Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AdhocRequest permissions are aliased to CheckConfig permissions #3458

Open
jspaleta opened this issue Dec 11, 2019 · 11 comments · May be fixed by #4290
Open

AdhocRequest permissions are aliased to CheckConfig permissions #3458

jspaleta opened this issue Dec 11, 2019 · 11 comments · May be fixed by #4290
Assignees
@jspaleta
Labels
bug component:api Sensu API improvements

Comments

@jspaleta
Copy link

Goal create Role with a rules that give narrow access to execute a specifc unpublished check.

Currently with existing RBAC I have to grant 'create' verb permissions to the full check resource.

What's needed is to extend the resource-name logic to work with the 'create' verb so that the POST to a specific check execute endpoint can be covered via role rule
@echlebek
Copy link
Contributor

It sounds straightforward.

@calebhailey calebhailey added the component:api Sensu API improvements label Jun 8, 2020
@stale
Copy link

stale bot commented Dec 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Dec 5, 2020
@stale stale bot closed this as completed Dec 12, 2020
@jspaleta jspaleta reopened this Feb 17, 2021
@stale stale bot removed the wontfix label Feb 17, 2021
@sensu-discourse
Copy link

This issue has been mentioned on Sensu Community. There might be relevant details there:

https://discourse.sensu.io/t/could-not-impliment-check-execute-only-privileges/2450/2

@cimere
Copy link

cimere commented Apr 6, 2021

It would be useful to have an execute verb for the checks. I have users that need to re-run the checks but I don't want them to be able to change/delete the checks by accident.

@mjiderhamn
Copy link
Contributor

I'm guessing that ExecuteCheck() needs to get its own checkExecuteAttributes() method instead of calling checkCreateAttributes() that uses Verb: "create".

@mjiderhamn
Copy link
Contributor

mjiderhamn commented May 18, 2021
edited
Loading

For us this issue is related to sensu/sensu-docs#2968 , because without OIDC we cannot have 2FA login and therefore cannot trust users to create or update checks, since they may contain malicious commands (partially related to #3243 ). This means for security reasons we are forced to "involuntarily" block users from ad-hoc check execution :-(

mjiderhamn pushed a commit to mjiderhamn/sensu-go that referenced this issue May 18, 2021
Introduce execute verb for check sensu#3458
598220e
@mjiderhamn mjiderhamn linked a pull request May 18, 2021 that will close this issue
Draft
mjiderhamn pushed a commit to mjiderhamn/sensu-go that referenced this issue May 19, 2021
Introduce execute verb for check sensu#3458
54eb0fe
mjiderhamn added a commit to mjiderhamn/sensu-go that referenced this issue May 19, 2021
@mjiderhamn
Introduce execute verb for check sensu#3458
0472057 
Signed-off-by: Mattias Jiderhamn <[email protected]>
@calebhailey calebhailey added this to the 6.6.0 milestone Nov 1, 2021
@calebhailey calebhailey modified the milestones: 6.6.0, 6.next Nov 15, 2021
@calebhailey calebhailey modified the milestones: 6.next, 6.7.0 Dec 23, 2021
@calebhailey calebhailey removed this from the 6.7.0 milestone Apr 4, 2022
@echlebek
Copy link
Contributor

So, I feel really silly for not thinking about this sooner, but I actually think the system already supports doing this... because to adhoc execute a check, you need permission to create an AdhocRequest. This means that we don't need any special new RBAC verb or anything, users just need create permissions on AdhocRequest.

@jspaleta is going to confirm, and if I'm right, this will become a docs issue.

@jspaleta jspaleta self-assigned this Apr 28, 2022
@jspaleta
Copy link
Author

@echlebek,
Looks like its not working as expected. I don't think AdhocRequest is wired up to RBAC
Also its not listed in sensuctl describe-type all nor does sensuctl describe-type AdhocRequest work

Here's the test I did, using fresh sensu-go-workshop environment, using sensuctl as workshop's 'sensu' user using SENSU_API_KEY envvar from .envrc file.

  1. Create cluster role for check-execute
type: ClusterRole
api_version: core/v2
metadata:
  created_by: sensu
  labels:
    sensu.io/managed_by: sensuctl
  name: check-execute
spec:
  rules:
  - resources:
    - adhoc_request
    verbs:
    - get
    - list
    - create
    - update
  1. Create cluster-role-binding to bind to similarly named group
type: ClusterRoleBinding
api_version: core/v2
metadata:
  created_by: sensu
  name: check-execute
spec:
  role_ref:
    name: check-execute
    type: ClusterRole
  subjects:
  - name: check-excute
    type: Group
  1. Create cluster-role-binding for the view cluster-role to the viewers group
type: ClusterRoleBinding
api_version: core/v2
metadata:
  created_by: sensu
  name: viewers
spec:
  role_ref:
    name: view
    type: ClusterRole
  subjects:
  - name: viewers
    type: Group
  1. Create user check-execute who in the groups viewers and check-execute
$ sensuctl user  list
    Username               Groups            Enabled  
──────────────── ────────────────────────── ──────────
  agent           system:agents              true     
  check-execute   viewers,check-execute      true     
  sensu           cluster-admins             true
  1. Create a simple echo string check with workshop subscription
type: CheckConfig
api_version: core/v2
metadata:
  created_by: sensu
  name: test
  namespace: default
spec:
  check_hooks: null
  command: echo "test execution check"
  env_vars: null
  handlers: []
  high_flap_threshold: 0
  interval: 60
  low_flap_threshold: 0
  output_metric_format: ""
  output_metric_handlers: null
  pipelines: []
  proxy_entity_name: ""
  publish: false
  round_robin: false
  runtime_assets: null
  secrets: null
  stdin: false
  subdue: null
  subscriptions:
  - workshop
  timeout: 0
  ttl: 0
  1. execute check with sensuctl (as 'sensu' cluster admin)
  2. confirm event(s) are created for the test check
  3. delete all test check events.
  4. Login to workshop web-ui as check-execute user, attempt to execute a check.
  5. Watch web-ui tell you it executed the check, but no event is generated.
  6. Cry.
  7. log out of web-ui
  8. using sensuctl as cluster admin user remove viewers group from user 'check-execute' and confirm with login to web-ui user no longer has read access to anything.. its just a big sad lizy with a 404 message.

@jspaleta
Copy link
Author

Also note... using the test procedure above.
If I remove the check-execute group for the user leaving it only in the viewers group and re-test the web-ui will let me attempt a test execute and will tell me it went through (green box in ui telling me to go to events) instead of a red auth error.

So either this is a bug in the api endpoint not returning an errror when it should, or its a bug in the web-ui.

Need to retest the api endpoint directly with curl with an api key. I'll get to that Monday if noone else beats me to it.

@echlebek echlebek changed the title Fine grained create verb RBAC for check execute (POST) for individual checks AdhocRequest permissions are aliased to CheckConfig permissions Apr 29, 2022
@echlebek
Copy link
Contributor

This issue has become a bug, that we don't support the correct RBAC setup for AdhocRequest. We simply need to do so.

@jspaleta
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jspaleta jspaleta

Labels
bug component:api Sensu API improvements
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Introduce execute verb for check #3458 mjiderhamn/sensu-go
6 participants
@jspaleta @calebhailey @mjiderhamn @cimere @echlebek @sensu-discourse