-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stable UNIX users: storage and auth API #51102
base: master
Are you sure you want to change the base?
Conversation
0fb9265
to
d0943ca
Compare
This comment was marked as off-topic.
This comment was marked as off-topic.
39de628
to
b7c7571
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to specify the stable unix user config via teleport.yaml?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is still not quite right? If following the existing pattern the package should be lib/auth/stableunixusersv1
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think I'd ever version the implementation like that unless I really had to - I'm almost sure there's going to be overlap in functionality, etc. - and all you'd need is a newtype to implement both services with "the same" object, which would strongly benefit from being in the same go package.
// Validate implements [AuthPreference]. | ||
func (c *AuthPreferenceV2) Validate() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should CASD defer to Validate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you mean that CheckAndSetDefaults
should call Validate
, no - Validate
is specifically intended to not get called after UnmarshalAuthPreference
.
If you mean the opposite I'm not sure - I like the guarantee that Validate
is read-only, and the intended usecase is to validate after getting the AuthPreferenceV2
out of storage which would've already done a CASD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a free function, services.ValidateAuthPreference
, to mirror validation functions of other resources?
Line 36 in 63537e3
func ValidateUser(u types.User) error { Line 253 in 63537e3
func ValidateRole(r types.Role, opts ...validateRoleOption) error { teleport/lib/services/authority.go
Line 62 in 63537e3
func ValidateCertAuthority(ca types.CertAuthority) (err error) {
ap, err := s.clusterConfiguration.GetAuthPreference(ctx) | ||
if err != nil { | ||
return 0, trace.Wrap(err) | ||
} | ||
authPref = ap |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why doesn't the readonly cache sufice on subsequent attempts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The readonly cache has a TTL, and we don't have a way to distinguish the specific condition that failed in Backend.AtomicWrite
(dynamodb doesn't return that, iirc) so on our subsequent attempts we should fetch the freshest possible AuthPreference with the freshest possible revision.
func (s *server) createNewStableUNIXUser(ctx context.Context, username string, authPref readonly.AuthPreference) (int32, error) { | ||
cfg := authPref.GetStableUNIXUserConfig() | ||
if cfg == nil || !cfg.Enabled { | ||
return 0, trace.LimitExceeded("stable UNIX users are not enabled") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a limit exceeded because when the feature is disabled the UID range is 0? Would a concrete error be a better marker for this condition?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed the logic to rely on returned boolean flags instead in 02cac25
@@ -48,6 +48,8 @@ type ClusterConfigurationService struct { | |||
backend.Backend | |||
} | |||
|
|||
var _ services.ClusterConfigurationInternal = (*ClusterConfigurationService)(nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The appearance of the blank identifier in this construct indicates that the declaration exists only for the type checking, not to create a variable. Don't do this for every type that satisfies an interface, though. By convention, such declarations are only used when there are no static conversions already present in the code, which is a rare event.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no such conversion in the file or package, AFAICT, and I personally really like that the assertion shows which interface I intended to implement and if it's by pointer or value.
Backend backend.Backend | ||
} | ||
|
||
var _ services.StableUNIXUsersInternal = (*StableUNIXUsersService)(nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The appearance of the blank identifier in this construct indicates that the declaration exists only for the type checking, not to create a variable. Don't do this for every type that satisfies an interface, though. By convention, such declarations are only used when there are no static conversions already present in the code, which is a rare event.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no such conversion in the file or package, AFAICT.
@eriktate @bernardjkim @ravicious friendly ping |
// Validate implements [AuthPreference]. | ||
func (c *AuthPreferenceV2) Validate() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a free function, services.ValidateAuthPreference
, to mirror validation functions of other resources?
Line 36 in 63537e3
func ValidateUser(u types.User) error { Line 253 in 63537e3
func ValidateRole(r types.Role, opts ...validateRoleOption) error { teleport/lib/services/authority.go
Line 62 in 63537e3
func ValidateCertAuthority(ca types.CertAuthority) (err error) {
uid1, err := svc.obtainUIDForUsernameUncached(ctx, "user1") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID, uid1) | ||
|
||
uid1, err = svc.obtainUIDForUsernameUncached(ctx, "user1") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID, uid1) | ||
|
||
uid2, err := svc.obtainUIDForUsernameUncached(ctx, "user2") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID+1, uid2) | ||
|
||
uid1, err = svc.obtainUIDForUsernameUncached(ctx, "user1") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID, uid1) | ||
|
||
uid2, err = svc.obtainUIDForUsernameUncached(ctx, "user2") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID+1, uid2) | ||
|
||
uid3, err := svc.obtainUIDForUsernameUncached(ctx, "user3") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID+2, uid3) | ||
|
||
uid4, err := svc.obtainUIDForUsernameUncached(ctx, "user4") | ||
require.NoError(t, err) | ||
require.Equal(t, firstUID+3, uid4) | ||
|
||
_, err = svc.obtainUIDForUsernameUncached(ctx, "user5") | ||
require.ErrorAs(t, err, new(*trace.LimitExceededError)) | ||
|
||
resp, err := svc.listStableUNIXUsers(ctx, &stableunixusersv1.ListStableUNIXUsersRequest{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to write this test in such a way that it doesn't need to reach for the private API? Could this test be moved to the stableunixusers_test
package?
This RFD implements the storage and storage manipulation in the auth server, and defines and implements the auth API to store and fetch stable UIDs for automatically provisioned UNIX users.
Related RFD: #50414
Part of #50292