Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy API: Enable admins to perform unsafe mutations on data in their platform #115

Closed
jrschumacher opened this issue Feb 1, 2024 · 8 comments · Fixed by #1066
Closed

Policy API: Enable admins to perform unsafe mutations on data in their platform #115

jrschumacher opened this issue Feb 1, 2024 · 8 comments · Fixed by #1066
Assignees
@jakedoublev
Labels
comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry)

Comments

@jrschumacher
Copy link
Member

jrschumacher commented Feb 1, 2024
edited
Loading

Implement the unsafe mutation RPCs so that admins can have an audit trail when they need to make unsafe changes to their platform

Depends on

Acceptance Criteria

  • Create an UnsafeService which captures the unsafe update RPC to empower platform admins
    • e.g. UnsafeService.UnsafeUpdateAttributeName()
    • e.g. UnsafeService.UnsafeDeleteAttribute()
  • Every unsafe property should require passing a value that would provoke the user to question what they are doing or why the platform requires it
@jrschumacher jrschumacher added the comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) label Feb 1, 2024
@strantalis strantalis added this to the POC to Alpha milestone Feb 1, 2024
@jrschumacher jrschumacher removed this from the POC to Alpha milestone Feb 1, 2024
@jrschumacher jrschumacher mentioned this issue Feb 2, 2024
Closed
@jakedoublev jakedoublev mentioned this issue Feb 6, 2024
Merged
@jakedoublev jakedoublev added this to the Finalize protos and SDK milestone Feb 6, 2024
@jakedoublev jakedoublev mentioned this issue Feb 13, 2024
Closed
@jakedoublev
Copy link
Contributor

jakedoublev commented Feb 14, 2024
edited
Loading

Suggesting we add the following rpc's, which are also dangerous if a deactivation was intentional and restoration could give new access where it had previously been blocked (see discussion in 108)

  • UnsafeService.RestoreDeactivatedNamespace()
  • UnsafeService.RestoreDeletedAttribute()
  • UnsafeService.RestoreDeletedAttributeValue()

They will intentionally not bubble up or cascade down to avoid unintended consequences. In other words, restoring a deactivated namespace will not restore any of its deactivated child attributes, and restoring an attribute will not restore any of its deactivated values.

@jakedoublev
Copy link
Contributor

Along with those:

  • UnsafeService.UpdateNamespace() // name is the only value that can be mutated and it should be dangerous to mutate
  • UnsafeService.UpdateAttributeValue()

Any of these should be prevented and/or removed if currently implemented and reserved for specific calls by the unsafe service:

  1. reactivation of any inactive state by update
  2. mutation of attribute name via update
  3. mutation of attribute value via update

@jakedoublev
Copy link
Contributor

For future discussion

Scenario:
I create the following: namespace: namespace.com, attribute: attr-xyz on that namespace, value: value-123 on that attribute. I then deactivate attribute attr-xyz, which cascades down to value-123. Then I create value: value-456 on deactivated attribute attr-xyz. What is the API contract a PEP will need so that a subject mapping or resource mapping with that newly created active value value-456 on inactive attribute attr-xyz will be properly entitled/enforced?

Questions:

  1. is creation/update of an attribute on a namespace that is inactive something to prevent?
  2. likewise, is creation/update of an attribute value on an attribute that is inactive something to prevent?
  3. is that a user error considered out of scope?
  4. should we enable simple boolean rpc's on the resources that check their entire "validity chain" for active state? (i.e. getIsValidSubjectMapping which checks value -> attribute -> namespace for active state?

The goal is to prevent data loss and prevent a blocking experience via user error, but these flows probably need to be considered.

@jakedoublev jakedoublev mentioned this issue Feb 14, 2024
Merged
jrschumacher added a commit that referenced this issue Feb 17, 2024
@jakedoublev @jrschumacher
feat(policy): add soft-delete/deactivation to namespaces, attribute d…
02e92a6 
…efinitions, attribute values #96 #108 (#191)

This work encompasses the following (including multiple breaking changes):
1. Tables `namespaces`, `attribute_definitions`, `attribute_values` updated via migration to add `active` boolean state
2. cascading deactivation from namespace -> attr -> values (in DB implementation via SQL trigger function provided in migration up/down)
3. integration tests:
    - cascading behavior ns -> attr -> val
    - integration tests proving no deactivation bubbling up behavior val -> attr -> ns
4. protos:
    - updated to provide a state enum back on all 3 resources (with helpful comments about defaults)
    - new example grpcurl requests/responses with these updates
    - all three LIST rpc's filterable by state as a common Message type (including an ANY enum option that returns both active TRUE and FALSE rows) and defaulting to ACTIVE if not specified
5. preservation of DB delete functionality/tests which will be exposed in newly separate rpc's

This PR does _not_ include:
1. Unsafe RPCs for actual deletion: #115
2. Unsafe RPCs for dangerous mutations (same issue)
3. Prevention of update mutation of INACTIVE namespaces/attributes/attributeValues
4. Prevention of creation of new attributes/values on a prior created then deactivated namespace
5. Provision of parent or child state in GET responses beyond that of the resource requested (i.e. namespace & value state are not given in a GET for an attribute, even though the attribute's state is given)

---------

Co-authored-by: Ryan Schumacher <jschumacher@virtru.com>
@jrschumacher jrschumacher modified the milestones: Finalize protos and SDK , Platform hardening Mar 6, 2024
@jrschumacher jrschumacher mentioned this issue Mar 6, 2024
Open
@jrschumacher
Copy link
Member Author

With this work, we will need to see how to remain DRY in our DB funcs. The unsafe properties were removed in the update funcs for the time being.

@jrschumacher jrschumacher mentioned this issue Mar 8, 2024
Merged
@jakedoublev
Copy link
Contributor

Unsafe updates should also include:

  1. reactivation (probably without cascades, but could be discussed)
  2. attribute definition update with full replacement of values order on an attribute (enabled by feat(policy): preserve values order within an attribute #496), which will require validation that the supplied list of value UUIDs contains only ids for values on that attribute and that the quantity includes all values under the definition (both active & inactive)

@jakedoublev jakedoublev self-assigned this Apr 29, 2024
@jakedoublev
Copy link
Contributor

Moved back to todo and unassigned myself as other priorities consistently took precedence this week.

@jakedoublev jakedoublev removed their assignment May 3, 2024
@jrschumacher jrschumacher self-assigned this May 21, 2024
@jrschumacher jrschumacher reopened this May 21, 2024
tech-guru42 added a commit to tech-guru42/TDF that referenced this issue Jun 3, 2024
@tech-guru42 @jrschumacher
feat(policy): add soft-delete/deactivation to namespaces, attribute d…
dcca38c 
…efinitions, attribute values #96 #108 (#191)

This work encompasses the following (including multiple breaking changes):
1. Tables `namespaces`, `attribute_definitions`, `attribute_values` updated via migration to add `active` boolean state
2. cascading deactivation from namespace -> attr -> values (in DB implementation via SQL trigger function provided in migration up/down)
3. integration tests:
    - cascading behavior ns -> attr -> val
    - integration tests proving no deactivation bubbling up behavior val -> attr -> ns
4. protos:
    - updated to provide a state enum back on all 3 resources (with helpful comments about defaults)
    - new example grpcurl requests/responses with these updates
    - all three LIST rpc's filterable by state as a common Message type (including an ANY enum option that returns both active TRUE and FALSE rows) and defaulting to ACTIVE if not specified
5. preservation of DB delete functionality/tests which will be exposed in newly separate rpc's

This PR does _not_ include:
1. Unsafe RPCs for actual deletion: opentdf/platform#115
2. Unsafe RPCs for dangerous mutations (same issue)
3. Prevention of update mutation of INACTIVE namespaces/attributes/attributeValues
4. Prevention of creation of new attributes/values on a prior created then deactivated namespace
5. Provision of parent or child state in GET responses beyond that of the resource requested (i.e. namespace & value state are not given in a GET for an attribute, even though the attribute's state is given)

---------

Co-authored-by: Ryan Schumacher <jschumacher@virtru.com>
passion-127 added a commit to passion-127/TDF that referenced this issue Jun 6, 2024
@passion-127 @jrschumacher
feat(policy): add soft-delete/deactivation to namespaces, attribute d…
27491dc 
…efinitions, attribute values #96 #108 (#191)

This work encompasses the following (including multiple breaking changes):
1. Tables `namespaces`, `attribute_definitions`, `attribute_values` updated via migration to add `active` boolean state
2. cascading deactivation from namespace -> attr -> values (in DB implementation via SQL trigger function provided in migration up/down)
3. integration tests:
    - cascading behavior ns -> attr -> val
    - integration tests proving no deactivation bubbling up behavior val -> attr -> ns
4. protos:
    - updated to provide a state enum back on all 3 resources (with helpful comments about defaults)
    - new example grpcurl requests/responses with these updates
    - all three LIST rpc's filterable by state as a common Message type (including an ANY enum option that returns both active TRUE and FALSE rows) and defaulting to ACTIVE if not specified
5. preservation of DB delete functionality/tests which will be exposed in newly separate rpc's

This PR does _not_ include:
1. Unsafe RPCs for actual deletion: opentdf/platform#115
2. Unsafe RPCs for dangerous mutations (same issue)
3. Prevention of update mutation of INACTIVE namespaces/attributes/attributeValues
4. Prevention of creation of new attributes/values on a prior created then deactivated namespace
5. Provision of parent or child state in GET responses beyond that of the resource requested (i.e. namespace & value state are not given in a GET for an attribute, even though the attribute's state is given)

---------

Co-authored-by: Ryan Schumacher <jschumacher@virtru.com>
@jakedoublev jakedoublev mentioned this issue Jun 10, 2024
Merged
35 tasks
@cassandrabailey293 cassandrabailey293 removed this from the Platform hardening milestone Jun 11, 2024
@jakedoublev
Copy link
Contributor

jakedoublev commented Jun 18, 2024
edited
Loading

Namespaces

  • reactivate (no cascade)
  • update name (and fqn)
  • delete (cascading)

Definitions

  • reactivate (no cascade)
  • update name (and fqn)
  • update rule
  • reorder values
  • delete (cascading)

Values

  • reactivate
  • update value (and fqn)
  • delete

@jakedoublev jakedoublev mentioned this issue Jun 18, 2024
Merged
@jakedoublev
Copy link
Contributor

Out of scope: audit events for unsafe policy events, which will be handled in a separate issue to follow.

@jakedoublev jakedoublev mentioned this issue Jun 18, 2024
Closed
github-merge-queue bot pushed a commit that referenced this issue Jun 18, 2024
@jakedoublev
feat(policy): add unsafe service protos and unsafe service proto Go g…
55cc045 
…encode (#1003)

First PR related to #115
@jakedoublev jakedoublev mentioned this issue Jun 19, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Jun 20, 2024
@jakedoublev
feat(policy): service stubs and registration for unsafe service (#1009)
9145491 
PR Number 2 for #115
This was referenced Jun 21, 2024
Merged
Merged
Closed
github-merge-queue bot pushed a commit that referenced this issue Jul 1, 2024
@jakedoublev
feat(policy): add unsafe attribute RPC db connectivity (#1022)
fbc02f3 
3rd PR for #115 

 - [x] reactivate (no cascade down)
 - [x] update definition name (and upsert fqn)
- [x] upsert name fqn changes from namespaces down and from attribute
definition down to values
 - [X] update rule (changes access)
 - [x] reorder of values (changes hierarchy)
 - [x] delete (cascading)
github-merge-queue bot pushed a commit that referenced this issue Jul 1, 2024
@jakedoublev
feat(policy): attribute values unsafe actions db connectivity (#1030)
4a30426 
PR Number 4 related to #115
This was referenced Jul 1, 2024
Merged
Merged
Merged
github-merge-queue bot pushed a commit that referenced this issue Jul 2, 2024
@jakedoublev @dmihalcik-virtru
fix(policy): rename unsafe rpcs for aligned casbin action determinati…
7861e4a 
…on (#1067)

5th PR for #115 

Makes all RPC names on the unsafe services also start with Update to
drive the casbin action definition matching logic:
[main/service/internal/auth/authn.go#L289-L290](https://github.com/opentdf/platform/blob/main/service/internal/auth/authn.go?rgh-link-date=2024-07-02T00%3A18%3A56Z#L289-L290)

Splitting out from #1066 due to the need to publish `/protocol/go`
module dependency for consumption upstream in `service` and `sdk`
modules.

---------

Co-authored-by: David Mihalcik <dmihalcik@virtru.com>
@jakedoublev jakedoublev mentioned this issue Jul 2, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Jul 2, 2024
@jakedoublev
feat(sdk): support unsafe policy service in SDK (#1076)
ca88554 
Relates to #115
github-merge-queue bot pushed a commit that referenced this issue Jul 2, 2024
@jakedoublev
feat(policy): register unsafe service in platform (#1066)
b7796cd 
Relates to #115 

Closes #115 

Drives authorization with existing casbin action definition matching
logic:
https://github.com/opentdf/platform/blob/main/service/internal/auth/authn.go#L289-L290

Middleware casbin tests (with local `test-admin` client given the
`admin` role for validation):

```shell
time=2024-07-01T17:16:31.618-07:00 level=INFO msg="enforcing policy" subject=role:admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:16:31.618-07:00 level=WARN msg="permission denied" azp=b007dc27-e9a5-493b-8d2d-b26a92a6752c error="permission denied"
```

```shell
time=2024-07-01T17:18:08.028-07:00 level=INFO msg="enforcing policy" subject=role:standard resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:18:08.028-07:00 level=WARN msg="permission denied" azp=d8949062-977b-498a-a640-61865d633121 error="permission denied"
```

```shell
time=2024-07-01T17:18:30.518-07:00 level=INFO msg="enforcing policy" subject=role:org-admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:18:30.519-07:00 level=DEBUG msg=sql sql="SELECT opentdf_policy.attribute_namespaces.id, opentdf_policy.attribute_namespaces.name, opentdf_policy.attribute_namespaces.active, JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', metadata->'labels', 'created_at', created_at, 'updated_at', updated_at)) AS metadata, opentdf_policy.attribute_fqns.fqn FROM opentdf_policy
.....
```
jakedoublev added a commit that referenced this issue Jul 7, 2024
@jakedoublev
feat(sdk): support unsafe policy service in SDK (#1076)
60f36c4 
Relates to #115
jakedoublev added a commit that referenced this issue Jul 7, 2024
@jakedoublev
feat(policy): register unsafe service in platform (#1066)
49a6826 
Relates to #115 

Closes #115 

Drives authorization with existing casbin action definition matching
logic:
https://github.com/opentdf/platform/blob/main/service/internal/auth/authn.go#L289-L290

Middleware casbin tests (with local `test-admin` client given the
`admin` role for validation):

```shell
time=2024-07-01T17:16:31.618-07:00 level=INFO msg="enforcing policy" subject=role:admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:16:31.618-07:00 level=WARN msg="permission denied" azp=b007dc27-e9a5-493b-8d2d-b26a92a6752c error="permission denied"
```

```shell
time=2024-07-01T17:18:08.028-07:00 level=INFO msg="enforcing policy" subject=role:standard resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:18:08.028-07:00 level=WARN msg="permission denied" azp=d8949062-977b-498a-a640-61865d633121 error="permission denied"
```

```shell
time=2024-07-01T17:18:30.518-07:00 level=INFO msg="enforcing policy" subject=role:org-admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe
time=2024-07-01T17:18:30.519-07:00 level=DEBUG msg=sql sql="SELECT opentdf_policy.attribute_namespaces.id, opentdf_policy.attribute_namespaces.name, opentdf_policy.attribute_namespaces.active, JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', metadata->'labels', 'created_at', created_at, 'updated_at', updated_at)) AS metadata, opentdf_policy.attribute_fqns.fqn FROM opentdf_policy
.....
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jakedoublev jakedoublev

Labels
comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(policy): register unsafe service in platform opentdf/platform
4 participants
@jrschumacher @strantalis @cassandrabailey293 @jakedoublev