Fix ip pool policy for instance allocation #2113
Conversation
| NexusRequest::objects_post(client, &url_instances, &instance_params) | ||
| .authn_as(AuthnMode::SiloUser(user_id)) | ||
| .execute() | ||
| .await | ||
| .expect("Failed to create instance") | ||
| .parsed_body::<Instance>() | ||
| .expect("Failed to parse instance"); |
There was a problem hiding this comment.
Before updating the polar policy, this failed.
The instance creation pathway checks for authz::Action::CreateChild on the target IP pool, which works fine for AuthnMode::PrivilegedUser, but fails for a silo user.
For example:
| populate_ip_pool(&client, "default", None).await; | ||
|
|
||
| // Create test organization and projects. | ||
| NexusRequest::objects_post( |
There was a problem hiding this comment.
Not really part of this PR, but it would be neat if the resource_helpers used a builder pattern to make these calls a little easier to customize. They currently hard-code "privileged user", which means I need to do the request myself.
| populate_ip_pool(&client, "default", None).await; | ||
|
|
||
| // Create test organization and projects. | ||
| NexusRequest::objects_post( |
nexus/src/authz/omicron.polar
Outdated
| @@ -373,6 +373,10 @@ resource IpPoolList { | |||
| has_relation(fleet: Fleet, "parent_fleet", ip_pool_list: IpPoolList) | |||
| if ip_pool_list.fleet = fleet; | |||
|
|
|||
| # Any authenticated user can create a child of a provided IP Pools. | |||
| # This is necessary to use the pools when provisioning instances. | |||
| has_permission(_actor: AuthenticatedActor, "create_child", _ip_pool: IpPool); | |||
There was a problem hiding this comment.
I don't think it matters much right now since we don't really support fleets yet, but for consistency with other policy rules I think there should probably be an additional restriction here:
has_permission(actor: AuthenticatedActor, "create_child", ip_pool: IpPool)
if actor.silo.fleet = ip_pool.fleet;
There was a problem hiding this comment.
Hrm, this appears to actually break the parsing of the oso file:
error_message_internal: failed to compute authorization: trace (most recent evaluation last):
009: allow(oso::host::value::PolarValue TYPE `oso::host::value::PolarValue`, oso::host::value::PolarValue TYPE `oso::host::value::PolarValue`, oso::host::value::PolarValue TYPE `oso::host::value::PolarValue`)
008: actor.authenticated and
has_permission(actor.authn_actor.unwrap(), action.to_perm(), resource)
in rule allow at line 21, column 5
007: actor.authn_actor
in rule allow at line 22, column 20
006: actor.authn_actor.unwrap()
in rule allow at line 22, column 20
005: action.to_perm()
in rule allow at line 22, column 48
004: has_permission(actor.authn_actor.unwrap(), action.to_perm(), resource)
in rule allow at line 22, column 5
003: actor.silo.fleet = ip_pool.fleet
in rule has_permission at line 379, column 6
002: actor.silo.fleet = ip_pool.fleet
in rule has_permission at line 379, column 6
001: actor.silo.fleet
in rule has_permission at line 379, column 6
Application error: Attribute fleet not found on type Option. at line 379, column 6:
379: if actor.silo.fleet = ip_pool.fleet;
There was a problem hiding this comment.
I'm unwrapping in a11fc26 , though I'm open to a safer way to do this in polar.
Fixes a regression introduced by #2056
Updates polar policy to allow instance creation from regular Silo users, and adds a regression test