Support RBAC for Admin Portal UI

kcbabo commented 1 year ago

Background The Admin Portal UI is currently accessed through port-forwarding the gloo-portal-admin-server service without authentication or authorization for users in the UI. This issue covers the ability to enable authentication of users in the Portal Admin UI and to perform authorization checks to restrict which Portal resources a user can view/modify through the UI.

Authentication The Portal Admin UI should support configuring OIDC as an authentication option for accessing the Portal. When enabled, a login page should be presented in the Portal Admin UI along with a logout function in the menu bar. The IdP used in this OIDC configuration must be the same IdP used in the underlying Kubernetes cluster, which means any user logging in through the Portal Admin UI must be a valid user in the underlying Kubernetes environment. This will require:

Configuring the Kubernetes API Server to use OIDC Authentication
Setting the aud and iss claims for all tokens granted to Portal Admin UI users
Setting the api-audiences flag in the kube-apiserver to match the values in the claims above

The following resources provide additional information: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ https://kubernetes.io/docs/reference/access-authn-authz/authorization/

Authorization Authorization in the Portal Admin UI is driven by Kubernetes RBAC. User access to Portal resources is implemented by defining Roles and RoleBindings in the Kubernetes cluster. The Portal Admin UI defaults to the Gloo Portal controller namespace (e.g. gloo-portal) for creating resources, so Role and RoleBinding definitions should be defined for the same namespace. The Role definitions should only provide access to Portal resources that a user can view/modify through the UI.

UI Mapping This section details the behavior of UI pages based on associated Role configuration.

Top Nav Menu

Overview: visible for all authenticated users regardless of permissions
Portals : must have list on portal.gloo.solo.io.Portal
APIs : must have list on portal.gloo.solo.io.Environment or portal.gloo.solo.io.APIProduct or portal.gloo.solo.io.APIDoc
Access Control : must have list on portal.gloo.solo.io.User or portal.gloo.solo.io.Group
Gloo Config : must have list on portal.gloo.solo.io.Portal or portal.gloo.solo.io.Environment

Dashboard (/)

Portals card : must have list on portal.gloo.solo.io.Portal
APIs card : must have list on portal.gloo.solo.io.Environment or portal.gloo.solo.io.APIProduct or portal.gloo.solo.io.APIDoc
Users & Groups card : must have list on portal.gloo.solo.io.User or portal.gloo.solo.io.Group
Gloo Portal Documentation: visible for all authenticated users regardless of permissions

Portals (/portals)

must have get on portal.gloo.solo.io.Portal to show individual Portal cards
must have get on portal.gloo.solo.io.Portal to show individual Portal details
must have update on portal.gloo.solo.io.Portal to edit Portal details
must have delete on portal.gloo.solo.io.Portal to delete Portal
must have create on portal.gloo.solo.io.Portal to create Portal

APIs (/apis)

must have get on portal.gloo.solo.io.Environment to show individual Environment cards
must have update on portal.gloo.solo.io.Environment to edit individual Environment details
must have delete on portal.gloo.solo.io.Environment to delete Environment
must have create on portal.gloo.solo.io.Environment to create Environment
must have get on portal.gloo.solo.io.APIProduct to show individual API Product cards
must have update on portal.gloo.solo.io.APIProduct to edit individual APIProduct details
must have delete on portal.gloo.solo.io.APIProduct to delete APIProduct
must have create on portal.gloo.solo.io.APIProduct to create APIProduct
must have get on portal.gloo.solo.io.APIDoc to show individual API Docs cards
must have update on portal.gloo.solo.io.APIDoc to edit individual APIDoc details
must have delete on portal.gloo.solo.io.APIDoc to delete APIDoc
must have create on portal.gloo.solo.io.APIDoc to create APIDoc
must have get on portal.gloo.solo.io.Route to show individual Route cards
must have update on portal.gloo.solo.io.Route to edit individual Route details
must have delete on portal.gloo.solo.io.Route to delete Route
must have get on Secret to show individual API Key cards
must have delete on Secret to delete APIProduct

Access Control (/access-control)

must have get on portal.gloo.solo.io.User to show individual User cards
must have update on portal.gloo.solo.io.User to edit individual User details
must have delete on portal.gloo.solo.io.User to delete User
must have create on portal.gloo.solo.io.User to create User
must have get on portal.gloo.solo.io.Group to show individual Group cards
must have update on portal.gloo.solo.io.Group to edit individual Group details
must have delete on portal.gloo.solo.io.Group to delete Group
must have create on portal.gloo.solo.io.Group to create Group

Gloo Config (/gloo-configuration)

must have get on portal.gloo.solo.io.Environment to show VS corresponding to Environments
must have get on portal.gloo.solo.io.Portal to show VS corresponding to Portals

kcbabo commented 1 year ago

As an example, here's what the aud and iss claims look like in my local environment:

{
  "aud": [
      "https://kubernetes.default.svc.cluster.local"
    ],
  "iss": "https://kubernetes.default.svc.cluster.local"
}

nfuden commented 1 year ago

Looks like this is done as https://github.com/solo-io/dev-portal/pull/2511 has merged

solo-io / gloo-portal-issues

Support RBAC for Admin Portal UI #187