Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-assess policy read Casbin policy #1567

Open
jakedoublev opened this issue Sep 20, 2024 · 0 comments
Open

Re-assess policy read Casbin policy #1567

jakedoublev opened this issue Sep 20, 2024 · 0 comments
Assignees
@jakedoublev
Labels
comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry)

Comments

@jakedoublev
Copy link
Contributor

jakedoublev commented Sep 20, 2024
edited
Loading

Related to #1559

Policy read is currently wide open to the standard role in Casbin policy which means any authenticated user:

platform/service/internal/auth/casbin.go

Lines 89 to 97 in 7dc0b91

p, role:standard, policy.*, read, allow
p, role:standard, kasregistry.*, read, allow
p, role:standard, kas.AccessService/Rewrap, *, allow
## HTTP routes
p, role:standard, /attributes*, read, allow
p, role:standard, /namespaces*, read, allow
p, role:standard, /subject-mappings*, read, allow
p, role:standard, /resource-mappings*, read, allow
p, role:standard, /key-access-servers*, read, allow

As policy and the platform have matured, review and re-assess whether this is appropriate for the following policy objects, or if more or less privilege is required:

  1. Subject Mappings
  2. Subject Condition Sets
  3. GetAttributesByValueFqns
  4. KAS Grants (which are needed on encrypt and therefore must be widely available)
  5. KAS Registry
  6. Resource Mappings

Acceptance Criteria

  1. read privileges are considered in light of the needs for various encrypt/decrypt flows
  2. read privileges remain for admins and org-admins
  3. defaultPolicy is updated if needed
  4. decisioning around the above is documented in this issue
@jakedoublev jakedoublev added the comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) label Sep 20, 2024
@jakedoublev jakedoublev self-assigned this Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jakedoublev jakedoublev

Labels
comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jakedoublev