Open stgraber opened 1 year ago
@stgraber I would be interested to work on this.
Sounds good!
I would be happy to test this. I guess such a script hook would open up many more scenarios for using Incus as a remote image server, with something like a voter script which could then access external services like LDAP or a DB to block or allow access. Are you thinking of a shell script or a Go construct?
We're looking at using a scriptlet, which is already a technology we use for our scheduler. Those scriptlets are Python-looking scripts that are run inside of a safe environment directly within the Go daemon.
This uses go-starlark from Google.
Unassigning due to lack of activity.
I'm interested in working on this issue, can I be assigned to it please?
Probably best to tackle last in the current batch of stuff assigned to you as that's a bit trickier than the others. But #652 should help you get familiar with some of that stuff already.
This will need a new kind of scriptlet to be defined in internal/server/scriptlet. It will also need a new server configuration key, authorization.scriptlet, to be added.
The basic infrastructure you can do with:
authorization_scriptlet
internal/server/cluster/config/config.go
make update-metadata
internal/server/scriptlet
internal/server/auth
cmd/incusd/daemon.go
and cmd/incusd/api_1.0.go
@christina-zh hello, do you still intend to work on this one or should I clear the assignee?
Hi @stgraber, our group might not have the time to continue working on this issue. You could clear the assignee. Thank you for your help!
Hi! I’d like to work on this.
There you go!
We now have OpenFGA for fine-grained access control, but not everyone needs to run a full authorization server, and for simpler cases it could be very useful to have a basic built-in option that can still be very flexible.
I'm thinking of a new authorization.scriptlet server config key which takes a scriptlet that would then be called with some user context, object context and action and have the ability to allow or deny the request.
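A sketch of the kind of policy such a scriptlet could express, as an added example that is not part of the original issue and not Incus code. The function name `authorize`, its three arguments, the dict fields and every user, project, protocol and action name are assumptions constructed for illustration; it is plain Python limited to functions, dicts and lists, and it denies by default.

```python
# Constructed policy data (hypothetical names, not taken from Incus).
TRUSTED_PROTOCOLS = ["tls", "oidc"]
ADMINS = ["alice"]
PROJECT_OPERATORS = {"web": ["bob"], "ci": ["bob", "carol"]}
OPERATOR_OBJECTS = ["instance", "profile"]
OPERATOR_ACTIONS = ["view", "edit"]


def authorize(user, obj, action):
    """Return True to allow the request, False to deny it."""
    username = user.get("username", "")
    protocol = user.get("protocol", "")
    obj_type = obj.get("type", "")
    project = obj.get("project", "")

    # Fail closed: incomplete context is never enough to grant access.
    if username == "" or obj_type == "" or action == "":
        return False
    # Only identities established through an expected protocol are considered.
    if protocol not in TRUSTED_PROTOCOLS:
        return False
    # Administrators may do anything.
    if username in ADMINS:
        return True
    # Image-server case: any authenticated user may view images, nothing more.
    if obj_type == "image" and action == "view":
        return True
    # Operators get a fixed set of actions, only inside their own projects.
    if username in PROJECT_OPERATORS.get(project, []):
        return obj_type in OPERATOR_OBJECTS and action in OPERATOR_ACTIONS
    # Default deny.
    return False


# Constructed sample requests: (user context, object context, action).
SAMPLE_REQUESTS = [
    ({"username": "bob", "protocol": "oidc"}, {"type": "instance", "project": "web"}, "edit"),
    ({"username": "bob", "protocol": "oidc"}, {"type": "instance", "project": "db"}, "edit"),
    ({"username": "dave", "protocol": "tls"}, {"type": "image", "project": "web"}, "view"),
    ({"username": "dave", "protocol": "tls"}, {"type": "image", "project": "web"}, "delete"),
]


def evaluate(requests):
    """Return the allow/deny decision for each request, in order."""
    return [authorize(user, obj, action) for (user, obj, action) in requests]
```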