canonical / identity-platform-admin-ui

Admin UI for the Canonical identity broker and identity provider solution

403 when creating roles/groups #281

Closed huwshimi closed 5 months ago

huwshimi commented 5 months ago

This may be user error, but when I try to create a role or a group (e.g. POST to /api/v0/groups with {id: "newgroup"}) I get a 403 response:

{"data":null,"message":"insufficient permissions to execute operation","status":403,"_meta":null}

I only started getting this error once I enabled authorisation in my configmap.

I'm setting the auth header to the superuser "johndoe" (see tuples below): X-Authorization: am9obmRvZQ==

The tuples are set to the same values as the seeding doc.

fga tuple read --output-format=simple-json --max-pages 0 --store-id $STORE_ID
[
  {
    "object":"group:c-level",
    "relation":"member",
    "user":"user:joe"
  },
  {
    "object":"role:administrator",
    "relation":"assignee",
    "user":"user:joe"
  },
  {
    "object":"privileged:superuser",
    "relation":"admin",
    "user":"user:shipperizer"
  },
  {
    "object":"group:c-level",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"role:administrator",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"identity:user-1",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"identity:user-2",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"scheme:identity-social",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"client:github-canonical",
    "relation":"privileged",
    "user":"privileged:superuser"
  },
  {
    "object":"privileged:superuser",
    "relation":"admin",
    "user":"user:johndoe"
  },
  {
    "object":"identity:user-1",
    "relation":"can_delete",
    "user":"user:joe"
  },
  {
    "object":"client:github-canonical",
    "relation":"can_view",
    "user":"role:administrator#assignee"
  },
  {
    "object":"client:okta",
    "relation":"can_delete",
    "user":"role:administrator#assignee"
  },
  {
    "object":"client:github-canonical",
    "relation":"can_edit",
    "user":"group:c-level#member"
  },
  {
    "object":"client:okta",
    "relation":"can_view",
    "user":"group:c-level#member"
  },
  {
    "object":"role:janitor",
    "relation":"assignee",
    "user":"group:c-level#member"
  },
  {
    "object":"role:administrator",
    "relation":"assignee",
    "user":"group:c-level#member"
  },
  {
    "object":"client:okta",
    "relation":"can_delete",
    "user":"group:c-level#member"
  },
  {
    "object":"client:okta",
    "relation":"can_edit",
    "user":"group:c-level#member"
  },
  {
    "object":"role:global",
    "relation":"can_view",
    "user":"user:*"
  },
  {
    "object":"provider:global",
    "relation":"can_view",
    "user":"user:*"
  },
  {
    "object":"group:global",
    "relation":"can_view",
    "user":"user:*"
  },
  {
    "object":"client:global",
    "relation":"can_view",
    "user":"user:*"
  },
  {
    "object":"identity:global",
    "relation":"can_view",
    "user":"user:*"
  },
  {
    "object":"scheme:global",
    "relation":"can_view",
    "user":"user:*"
  }
]

My model is:

$ fga model get --store-id=$STORE_ID
model
  schema 1.1

type user

type privileged
  relations
    define admin: [user]

type role
  relations
    define assignee: [user, group#member] or admin from privileged
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type group
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define member: [user, group#member]
    define privileged: [privileged]

type identity
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type scheme
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type client
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type provider
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type rule
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]

type application
  relations
    define can_create: [user, role#assignee, group#member] or admin from privileged
    define can_delete: [user, role#assignee, group#member] or admin from privileged
    define can_edit: [user, role#assignee, group#member] or admin from privileged
    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
    define privileged: [privileged]
syncronize-issues-to-jira[bot] commented 5 months ago

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-845.

This message was autogenerated

shipperizer commented 5 months ago

dug a bit

issue is we didn't set up the superusers (privileged) properly

what needs to happen is that for each type (role, group, client, ...) we need to create an association via privileged for the <type>:global object — the can_create relations in the model resolve through `admin from privileged`, and the tuples above only attach privileged:superuser to specific objects (group:c-level, role:administrator, ...), never to the <type>:global ones, so the superuser has no path to the create permission

- user: privileged:<privileged user>
  relation: privileged
  object: role:global
- user: privileged:<privileged user>
  relation: privileged
  object: client:global
shipperizer commented 5 months ago

added extra tuples to the wiki page

 #### privileged permissions  
  - user: privileged:superuser
    relation: privileged
    object: provider:global
  - user: privileged:superuser
    relation: privileged
    object: role:global
  - user: privileged:superuser
    relation: privileged
    object: group:global
  - user: privileged:superuser
    relation: privileged
    object: client:global
  - user: privileged:superuser
    relation: privileged
    object: identity:global
  - user: privileged:superuser
    relation: privileged
    object: scheme:global

the issue will be addressed in the short term at seeding time: when we create a model we will add these tuples as a start and choose the name of the privileged type

a new issue will be created for this, @BarcoMasile is on it

BarcoMasile commented 5 months ago

https://github.com/canonical/identity-platform-admin-ui/issues/282