SSHOTCP-7294 Migrate the Slingshot 2.2.0 HPCM/Baremetal FM RBAC polic…

…y into CSM
Cray-HPE · Aug 6, 2024 · 8ef2ec0 · 8ef2ec0
1 parent c634837
commit 8ef2ec0
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
@@ -129,6 +129,14 @@ data:
         regex.match(perm.path, original_path)
     }
 
+    # Slingshot Administrator Allow, only to Fabric Manager endpoints
+    allow {
+        parsed_kc_token.payload.resource_access["system-slingshot-client"].roles[_] == "slingshot-admin"
+        some perm in allowed_slingshot_admin_methods
+        perm.method = http_request.method
+        regex.match(perm.path, original_path)
+    }
+
     # Check if there is an authorization header and split the type from token
     found_auth = {"type": a_type, "token": a_token} {
         [a_type, a_token] := split(http_request.headers.authorization, " ")
@@ -181,5 +189,14 @@ data:
         {"method": "GET",  "path": `^/apis/bos/v2/version$`} # GETs allow views on specific BOS version information
     ]
 
+    allowed_slingshot_admin_methods := [
+        # Fabric Manager
+        {"method": "DELETE", "path": `^/apis/fabric-manager/.*$`},
+        {"method": "GET",    "path": `^/apis/fabric-manager/.*$`},
+        {"method": "PATCH",  "path": `^/apis/fabric-manager/.*$`},
+        {"method": "POST",   "path": `^/apis/fabric-manager/.*$`},
+        {"method": "PUT",    "path": `^/apis/fabric-manager/.*$`}
+    ]
+
 {{- end }}
 {{- end }}
diff --git a/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl b/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl
@@ -1,3 +1,5 @@
+# -*- mode: rego -*-
+
 # Copyright 2021-2023 Hewlett Packard Enterprise Development LP
 
 package istio.authz

diff --git a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
@@ -1,3 +1,5 @@
+# -*- mode: rego -*-
+
 # Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 package istio.authz
@@ -383,3 +385,26 @@ test_spire_invalid_sub {
   allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"x-forwarded-access-token": spire_sub}}}}}
   allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscriptions_path, "headers": {"x-forwarded-access-token": spire_sub}}}}}
 }
+
+
+# Slingshot Admin role
+test_slingshot_admin {
+
+  # Verify slingshot-admin role has access to only FM endpoints
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/host-settings", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+
+  # Verify slingshot-admin role has no access to non-FM endpoints
+  allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+  }
+
+# Slingshot Guest role
+test_slingshot_guest {
+  # Verify non slingshot-admin role has no access to non-FM endpoints
+  allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/host-settings", "headers": {"authorization": "Bearer {{ .slingshotGuestToken }}"}}}}}
+  }