Cover built-in actors and identity-derived access in IAM role policy test#10550
Conversation
Adds IpPool, VpcRouter, RouterRoute, ConsoleSession, and UserBuiltin to the policy_test resource universe and removes them from the coverage exemption list. All five are role-gated (FleetChild / InProjectFull) so they fit the existing matrix; no new test machinery needed.
Add the constant built-in actors (db-init, internal-api, external-authn) and a roleless self-owner actor to the policy_test matrix, so it exercises the fixed-Polar-rule and equals_silo_user self-access paths that role-grant actors never reach.
| @@ -399,12 +491,16 @@ resource: SiloUser "silo1-user" | |||
| silo1-collaborator ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | |||
| silo1-limited-collaborator ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | |||
| silo1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | |||
| silo1-user-self ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ | |||
There was a problem hiding this comment.
User has all perms on self. Come to think of it, it's kind of weird that they can delete?
| silo1-proj1-admin ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-collaborator ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-limited-collaborator ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-viewer ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| unauthenticated ! ! ! ! ! ! ! ! | ||
| scim ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| db-init ✔ ✘ ✘ ✘ ✔ ✔ ✘ ✔ |
There was a problem hiding this comment.
db-init can init the DB!
| silo1-proj1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-limited-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| unauthenticated ! ! ! ! ! ! ! ! | ||
| scim ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| db-init ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| internal-api ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ | ||
| external-authn ✘ ✔ ✘ ✔ ✔ ✔ ✘ ✔ |
There was a problem hiding this comment.
external-authn makes sense here because it's creating sessions. And internal-api has the fleet admin role.
| silo1-proj1-admin ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-collaborator ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-limited-collaborator ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-viewer ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘ | ||
| unauthenticated ! ! ! ! ! ! ! ! | ||
| scim ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| db-init ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ | ||
| internal-api ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ |
There was a problem hiding this comment.
In addition to getting fleet admin, internal-api also has silo admin on every silo. So this is probably the most interesting internal-api entry in the file.
omicron/nexus/auth/src/authz/omicron.polar
Lines 815 to 816 in a298dfb
| silo1-proj1-admin ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-collaborator ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-limited-collaborator ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ | ||
| unauthenticated ! ! ! ! ! ! ! ! | ||
| scim ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| db-init ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| internal-api ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| external-authn ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ |
There was a problem hiding this comment.
It turns out MulticastGroup is weird in that its perms have nothing to do with roles. We just grant all authenticated users read and list children, and nobody else gets anything else. Looking into how these get created.
Edit: they get implicitly created when instance join/leave a group, and that is gated by instance modify.
omicron/nexus/auth/src/authz/omicron.polar
Lines 514 to 521 in a298dfb
| silo1-proj1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-limited-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| silo1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| unauthenticated ! ! ! ! ! ! ! ! | ||
| scim ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| db-init ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| internal-api ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ | ||
| external-authn ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ |
There was a problem hiding this comment.
Creating children of the session list (i.e., sessions) is the point of external-authn.
1 participant
Built on top of #10549. I'm trying to get as much test coverage as possible for the existing authz setup to increase confidence in a conversion from Oso to Cedar I'm prototyping.
Prior to this change,
test_iam_roles_behaviormatrix only tests actors with roles, but there are a few cases where the Polar policy grants permissions based directly on the identity of the actor rather than based on a role. For example, a user can modify their own SSH keys just by virtue of being the owner of those keys. There are also three constant built-in actors (db-init,internal-api,external-authn), whose privileges come from fixed Polar rules and seeded fleet role assignments rather than per-resource roles.This PR adds coverage for the role-less user and the three built-in actors to the big authz snapshot test. It definitely adds noise to the snapshot (+500 lines on top of 2200), but I think it's worth it.