implement role-based RBAC for Talos API #3421
AlekSi added a commit to AlekSi/talos that referenced this issue, May 25, 2021: Minimal change for backporting into 0.10. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, May 25, 2021: Minimal change for backporting into 0.10. Refs #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
Can you add the role
sounds good, probably we should make it more specific for now, like
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 2, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 3, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit to AlekSi/talos that referenced this issue, Jun 4, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 4, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 7, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit to AlekSi/talos that referenced this issue, Jun 7, 2021: It is not enforced yet. Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, Jun 7, 2021: It is not enforced yet. Refs #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 7, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 8, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 16, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 17, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, Jun 17, 2021: Refs #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 18, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, Jun 18, 2021: Refs #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 21, 2021: Refs siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, Jun 21, 2021: Refs #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 24, 2021:
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.
Closes siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue, Jun 25, 2021:
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.
Closes siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue, Jun 25, 2021:
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.
Closes #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
smira pushed a commit to smira/talos that referenced this issue, Jun 28, 2021:
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.
Closes siderolabs#3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com> (cherry picked from commit ad047a7)
smira pushed a commit that referenced this issue, Jun 28, 2021:
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.
Closes #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com> (cherry picked from commit ad047a7)
This is an initial implementation which will be extended in future versions of Talos.

tl;dr:

Flow

* talosconfig: roles are stored in the client certificate's Organization field.
* apid receives the request, validates the TLS cert and extracts the Organization field as a list of roles.
* apid uses its own special client certificate generated with the role os:impersonate and encodes the original roles in the gRPC metadata.
* machined: roles are passed via gRPC metadata.
* machined: with the role encoded in the gRPC metadata, each API verifies whether the role is sufficient to execute the call; otherwise AccessDenied is returned.

Implementation

talosctl gen config

Config generation code should be updated to always output talosconfig with the os:admin role by default.

talosctl talosconfig command

This new command generates talosconfig on the server with the given params and returns a file in talosconfig format:

$ talosctl talosconfig --roles=os:admin [--lifetime=1h] [path]
apid

apid should extract roles from the Organization field and store them in gRPC metadata. apid should never accept roles passed in from the user in gRPC metadata, as they can't be trusted. If the role os:impersonate is in the certificate, the actual roles are extracted from the gRPC metadata. apid should generate its own client certificate with the os:impersonate role, used to proxy requests to other nodes. apid should pass roles down to machined.

machined

We need a generic helper to verify roles in the machined gRPC server, for example ensureRoles(ctx, requiredRoles...) error, which returns a gRPC error if the required role is missing. Most read-only APIs should be safe for os:reader, with the exception of resources (the secrets namespace and the machineconfiguration resource) and the read API, which might read files containing secrets. All APIs which involve changes (reboot, reset, upgrade, ...) should require os:admin.
Transitioning to RBAC

Actual RBAC checks should be disabled in machined unless the feature gate apiRBAC is enabled. Feature gates should be implemented with the following format for the machine configuration:

For new config generation, this feature gate should be enabled by default.

When upgrading from 0.9, the feature gate is not enabled, so talosconfig without a role works, but it can be enabled once a new talosconfig is generated via talosctl talosconfig.

Misc TODO items