Skip to content

agent: user auth APIs accept and verify request capability, and add user prefix authorization API #2133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 9, 2025
Merged

agent: user auth APIs accept and verify request capability, and add user prefix authorization API #2133

merged 1 commit into from
May 9, 2025

Conversation

jgraettinger
Copy link
Member

@jgraettinger jgraettinger commented May 8, 2025
edited
Loading

User authorization APIs can now escalate the capability of a signed token if the user has sufficient privilege. This can be used for administrative actions like journal splitting.

Also add a new prefix authorization API which signs an authorization token valid for a requested and authorized prefix and capability, directed at a specific data-plane.

Add a new, advanced flowctl subcommand for authorizing and printing environment variables for direct gazette access of an authorized prefix.

Workflow steps:

Use flowctl to obtain a temporary authorization to an entire (authorized) prefix:

johnny@johnny-desktop:~/estuary/flow$ flowctl --profile local raw gazctl-env --data-plane ops/dp/public/local-cluster --prefix ops.us-central1.v1/ 
2025-05-08T16:38:44.477413Z  WARN flow_client::client: authorization service tentatively rejected our request, but we'll retry before failing secs=5.692
export BROKER_ADDRESS=https://gazette.flow.localhost:8080
export BROKER_AUTH_TOKEN=(trim)
export CONSUMER_ADDRESS=https://reactor.flow.localhost:9000
export CONSUMER_AUTH_TOKEN=(trim)

Then use it with gazctl or flowctl-go corresponding Gazette PR:

johnny@johnny-desktop:~/gazette$ .build/amd64/gazctl  shards list -l ''
+--------------------------------------------------------------------------------------+---------+
|                                          ID                                          | STATUS  |
+--------------------------------------------------------------------------------------+---------+
| derivation/ops.us-central1.v1/catalog-stats-L2/1114a1376c000046/00000000-00000000    | PRIMARY |
| derivation/ops.us-central1.v1/events/L2/1114a1376c000046/00000000-00000000           | PRIMARY |
| derivation/ops.us-central1.v1/inferred-schemas/L2/1114a1376c000046/00000000-00000000 | PRIMARY |
| materialize/ops.us-central1.v1/stats-view/1114a13f78800046/00000000-00000000         | PRIMARY |
+--------------------------------------------------------------------------------------+---------+
johnny@johnny-desktop:~/gazette$ .build/amd64/gazctl  journals list -l ''
+-----------------------------------------------------------------------------------------------+
|                                             NAME                                              |
+-----------------------------------------------------------------------------------------------+
| ops.us-central1.v1/catalog-stats-L2/1114a1376c000046/pivot=00                                 |
| ops.us-central1.v1/events/L2/1114a1376c000046/event_type=connectorStatus/pivot=00             |
| ops.us-central1.v1/inferred-schemas/L2/1114a1376c000046/pivot=00                              |
| recovery/derivation/ops.us-central1.v1/catalog-stats-L2/1114a1376c000046/00000000-00000000    |
| recovery/derivation/ops.us-central1.v1/events/L2/1114a1376c000046/00000000-00000000           |
| recovery/derivation/ops.us-central1.v1/inferred-schemas/L2/1114a1376c000046/00000000-00000000 |
| recovery/materialize/ops.us-central1.v1/stats-view/1114a13f78800046/00000000-00000000         |
+-----------------------------------------------------------------------------------------------+

Example of a prefix which is not allowed at the requested capability:

johnny@johnny-desktop:~/estuary/flow$ flowctl --profile local raw gazctl-env --data-plane ops/dp/public/local-cluster --prefix ops.us-central1.v1/ --admin
2025-05-08T16:39:44.150048Z  WARN flow_client::client: authorization service tentatively rejected our request, but we'll retry before failing secs=3.523
2025-05-08T16:39:47.676877Z ERROR flow_client::client: error=POST /authorize/user/prefix: 403 Forbidden: {"status":403,"error":"johnny@foobar is not authorized to ops.us-central1.v1/ for Admin"}
Error: POST /authorize/user/prefix: 403 Forbidden: {"status":403,"error":"johnny@foobar is not authorized to ops.us-central1.v1/ for Admin"}

Documentation links affected:

(list any documentation links that you created, or existing ones that you've identified as needing updates, along with a brief description)

Notes for reviewers:

(anything that might help someone review this PR)

This change is Reviewable

@jgraettinger
agent: user auth APIs accept and verify request capability
c846b67 
User authorization APIs can now escalate the capability of a signed
token if the user has sufficient privilege. This can be used for
administrative actions like journal splitting.

Also add a new prefix authorization API which signs an authorization
token valid for a requested and authorized prefix and capability,
directed at a specific data-plane.

Add a new, advanced flowctl subcommand for authorizing and printing
environment variables for direct gazette access of an authorized prefix.
@jgraettinger jgraettinger requested a review from jshearer May 8, 2025 16:54
jshearer
jshearer approved these changes May 8, 2025
View reviewed changes
crates/agent/src/api/authorize_user_prefix.rs
models::Capability::Read,
) {
return Err(anyhow::anyhow!(
"{} is not authorized to {data_plane_name}",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if we care about being able to guess private data-plane names, but this message+status code being different from the "not found" error below would let a potential bad actor check whether a guessed data-plane exists or not.

Copy link
Member Author

@jgraettinger jgraettinger May 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're verifying their authorization to the requested data-plane name before we check whether the name actually exists. They will always get a FORBIDDEN if they don't have RBAC access, regardless of whether it exists.

@jgraettinger jgraettinger merged commit c2bf679 into master May 9, 2025
4 checks passed
@jgraettinger jgraettinger deleted the johnny/prefix-auth branch May 9, 2025 03:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jshearer jshearer jshearer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jgraettinger @jshearer