Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[API] Add a RBAC solution #1115

Merged
merged 9 commits into from
Nov 22, 2024
Merged

[API] Add a RBAC solution #1115

merged 9 commits into from
Nov 22, 2024

Conversation

jbygdell
Copy link
Collaborator

@jbygdell jbygdell commented Nov 4, 2024
edited
Loading

Description
A RBAC solution for the admin API.

RBAC is configured through a JSON structure as shown below:

Each endpoint needs an entry or access will be disallowed, a role entry of "*" in the policy section will allow access to any user with a valid token. The action can be a single entry GET/POST/PUT or several separate by | as per example.

Specific roles are mapped to the roles section, where the role is either a role name or a username. the rolebinding allows a role to function as a group where multiple roles/users can be bound to the same role. This simplifies the policy section as only the top level role needs to be specified for an endpoint

{
   "policy": [
      {
         "role": "admin",
         "path": "/c4gh-keys/*",
         "action": "(GET)|(POST)|(PUT)"
      },
      {
         "role": "submission",
         "path": "/file/*",
         "action": "POST"
      },
      {
         "role": "*",
         "path": "/files",
         "action": "GET"
      }
   ],
   "roles": [
      {
         "role": "admin",
         "rolebinding": "submission"
      },
      {
         "role": "[email protected]",
         "rolebinding": "admin"
      },
      {
         "role": "[email protected]",
         "rolebinding": "submission"
      }
   ]
}

@jbygdell jbygdell requested a review from a team November 4, 2024 14:04
@jbygdell jbygdell changed the title Simple RBAC solution for the admin API [API] Add a simple RBAC solution Nov 5, 2024
viklund
viklund previously requested changes Nov 5, 2024
View reviewed changes
Copy link
Member

@viklund viklund left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Role names should not be hardcoded.

It should be possible to define new roles without changing the go source code, and what endpoints they have access to.

@jbygdell
Copy link
Collaborator Author

jbygdell commented Nov 5, 2024

Role names should not be hardcoded.

It should be possible to define new roles without changing the go source code, and what endpoints they have access to.

That would make this extremely complex to almost no gain.
You better come up with some reasonable scenarios where this will be beneficial before we spend the time to implement it.

@viklund
Copy link
Member

viklund commented Nov 6, 2024

Role names should not be hardcoded.
It should be possible to define new roles without changing the go source code, and what endpoints they have access to.

That would make this extremely complex to almost no gain. You better come up with some reasonable scenarios where this will be beneficial before we spend the time to implement it.

The code in this file should not become more complicated (probably less). It's basically one annotation per endpoint. RBAC is a solved problem.

@jbygdell jbygdell marked this pull request as draft November 12, 2024 08:04
@jbygdell jbygdell force-pushed the feature/sda-admin-rbac branch 4 times, most recently from e7d3fd2 to 30bf145 Compare November 20, 2024 09:11
@jbygdell jbygdell marked this pull request as ready for review November 20, 2024 09:46
@jbygdell jbygdell requested a review from a team November 20, 2024 09:46
@jbygdell jbygdell changed the title [API] Add a simple RBAC solution [API] Add a RBAC solution Nov 20, 2024
MalinAhlberg
MalinAhlberg reviewed Nov 21, 2024
View reviewed changes
Copy link
Contributor

@MalinAhlberg MalinAhlberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I added some minor suggestions for the documentaiton. Will do some testing before I approve.

sda/cmd/api/api.md Outdated Show resolved Hide resolved
sda/cmd/api/api.md Outdated Show resolved Hide resolved
sda/cmd/api/api.md Outdated Show resolved Hide resolved
sda/cmd/api/api.md Outdated Show resolved Hide resolved
MalinAhlberg
MalinAhlberg previously approved these changes Nov 21, 2024
View reviewed changes
Copy link
Contributor

@MalinAhlberg MalinAhlberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work!

sda/cmd/api/api.md Outdated Show resolved Hide resolved
nanjiangshu
nanjiangshu reviewed Nov 21, 2024
View reviewed changes
sda/cmd/api/api.md Outdated Show resolved Hide resolved
nanjiangshu
nanjiangshu approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@nanjiangshu nanjiangshu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@jbygdell jbygdell added this pull request to the merge queue Nov 22, 2024
Merged via the queue into main with commit bcfd30d Nov 22, 2024
27 checks passed
@jbygdell jbygdell deleted the feature/sda-admin-rbac branch November 22, 2024 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nanjiangshu nanjiangshu nanjiangshu approved these changes

@MalinAhlberg MalinAhlberg MalinAhlberg approved these changes

@viklund viklund Awaiting requested review from viklund

Assignees

@MalinAhlberg MalinAhlberg

@jbygdell jbygdell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jbygdell @viklund @MalinAhlberg @nanjiangshu