Implement global images

common/src/api/external/mod.rs

@@ -518,7 +518,6 @@ pub enum ResourceType {
     SiloUser,
     ConsoleSession,
     GlobalImage,
-    GlobalImageList,
     Organization,
     Project,
     Dataset,

common/src/sql/dbinit.sql

@@ -442,11 +442,8 @@ CREATE TABLE omicron.public.image (
     project_id UUID NOT NULL,
     volume_id UUID NOT NULL,
 
-    /* Optional URL: Images may be backed by either a URL or a volume */
     url STRING(8192),
-    /* Optional version */
     version STRING(64),
-    /* Optional digest */
     digest TEXT,
     block_size omicron.public.block_size NOT NULL,
     size_bytes INT NOT NULL
@@ -470,11 +467,8 @@ CREATE TABLE omicron.public.global_image (
 
     volume_id UUID NOT NULL,
 
-    /* Optional URL: Images may be backed by either a URL or a volume */
     url STRING(8192),
-    /* Optional version */
     version STRING(64),
-    /* Optional digest */
     digest TEXT,
     block_size omicron.public.block_size NOT NULL,
     size_bytes INT NOT NULL

nexus/src/authz/api_resources.rs

@@ -191,12 +191,69 @@ impl AuthorizedResource for Fleet {
     }
 }
 
-#[derive(Clone, Copy, Debug)]
-pub struct GlobalImageList {
-    fleet: Fleet,
+/// ConsoleSessionList is a synthetic resource used for modeling who has access
+/// to create sessions.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub struct ConsoleSessionList;
+
+pub const CONSOLE_SESSION_LIST: ConsoleSessionList = ConsoleSessionList {};
+
+impl oso::PolarClass for ConsoleSessionList {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        // Roles are not directly attached to ConsoleSessionList.
+        oso::Class::builder()
+            .with_equality_check()
+            .add_method(
+                "has_role",
+                |_: &ConsoleSessionList,
+                 _actor: AuthenticatedActor,
+                 _role: String| false,
+            )
+            .add_attribute_getter("fleet", |_| FLEET)
+    }
 }
+
+impl AuthorizedResource for ConsoleSessionList {
+    fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
+        &'a self,
+        opctx: &'b OpContext,
+        datastore: &'c DataStore,
+        authn: &'d authn::Context,
+        roleset: &'e mut RoleSet,
+    ) -> futures::future::BoxFuture<'f, Result<(), Error>>
+    where
+        'a: 'f,
+        'b: 'f,
+        'c: 'f,
+        'd: 'f,
+        'e: 'f,
+    {
+        load_roles_for_resource(
+            opctx,
+            datastore,
+            authn,
+            ResourceType::Fleet,
+            *FLEET_ID,
+            roleset,
+        )
+        .boxed()
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+}
+
+#[derive(Clone, Copy, Debug)]
+pub struct GlobalImageList;
 /// Singleton representing the [`GlobalImageList`] itself for authz purposes
-pub const GLOBAL_IMAGE_LIST: GlobalImageList = GlobalImageList { fleet: FLEET };
+pub const GLOBAL_IMAGE_LIST: GlobalImageList = GlobalImageList;
 
 impl Eq for GlobalImageList {}
 impl PartialEq for GlobalImageList {
@@ -210,7 +267,7 @@ impl oso::PolarClass for GlobalImageList {
     fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
         oso::Class::builder()
             .with_equality_check()
-            .add_attribute_getter("fleet", |x: &GlobalImageList| x.fleet)
+            .add_attribute_getter("fleet", |_x: &GlobalImageList| FLEET)
     }
 }
 
@@ -399,5 +456,5 @@ authz_resource! {
     parent = "Fleet",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = Custom,
+    polar_snippet = FleetChild,
 }

nexus/src/authz/omicron.polar

@@ -79,8 +79,11 @@ has_role(actor: AuthenticatedActor, role: String, resource: Resource)
 # The complete set of predefined roles:
 #
 # - fleet.admin           (superuser for the whole system)
-# - fleet.collaborator    (can create and own orgs)
+# - fleet.collaborator    (can create and own silos)
 # - fleet.viewer          (can read fleet-wide data)
+# - silo.admin            (superuser for the silo)
+# - silo.collaborator     (can create and own orgs)
+# - silo.viewer           (can read silo-wide data)
 # - organization.admin    (complete control over an organization)
 # - organization.collaborator (can create, modify, and delete projects)
 # - project.admin         (complete control over a project)
@@ -230,19 +233,22 @@ resource GlobalImageList {
 has_relation(fleet: Fleet, "parent_fleet", global_image_list: GlobalImageList)
 	if global_image_list.fleet = fleet;
 
-resource GlobalImage {
-	permissions = [
-	    "read",
-	    "modify",
-	];
-
-	# Only admins can modify global images
+# ConsoleSessionList is a synthetic resource used for modeling who has access
+# to create sessions.
+resource ConsoleSessionList {
+	permissions = [ "create_child" ];
 	relations = { parent_fleet: Fleet };
-	"modify" if "admin" on "parent_fleet";
-
-	# Anyone with viewer can read global images
-	"read" if "viewer" on "parent_fleet";
+	"create_child" if "external-authenticator" on "parent_fleet";
 }
-has_relation(fleet: Fleet, "parent_fleet", global_image: GlobalImage)
-	if global_image.fleet = fleet;
-
+has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
+	if collection.fleet = fleet;
+
+# These rules grants the external authenticator role the permissions it needs to
+# read silo users and modify their sessions.  This is necessary for login to
+# work.
+has_permission(actor: AuthenticatedActor, "read", user: SiloUser)
+	if has_role(actor, "external-authenticator", user.fleet);
+has_permission(actor: AuthenticatedActor, "read", session: ConsoleSession)
+	if has_role(actor, "external-authenticator", session.fleet);
+has_permission(actor: AuthenticatedActor, "modify", session: ConsoleSession)
+	if has_role(actor, "external-authenticator", session.fleet);

nexus/src/authz/oso_generic.rs

@@ -44,6 +44,7 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<Oso, anyhow::Error> {
         Database::get_polar_class(),
         Fleet::get_polar_class(),
         GlobalImageList::get_polar_class(),
+        ConsoleSessionList::get_polar_class(),
     ];
     for c in classes {
         trace!(log, "registering Oso class"; "class" => &c.name);