feat(backend): Refactor authz to perform SubjectAccessReview. Fixes #3513 #4723
Conversation
There was a problem hiding this comment.
Thank you so much @elikatsis for the contribution! I have been looking forward for this for a while!
Some early feedback first. I haven't gone through everything.
|
@elikatsis I've got one general question, what would be the replacement you think for KFAM for namespace discovery? I'm thinking about listing all namespaces with a certain pipelines.kubeflow.org/xxx label and build a new selector using this info collected in backend. I wonder what do you think about it. /cc @yanniszark |
elikatsis
force-pushed
the
feature-subject-access-review
branch
from
36c0eab
to
b570153
Compare
|
/retest |
|
I was kind of busy, will review tomorrow |
There was a problem hiding this comment.
Thank you so much @elikatsis!
I just read through all the code, left some nit pickings. The high-level structure looks awesome to me. Let's follow up with some details and I think we'll be good to go.
Another general nit picking I've seen a few times is that for each resource we defined a canAccessXXX(id) method that takes the ID, so that we needs to first fetch this resource to know its namespace. In cases that we already fetch this resource and know its namespace, we wrote one-off boilerplate code to fetch the resource and check authorization.
I think we can simplify a little bit by defining two utility methods for each resource:
canAccessXxxById(id, verb)--- fetches the resource inside and figures out namespace/namecanAccessXxx(namespace, name, verb)--- we are already fetching the resource, so we can pass namespace and name directly
canAccessXxxById will be straightforward to implement using canAccessXxx and we can avoid quite some duplication there.
| clusterRoleSelectors: | ||
| - matchLabels: | ||
| rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-edit: "true" | ||
| rules: [] |
There was a problem hiding this comment.
Why do we separate out actual rules to aggregate-to-pipeline-view ClusterRole?
There was a problem hiding this comment.
@Bobgy,
Great question! The answer is this essentially: kubernetes/kubernetes#65171
TL;DR: We can't have both aggregation and rules in a [Cluster]Role. The rules will be ignored. This is why we need to define our rules in some [Cluster]Roles and then have one role to find them, one role to bring them, and in itself bind them 😄
There was a problem hiding this comment.
Thanks for the explanation! Good to know. : )
manifests/kustomize/base/pipeline/cluster-scoped/view-edit-roles.yaml
Outdated
Show resolved
Hide resolved
manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/pipeline.yaml
Outdated
Show resolved
Hide resolved
|
Other than that, can you resolve the conflicts? |
|
We are working on #4197 and I just realized our changes will also have conflicts with this PR. Just for my own planning, will this be merged for the release 1.3? What else will we need to integrate with SubjectAccessReview. I know the CentralDashboard also uses KFam. |
|
Yes, I think as long as @elikatsis gets through the comments, we can merge. It should be ready with kubeflow 1.3 This change is compatible with central dashboard, profile controller and kfam, because profile controller should already give service accounts rolebindings that can aggregate ones in this PR. |
|
It'll be ideal if we can get rid of kfam from central dashboard too, so that we can completely remove it from the manifests, but there are still some unanswered design questions. |
elikatsis
force-pushed
the
feature-subject-access-review
branch
2 times, most recently
from
29827e3
to
a19543e
Compare
|
@Bobgy
As far as having general |
In preparation of SubjectAccessReview, we implement some helpers to create a new Kubernetes Authorization clientset and return the SubjectAccessReview client. We also define some fake clients to be used by future tests.
elikatsis
force-pushed
the
feature-subject-access-review
branch
from
a19543e
to
480adcd
Compare
In preparation of SubjectAccessReview, introduce RBAC groups, resources, and verbs.
elikatsis
force-pushed
the
feature-subject-access-review
branch
2 times, most recently
from
a3a7abd
to
9323c40
Compare
Authorization should be based on performing some action on a resource living in a namespace. This commit refactors the authorization utilities to reflect this and perform SubjectAccessReview. This commit also deletes some tests based on old authn/authz mechanism. A following commit will fix/extend the tests for the new mechanism
elikatsis
force-pushed
the
feature-subject-access-review
branch
from
9323c40
to
53d4e9a
Compare
| } | ||
|
|
||
| glog.Infof("Authorized user %s in namespace %s", userIdentity, namespace) | ||
| glog.Infof("Authorized user '%s': %+v", userIdentity, resourceAttributes) |
There was a problem hiding this comment.
These authorization logs will be very common, every request comes with it.
Shall we change log level to trace or debug?
For most of the cases, users should depend on error message for debugging, rather than api server logs.
There was a problem hiding this comment.
I can only see Info, Warning, Error, and Fatal levels. Can you help me how can I do debug or sth different?
Here's what I found in the repo, not sure if it helps: https://github.com/golang/glog/blob/23def4e6c14b4da8ac2ed8007337bc5eb5007998/glog.go#L91-L115
There was a problem hiding this comment.
OK, sorry I thought there were more. Then let's go with info for now.
There was a problem hiding this comment.
I've only got two comments left. Everything else looks great to me!
Thank you so much @elikatsis!
/lgtm
With KFAM authorization, we passed only the namespace attribute for authorization. With SubjectAccessReview, we need a richer list of attributes. Thus, we adjust endpoints to pass request details (resource attributes) necessary for authorizing the request. We only change the already authorized endpoints, not introducing any new checks.
Since we no longer use KFAM, we may as well purge it
Signed-off-by: Ilias Katsakioris <[email protected]>
* API Server: Allow creating SubjectAccessReviews * Add view/edit roles in a multi-user kustomization
elikatsis
force-pushed
the
feature-subject-access-review
branch
from
53d4e9a
to
6302735
Compare
|
@Bobgy I added the comment and squashed the fixups. If you can help me selecting the logging level, we'll be golden! |
|
Do you need @yanniszark 's review? |
|
@Bobgy we have already reviewed this internally, so we should be good to go. Thank you very much for your comments! 😃 |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Bobgy, elikatsis The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Update apiserver role to allow creating SubjectAccessReviews * Add roles which get aggregated to kubeflow-view and kubeflow-edit Original PR: kubeflow/pipelines#4723 Signed-off-by: Ilias Katsakioris <[email protected]>
…ubeflow#3513 (kubeflow#4723) * [Backend] Return proper error codes for failures during auth * [Backend] Implement helpers to initialize a SubjectAccessReview client In preparation of SubjectAccessReview, we implement some helpers to create a new Kubernetes Authorization clientset and return the SubjectAccessReview client. We also define some fake clients to be used by future tests. * [Backend] Introduce RBAC-related constants In preparation of SubjectAccessReview, introduce RBAC groups, resources, and verbs. * [Backend] Extend managers with a SubjectAccessReviewClient * [Backend] Refactor the authorization mechanism for requests Authorization should be based on performing some action on a resource living in a namespace. This commit refactors the authorization utilities to reflect this and perform SubjectAccessReview. This commit also deletes some tests based on old authn/authz mechanism. A following commit will fix/extend the tests for the new mechanism * [Backend] Adjust endpoints to pass resource attributes for authz With KFAM authorization, we passed only the namespace attribute for authorization. With SubjectAccessReview, we need a richer list of attributes. Thus, we adjust endpoints to pass request details (resource attributes) necessary for authorizing the request. We only change the already authorized endpoints, not introducing any new checks. * [Backend] Adjust apiserver/server tests to SubjectAccessReview * [Backend] Purge KFAM Since we no longer use KFAM, we may as well purge it * [Backend] Update BUILD files Signed-off-by: Ilias Katsakioris <[email protected]> * [Manifests] Extend manifests for SubjectAccessReview * API Server: Allow creating SubjectAccessReviews * Add view/edit roles in a multi-user kustomization
Description of your changes:
With this PR we implement the refactoring described in #3513.
In the past, KFP used KFAM for its authorization checks, checking only if the user can
viewthe corresponding namespace.We now refactor the authorization mechanism to perform proper and fine-grained authorization via K8s RBAC and SubjectAccessReview.
Closes #3513
/assign @Bobgy
cc @yanniszark
Checklist:
Do you want this pull request (PR) cherry-picked into the current release branch?
Learn more about cherry-picking updates into the release branch.