple echo string check with workshop subscription
type: CheckConfig
api_version: core/v2
metadata:
  created_by: sensu
  name: test
  namespace: default
spec:
  check_hooks: null
  command: echo "test execution check"
  env_vars: null
  handlers: []
  high_flap_threshold: 0
  interval: 60
  low_flap_threshold: 0
  output_metric_format: ""
  output_metric_handlers: null
  pipelines: []
  proxy_entity_name: ""
  publish: false
  round_robin: false
  runtime_assets: null
  secrets: null
  stdin: false
  subdue: null
  subscriptions:
  - workshop
  timeout: 0
  ttl: 0
  1. execute check with sensuctl (as 'sensu' cluster admin)
  2. confirm event(s) are created for the test check
  3. delete all test check events.
  4. Login to workshop web-ui as check-execute user, attempt to execute a check.
  5. Watch web-ui tell you it executed the check, but no event is generated.
  6. Cry.
  7. log out of web-ui
  8. using sensuctl as cluster admin user remove viewers group from user 'check-execute' and confirm with login to web-ui user no longer has read access to anything.. its just a big sad lizy with a 404 message.

jspaleta avatar Apr 29 '22 01:04 jspaleta

Also note... using the test procedure above.
If I remove the check-execute group for the user leaving it only in the viewers group and re-test the web-ui will let me attempt a test execute and will tell me it went through (green box in ui telling me to go to events) instead of a red auth error.

So either this is a bug in the api endpoint not returning an errror when it should, or its a bug in the web-ui.

Need to retest the api endpoint directly with curl with an api key. I'll get to that Monday if noone else beats me to it.

jspaleta avatar Apr 29 '22 17:04 jspaleta

This issue has become a bug, that we don't support the correct RBAC setup for AdhocRequest. We simply need to do so.

echlebek avatar Apr 29 '22 19:04 echlebek

jspaleta avatar Apr 29 '22 20:04 jspaleta