
implement role-based RBAC for Talos API #3421

Closed
6 tasks done
smira opened this issue Apr 1, 2021 · 3 comments · Fixed by #3827
Comments

@smira
Member

smira commented Apr 1, 2021

This is the initial implementation, which will be extended in future versions of Talos.

tl;dr:

There are two roles: os:admin and os:reader. Role os:admin gives full access to the APIs. Role os:reader limits access to read-only APIs and doesn't allow calls which might expose secrets (resources in secrets namespace, machineconfiguration resource, read API, etc.). Roles are encoded in the Talos client certificate in the Organization field and used to verify access.

Flow

  1. User generates a client certificate with some role in the Organization field.
  2. User accesses the Talos API with that certificate as the client certificate.
  3. apid receives the request, validates the TLS cert and extracts the Organization field as a list of roles.
  4. If the request involves proxying to other nodes, apid uses its own special client certificate generated with role os:impersonate and encodes the original roles in the gRPC metadata.
  5. If the request is passed down to machined, roles are passed via gRPC metadata.
  6. Request hits machined with the role encoded in the gRPC metadata. Each API verifies whether the role is sufficient to execute the call, otherwise AccessDenied is returned.

Implementation

talosctl gen config

Config generation code should be updated to always output talosconfig with the os:admin role by default.

talosctl talosconfig command

This new command generates talosconfig on the server with the given params and returns a file in talosconfig format:

$ talosctl talosconfig --roles=os:admin [--lifetime=1h] [path]

apid

apid should extract roles from the Organization field and store them in gRPC metadata. apid should never accept roles passed in from the user in gRPC metadata as they can't be trusted. If role os:impersonate is in the certificate, actual roles are extracted from the gRPC metadata.

apid should generate its own client certificate used to proxy requests to other nodes with os:impersonate role.

apid should pass roles down to machined.
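An added example (not code from the Talos project or from this issue) of the apid rules in flow steps 1, 3 and 4 and in the apid section above, written in Go as a stand-alone sketch: a client certificate is minted with roles in the Organization field, and the peer's roles are derived from the verified certificate only, with caller-supplied metadata ignored unless the certificate itself carries os:impersonate. The metadata key name `talos-role`, the helper names, the use of a self-signed certificate instead of one issued by the Talos CA, and the extra rejection of a forwarded os:impersonate role are assumptions of this example, not details from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Role names as described in the issue.
const (
	RoleAdmin       = "os:admin"
	RoleReader      = "os:reader"
	RoleImpersonate = "os:impersonate"
)

// metadataRolesKey is the gRPC metadata key apid uses to forward roles.
// The key name is an assumption of this example, not taken from Talos.
const metadataRolesKey = "talos-role"

// Metadata stands in for gRPC incoming/outgoing metadata (key -> values).
type Metadata map[string][]string

// newClientCert builds a self-signed client certificate whose Organization
// field carries the given roles (flow step 1). Assumption: a real deployment
// would have the Talos CA issue this certificate instead.
func newClientCert(roles ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "talos-client", Organization: roles},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// rolesFromPeer applies the apid rule from the issue: roles come from the
// verified certificate's Organization field, and metadata supplied by the
// caller is never trusted. The one exception is a certificate carrying
// os:impersonate (apid's own proxying certificate, flow step 4): then the
// original caller's roles are read from the metadata the upstream apid attached.
func rolesFromPeer(cert *x509.Certificate, md Metadata) ([]string, error) {
	if cert == nil {
		return nil, errors.New("no verified client certificate")
	}
	certRoles := dedupe(cert.Subject.Organization)
	if !contains(certRoles, RoleImpersonate) {
		return certRoles, nil // caller metadata is dropped on this path
	}
	forwarded := dedupe(md[metadataRolesKey])
	if len(forwarded) == 0 {
		return nil, errors.New("impersonating certificate without forwarded roles")
	}
	if contains(forwarded, RoleImpersonate) {
		// Extra check (assumption, not in the issue): forwarded roles must not
		// grant impersonation transitively across proxy hops.
		return nil, errors.New("forwarded roles may not include " + RoleImpersonate)
	}
	return forwarded, nil
}

// outgoingMetadata is what apid attaches when proxying to another node:
// the original roles, de-duplicated, never the impersonation role itself.
func outgoingMetadata(roles []string) Metadata {
	return Metadata{metadataRolesKey: dedupe(roles)}
}

// dedupe trims and removes repeated role names while keeping order.
func dedupe(in []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, r := range in {
		r = strings.TrimSpace(r)
		if r == "" || seen[r] {
			continue
		}
		seen[r] = true
		out = append(out, r)
	}
	return out
}

func contains(list []string, want string) bool {
	for _, r := range list {
		if r == want {
			return true
		}
	}
	return false
}

func main() {
	user, _ := newClientCert(RoleReader)
	// Metadata injected by a plain client is ignored: only os:reader is granted.
	fmt.Println(rolesFromPeer(user, Metadata{metadataRolesKey: {RoleAdmin}}))
	proxy, _ := newClientCert(RoleImpersonate)
	// Proxied request: roles travel in the metadata attached by the first apid.
	fmt.Println(rolesFromPeer(proxy, outgoingMetadata([]string{RoleReader, RoleReader})))
}
```

The two calls in `main` show the two paths: a user certificate with os:reader keeps os:reader no matter what metadata the client sends, while apid's os:impersonate certificate yields whatever roles the upstream apid forwarded, with duplicates removed.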

machined

We need a generic helper to verify roles in the machined gRPC server. For example, ensureRoles(ctx, requiredRoles..) error which returns a gRPC error if the required role is missing.

Most read-only APIs should be safe for os:reader with the exception of resources (secrets namespace + machineconfiguration resource), and the read API which might read files which contain secrets.

All APIs which involve changes (reboot, reset, upgrade, ...) should require os:admin.
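An added example (not Talos code) of the machined side described in this section and under "Transitioning to RBAC": an ensureRoles helper that passes when the caller holds at least one required role, an explicit per-method allow-list (mutating calls admin-only, plain reads open to os:reader, unknown methods denied), the sensitivity rule for the resource API, and the apiRBAC feature gate that switches enforcement off. Roles are carried in a plain context value standing in for gRPC metadata, and ErrPermissionDenied stands in for the gRPC AccessDenied status; the method names and all helper names are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

const (
	RoleAdmin  = "os:admin"
	RoleReader = "os:reader"
)

// ErrPermissionDenied stands in for the AccessDenied gRPC status the issue
// describes; a real server would wrap it in a gRPC status error.
var ErrPermissionDenied = errors.New("permission denied")

type ctxKey int

const rolesKey ctxKey = 0

// withRoles attaches the roles apid forwarded. Talos carries them in gRPC
// metadata; a context value is used here so the example runs stand-alone.
func withRoles(ctx context.Context, roles ...string) context.Context {
	return context.WithValue(ctx, rolesKey, roles)
}

func rolesFrom(ctx context.Context) []string {
	roles, _ := ctx.Value(rolesKey).([]string)
	return roles
}

// Enforcer holds the state of the machine.featureGates.apiRBAC.enable gate.
type Enforcer struct{ Enabled bool }

// ensureRoles is the generic helper the issue asks for: it succeeds when the
// caller holds at least one of the required roles. With the feature gate off
// (a cluster upgraded from 0.9 with a role-less talosconfig) the check is
// skipped, matching the transition plan.
func (e Enforcer) ensureRoles(ctx context.Context, required ...string) error {
	if !e.Enabled {
		return nil
	}
	have := rolesFrom(ctx)
	for _, r := range required {
		for _, h := range have {
			if r == h {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: need one of [%s], have [%s]",
		ErrPermissionDenied, strings.Join(required, " "), strings.Join(have, " "))
}

// methodRoles lists the roles accepted per API method. Every method is set
// explicitly (no prefix matching); method names here are illustrative.
var methodRoles = map[string][]string{
	"/machine.MachineService/Reboot":  {RoleAdmin},
	"/machine.MachineService/Reset":   {RoleAdmin},
	"/machine.MachineService/Upgrade": {RoleAdmin},
	"/machine.MachineService/Version": {RoleAdmin, RoleReader},
	"/machine.MachineService/Read":    {RoleAdmin}, // may read files containing secrets
}

// authorizeMethod denies any method missing from the allow-list outright,
// then delegates to ensureRoles.
func (e Enforcer) authorizeMethod(ctx context.Context, method string) error {
	required, ok := methodRoles[method]
	if !ok {
		return fmt.Errorf("%w: method %s not in allow-list", ErrPermissionDenied, method)
	}
	return e.ensureRoles(ctx, required...)
}

// authorizeResourceGet applies the sensitivity rule for the resource API:
// anything in the secrets namespace, or the machineconfiguration resource,
// is admin-only; other resources are readable by os:reader as well.
func (e Enforcer) authorizeResourceGet(ctx context.Context, namespace, resourceType string) error {
	sensitive := namespace == "secrets" || strings.EqualFold(resourceType, "machineconfiguration")
	if sensitive {
		return e.ensureRoles(ctx, RoleAdmin)
	}
	return e.ensureRoles(ctx, RoleAdmin, RoleReader)
}

func main() {
	on := Enforcer{Enabled: true}
	reader := withRoles(context.Background(), RoleReader)
	fmt.Println(on.authorizeMethod(reader, "/machine.MachineService/Version")) // <nil>
	fmt.Println(on.authorizeMethod(reader, "/machine.MachineService/Reboot"))  // permission denied
	fmt.Println(on.authorizeResourceGet(reader, "secrets", "Secrets"))        // permission denied
}
```

Note that a request arriving with no roles at all is denied whenever the gate is on, since the caller holds none of the required roles; only disabling the feature gate lets such role-less talosconfig files through, which is exactly the upgrade-from-0.9 window the issue describes.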

Transitioning to RBAC

Actual RBAC checks should be disabled in machined unless feature gate apiRBAC is enabled.

Feature gates should be implemented with the following format for the machine configuration:

machine:
   featureGates:
      apiRBAC:
         enable: true
         # additional configuration might go here

For new config generation, this feature gate should be enabled by default.

When upgrading from 0.9, the feature gate is not enabled, so a talosconfig without a role works, but it can be enabled once a new talosconfig is generated via talosctl talosconfig.

Misc TODO items

  • multiple roles per certificate
  • check problem with UNIX socket
  • enable RBAC by default for new configs
  • make RBAC in-method checks work when RBAC enforcement is disabled
  • move "sensitivity" to COSI resource definitions (as enum)
  • check and update authorisation rules
@smira smira added this to the 0.10 milestone Apr 1, 2021
@smira smira modified the milestones: 0.10, 0.11 Apr 12, 2021
@smira
Member Author

smira commented May 18, 2021

os:admin - generate new certificate = os:system ?

AlekSi added a commit to AlekSi/talos that referenced this issue May 25, 2021
Minimal change for backporting into 0.10.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue May 25, 2021
Minimal change for backporting into 0.10.

Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
@sergelogvinov
Sponsor Contributor

Can you add the role os:backup which can make only etcd backups?

@smira
Member Author

smira commented May 27, 2021

Can you add the role os:backup which can make only etcd backups?

sounds good, probably we should make it more specific for now, like os:etcdbackup

AlekSi added a commit to AlekSi/talos that referenced this issue Jun 2, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 3, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit to AlekSi/talos that referenced this issue Jun 4, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 4, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 7, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit to AlekSi/talos that referenced this issue Jun 7, 2021
It is not enforced yet.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue Jun 7, 2021
It is not enforced yet.

Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 7, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 8, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 16, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 17, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue Jun 17, 2021
Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 18, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue Jun 18, 2021
Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 21, 2021
Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue Jun 21, 2021
Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 24, 2021
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.

Closes siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi added a commit to AlekSi/talos that referenced this issue Jun 25, 2021
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.

Closes siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
talos-bot pushed a commit that referenced this issue Jun 25, 2021
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.

Closes #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
smira pushed a commit to smira/talos that referenced this issue Jun 28, 2021
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.

Closes siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
(cherry picked from commit ad047a7)
smira pushed a commit that referenced this issue Jun 28, 2021
* `talosctl config new` now sets endpoints in the generated config.
* Avoid duplication of roles in metadata.
* Remove method name prefix handling. All methods should be set explicitly.
* Add tests.

Closes #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
(cherry picked from commit ad047a7)
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 25, 2024