Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delete builtin_roles #7477

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Delete builtin_roles #7477

wants to merge 2 commits into from

Conversation

david-crespo
Copy link
Contributor

@david-crespo david-crespo commented Feb 4, 2025
edited
Loading

This came up in a meeting with @davepacheco — storing the roles in the DB and letting them be listed through the API is a legacy idea with no practical application that we know of. When I heard that I was curious how much could be deleted.

Fundamentally, all this machinery I've deleted was just in service of the role_view and role_list endpoints, which let you get something like this list:

fleet     admin
fleet     collaborator
fleet     viewer
silo      admin
silo      collaborator
silo      viewer
project   admin
project   collaborator
project   viewer

I think we thought this would be a dynamic list of roles, but all these things are hard-coded. As far as I can tell there is no relationship to the actual authorization system — this is basically just an unrelated copy of that stuff. This claim will (hopefully) borne out by the fact that deleting all this stuff doesn't affect anything else.

@david-crespo
Copy link
Contributor Author

I'll probably want to update this comment too. If the premise of this PR is correct, the comment was wrong to say the role_builtin table is involved in authorization.

omicron/nexus/auth/src/authz/mod.rs

Lines 68 to 115 in ca58574

//! ## Role lookup
//!
//! Users, roles, and API resources are all stored in the database. Naturally,
//! so is the relationship that says a particular user has a particular role for
//! a particular resource.
//!
//! Suppose a built-in user "cookie-monster" has the "viewer" role for a Project
//! "monster-foodies". It looks like this:
//!
//! ```text
//! +---> table: "project"
//! | +-------------------------+-----+
//! | | id | name | ... |
//! | +-------------------------------+
//! | +-> 123 | "monster-foodies" | ... |
//! | | +-------------------------+-----+
//! | |
//! | | table: "user_builtin"
//! | | +------------------------------+
//! | | | id | name | ... |
//! | | +------------------------------|
//! | | | 234 | "cookie-monster" | ... |
//! | | +--^---------------------------+
//! | | |
//! | | +---------------------------------------------------------------+
//! | | |
//! | | table: "role_builtin" |
//! | | primary key: (resource_type, role_name) |
//! | | +---------------+-----------+-----+ |
//! | | | resource_type | role_name | ... | |
//! | | +---------------+-----------+-----+ |
//! +---|-> "project " | "viewer" | ... | |
//! | | +---------------+--^--------+-----+ |
//! | | | |
//! | +-|--------------------+ |
//! | | | |
//! | | | table: "role_assignment" |
//! | | | (assigns built-in roles to users on arbitrary resources) |
//! | | | +---------------+-----------+-------------+-------------+---+ |
//! | | | | resource_type | role_name | resource_id | identity_id |...| |
//! | | | +---------------+-----------+-------------+-------------+---+ |
//! | | | | "project " | "viewer" | 123 | 234 |...| |
//! | | | +--^------------+--^--------+----------^--+-----------^-+---+ |
//! | | | | | | | |
//! +-|-|----+ | | +------------+
//! +-|--------------------+ |
//! +----------------------------------------+
//! ```

davepacheco
davepacheco reviewed Feb 5, 2025
View reviewed changes
schema/crdb/dbinit.sql
Comment on lines -2669 to -2673
* If the set of roles and their permissions are fixed, why store them in the
* database at all? Because what's dynamic is the assignment of roles to users.
* We have a separate table that says "user U has role ROLE on resource
* RESOURCE". How do we represent the ROLE part of this association? We use a
* foreign key into this "role_builtin" table.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a strong feeling either way on the PR overall but this note got me thinking: is there value in having this? It'd probably be better if we actually enforced that the (resource_type, role_name) column in role_assignment were a valid foreign key. Given how static this is today, these could as well be enum values instead. 🤷

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think converting role to an enum would make a lot of sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davepacheco davepacheco davepacheco left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@david-crespo @davepacheco