NEOS-1616: [MIGRATION] Adds RBAC engine #2935

Merged
merged 26 commits into from
Dec 16, 2024

@nickzelei nickzelei commented Nov 13, 2024

This is kind of a large PR but it does a few things here:

  • Adds Casbin RBAC engine
  • On bootup, upserts existing accounts with their permissions. This is to ensure that all accounts have the latest permission set going forward and for legacy accounts created prior to RBAC being enforced
  • On account creation, the following now happens: account policies created, creating user added as account admin
  • Adds new RPC method that allows for updating a user's role in the account
  • Refactors each RPC service with a new userdata service that now encapsulates all of the previous checks we were doing in the user-account.go files, as well as ensures the user is in the requesting resource's account
  • RBAC is an EE feature and is conditionally enabled if neosync api comes online with an EE or neosync cloud license
  • API Keys have now been restricted to account_admins only until we enable fine-grained access to users that is based on their role

Each account now has the following roles:

  1. account_admin
  2. job_developer
  3. job_viewer

linear bot commented Nov 13, 2024

vercel bot commented Nov 13, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| neosync-docs | ⬜️ Ignored (Inspect) | Visit Preview | | Dec 14, 2024 0:59am |

codecov bot commented Nov 13, 2024

Codecov Report

Attention: Patch coverage is 26.54370% with 916 lines in your changes missing coverage. Please review.

Project coverage is 34.83%. Comparing base (606354f) to head (7e5a080).
Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| backend/internal/ee/rbac/policy.go | 0.00% | 219 Missing ⚠️ |
| backend/services/mgmt/v1alpha1/job-service/jobs.go | 8.00% | 158 Missing and 3 partials ⚠️ |
| backend/services/mgmt/v1alpha1/job-service/runs.go | 0.00% | 131 Missing ⚠️ |
| ...rvices/mgmt/v1alpha1/user-account-service/users.go | 31.81% | 72 Missing and 18 partials ⚠️ |
| ...1/transformers-service/userdefined_transformers.go | 0.00% | 49 Missing ⚠️ |
| backend/internal/cmds/mgmt/serve/connect/cmd.go | 0.00% | 45 Missing ⚠️ |
| ...ces/mgmt/v1alpha1/connection-service/connection.go | 39.02% | 16 Missing and 9 partials ⚠️ |
| backend/internal/ee/rbac/allow_all_client.go | 0.00% | 22 Missing ⚠️ |
| ...ices/mgmt/v1alpha1/user-account-service/billing.go | 56.25% | 14 Missing and 7 partials ⚠️ |
| backend/internal/ee/rbac/db.go | 0.00% | 18 Missing ⚠️ |
... and 18 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2935      +/-   ##
==========================================
- Coverage   35.16%   34.83%   -0.34%     
==========================================
  Files         346      350       +4     
  Lines       40016    40671     +655     
==========================================
+ Hits        14072    14168      +96     
- Misses      24284    24818     +534     
- Partials     1660     1685      +25     


@nickzelei nickzelei force-pushed the nick/neos-1616-add-support-for-rbac-to-neosync branch from 349d918 to 648ecfa Compare December 10, 2024 21:13
@nickzelei nickzelei added the enhancement New feature or request label Dec 10, 2024
@nickzelei nickzelei force-pushed the nick/neos-1616-add-support-for-rbac-to-neosync branch from 0e36ce4 to 2ed2760 Compare December 13, 2024 17:58
github-actions bot commented Dec 13, 2024

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ passed | ✅ passed | ✅ passed | ✅ passed | Dec 14, 2024, 12:59 AM |

@nickzelei nickzelei changed the title Adds initial rbac casbin logic and policy init NEOS-1616: [MIGRATION] Adds RBAC engine Dec 13, 2024
@nickzelei nickzelei marked this pull request as ready for review December 13, 2024 23:24
@@ -11,4 +11,4 @@ g = _, _, _
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch2(r.obj, p.obj) && keyMatch2(r.act, p.act)
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)
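
Review bot: In the [matchers] line that uses keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act), keyMatch compares everything before the first * in the policy value as a plain prefix, so a policy object or action whose prefix does not end at a delimiter also matches longer, unrelated names, and a * placed after a / covers every deeper path segment. Suggest documenting the wildcard convention for p.obj and p.act in a comment next to the matcher, and adding enforcement tests with both allow and deny cases for each role so the change from keyMatch2 is pinned down.
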
Member Author


after more inspection of the functions available, keyMatch is what we actually want.
https://casbin.org/docs/function/
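
The matcher from the diff above, evaluated over constructed data as an added example (not code from the PR or from Casbin). `keyMatch` is re-implemented here from Casbin's documented behaviour, and the policy rows, object names, actions and account ids are hypothetical; only the role names come from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// keyMatch re-implements Casbin's documented keyMatch semantics: the text
// before the first '*' in the pattern is a plain prefix; no '*' means equality.
func keyMatch(key, pattern string) bool {
	i := strings.Index(pattern, "*")
	if i == -1 {
		return key == pattern
	}
	return strings.HasPrefix(key, pattern[:i])
}

type policy struct{ role, dom, obj, act string } // p = role, account, object, action
type grant struct{ user, role, dom string }      // g = user, role, account

// Constructed sample rows; object names, actions and account ids are hypothetical.
var policies = []policy{
	{"account_admin", "acct-1", "*", "*"},
	{"account_admin", "acct-2", "*", "*"},
	{"job_viewer", "acct-1", "jobs/*", "view"},
}
var grants = []grant{{"alice", "account_admin", "acct-1"}, {"bob", "job_viewer", "acct-1"}}

// Enforce evaluates the merged matcher with default deny:
// g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)
func Enforce(sub, dom, obj, act string) bool {
	for _, p := range policies {
		for _, g := range grants { // direct grants only; no role inheritance
			if g.user == sub && g.role == p.role && g.dom == dom && dom == p.dom &&
				keyMatch(obj, p.obj) && keyMatch(act, p.act) {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println(Enforce("alice", "acct-1", "connections/9", "delete")) // admin in own account
	fmt.Println(Enforce("alice", "acct-2", "jobs/1", "view"))          // no grant in acct-2
	fmt.Println(Enforce("bob", "acct-1", "jobs/1/runs/7", "view"))     // '*' spans '/' segments
	fmt.Println(Enforce("bob", "acct-1", "jobs/1", "edit"))            // action not granted
}
```

The second call is the tenant-isolation case: an admin policy exists for `acct-2`, but the request is denied because the role grant is scoped to `acct-1`.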

@nickzelei nickzelei merged commit 6ed6d0b into main Dec 16, 2024
19 of 21 checks passed
@nickzelei nickzelei deleted the nick/neos-1616-add-support-for-rbac-to-neosync branch December 16, 2024 18:09
Labels
database-migration enhancement New feature or request