Rename UserUID to PrincipalUID, make Extras an entity

Signed-off-by: Micah Hausler <mhausler@amazon.com>
micahhausler · Nov 5, 2024 · e8283f8 · e8283f8
1 parent cc8c0af
commit e8283f8
Show file tree

Hide file tree

Showing 9 changed files with 114 additions and 89 deletions.
diff --git a/cedarschema/k8s-authorization.cedarschema b/cedarschema/k8s-authorization.cedarschema
@@ -1,8 +1,4 @@
 namespace k8s {
-	type Extra = {
-		"key": __cedar::String,
-		"values"?: Set < __cedar::String >
-	};
 	type FieldRequirement = {
 		"key": __cedar::String,
 		"op": __cedar::String,
@@ -13,6 +9,10 @@ namespace k8s {
 		"operator": __cedar::String,
 		"values": Set < __cedar::String >
 	};
+	entity Extra = {
+		"key": __cedar::String,
+		"values"?: Set < __cedar::String >
+	};
 	entity Group;
 	entity Node in [Group] = {
 		"extra"?: Set < Extra >,
@@ -21,6 +21,7 @@ namespace k8s {
 	entity NonResourceURL = {
 		"path": __cedar::String
 	};
+	entity PrincipalUID;
 	entity Resource = {
 		"apiGroup": __cedar::String,
 		"fieldSelector"?: Set < FieldRequirement >,
@@ -39,7 +40,6 @@ namespace k8s {
 		"extra"?: Set < Extra >,
 		"name": __cedar::String
 	};
-	entity UserUID;
 	action "approve" appliesTo {
 		principal: [Group, Node, ServiceAccount, User],
 		resource: [Resource],
@@ -87,7 +87,7 @@ namespace k8s {
 	};
 	action "impersonate" appliesTo {
 		principal: [Group, Node, ServiceAccount, User],
-		resource: [Group, Node, ServiceAccount, User, UserUID],
+		resource: [Extra, Group, Node, PrincipalUID, ServiceAccount, User],
 		context: {}
 	};
 	action "list" in [Action::"readOnly"] appliesTo {

diff --git a/cedarschema/k8s-authorization.cedarschema.json b/cedarschema/k8s-authorization.cedarschema.json
@@ -1,6 +1,24 @@
 {
 	"k8s": {
 		"entityTypes": {
+			"Extra": {
+				"shape": {
+					"type": "Record",
+					"attributes": {
+						"key": {
+							"type": "String",
+							"required": true
+						},
+						"values": {
+							"type": "Set",
+							"required": false,
+							"element": {
+								"type": "String"
+							}
+						}
+					}
+				}
+			},
 			"Group": {
 				"shape": {
 					"type": "Record",
@@ -39,6 +57,12 @@
 					}
 				}
 			},
+			"PrincipalUID": {
+				"shape": {
+					"type": "Record",
+					"attributes": {}
+				}
+			},
 			"Resource": {
 				"shape": {
 					"type": "Record",
@@ -125,12 +149,6 @@
 				"memberOfTypes": [
 					"Group"
 				]
-			},
-			"UserUID": {
-				"shape": {
-					"type": "Record",
-					"attributes": {}
-				}
 			}
 		},
 		"actions": {
@@ -267,11 +285,12 @@
 						"User"
 					],
 					"resourceTypes": [
+						"Extra",
 						"Group",
 						"Node",
+						"PrincipalUID",
 						"ServiceAccount",
-						"User",
-						"UserUID"
+						"User"
 					]
 				}
 			},
@@ -418,22 +437,6 @@
 			}
 		},
 		"commonTypes": {
-			"Extra": {
-				"type": "Record",
-				"attributes": {
-					"key": {
-						"type": "String",
-						"required": true
-					},
-					"values": {
-						"type": "Set",
-						"required": false,
-						"element": {
-							"type": "String"
-						}
-					}
-				}
-			},
 			"FieldRequirement": {
 				"type": "Record",
 				"attributes": {

diff --git a/cedarschema/k8s-full.cedarschema b/cedarschema/k8s-full.cedarschema
@@ -27,10 +27,6 @@ namespace k8s::admission {
 }
 
 namespace k8s {
-	type Extra = {
-		"key": __cedar::String,
-		"values"?: Set < __cedar::String >
-	};
 	type FieldRequirement = {
 		"key": __cedar::String,
 		"op": __cedar::String,
@@ -41,6 +37,10 @@ namespace k8s {
 		"operator": __cedar::String,
 		"values": Set < __cedar::String >
 	};
+	entity Extra = {
+		"key": __cedar::String,
+		"values"?: Set < __cedar::String >
+	};
 	entity Group;
 	entity Node in [Group] = {
 		"extra"?: Set < Extra >,
@@ -49,6 +49,7 @@ namespace k8s {
 	entity NonResourceURL = {
 		"path": __cedar::String
 	};
+	entity PrincipalUID;
 	entity Resource = {
 		"apiGroup": __cedar::String,
 		"fieldSelector"?: Set < FieldRequirement >,
@@ -67,7 +68,6 @@ namespace k8s {
 		"extra"?: Set < Extra >,
 		"name": __cedar::String
 	};
-	entity UserUID;
 	action "approve" appliesTo {
 		principal: [Group, Node, ServiceAccount, User],
 		resource: [Resource],
@@ -115,7 +115,7 @@ namespace k8s {
 	};
 	action "impersonate" appliesTo {
 		principal: [Group, Node, ServiceAccount, User],
-		resource: [Group, Node, ServiceAccount, User, UserUID],
+		resource: [Extra, Group, Node, PrincipalUID, ServiceAccount, User],
 		context: {}
 	};
 	action "list" in [Action::"readOnly"] appliesTo {

diff --git a/cedarschema/k8s-full.cedarschema.json b/cedarschema/k8s-full.cedarschema.json
@@ -10670,6 +10670,24 @@
 	},
 	"k8s": {
 		"entityTypes": {
+			"Extra": {
+				"shape": {
+					"type": "Record",
+					"attributes": {
+						"key": {
+							"type": "String",
+							"required": true
+						},
+						"values": {
+							"type": "Set",
+							"required": false,
+							"element": {
+								"type": "String"
+							}
+						}
+					}
+				}
+			},
 			"Group": {
 				"shape": {
 					"type": "Record",
@@ -10708,6 +10726,12 @@
 					}
 				}
 			},
+			"PrincipalUID": {
+				"shape": {
+					"type": "Record",
+					"attributes": {}
+				}
+			},
 			"Resource": {
 				"shape": {
 					"type": "Record",
@@ -10794,12 +10818,6 @@
 				"memberOfTypes": [
 					"Group"
 				]
-			},
-			"UserUID": {
-				"shape": {
-					"type": "Record",
-					"attributes": {}
-				}
 			}
 		},
 		"actions": {
@@ -10936,11 +10954,12 @@
 						"User"
 					],
 					"resourceTypes": [
+						"Extra",
 						"Group",
 						"Node",
+						"PrincipalUID",
 						"ServiceAccount",
-						"User",
-						"UserUID"
+						"User"
 					]
 				}
 			},
@@ -11087,22 +11106,6 @@
 			}
 		},
 		"commonTypes": {
-			"Extra": {
-				"type": "Record",
-				"attributes": {
-					"key": {
-						"type": "String",
-						"required": true
-					},
-					"values": {
-						"type": "Set",
-						"required": false,
-						"element": {
-							"type": "String"
-						}
-					}
-				}
-			},
 			"FieldRequirement": {
 				"type": "Record",
 				"attributes": {

diff --git a/docs/CedarSchemas.md b/docs/CedarSchemas.md
@@ -222,18 +222,6 @@ other-example-secret   Opaque   1      2d20h   owner=prod-user
 
 To make an impersonated request as another user, Kubernetes sends multiple authorization requests to an authorizer: one for each attribute being impersonated: The user's name, the UID (if set), the groups (if set), and the userInfo extra key/value map (entity tags are [not yet supported in cedar-go](https://github.com/cedar-policy/cedar-go/issues/47)). To support this, we define a few types:
 
-* `UserUID`: To allow impersonating a user's UID, the policy's resource type must be `UserUID`. This only functions if the user can also impersonate the requested username.
-    ```cedarschema
-    entity UserUID;
-    ```
-    Examples:
-    ```cedar
-    permit (
-        principal in k8s::Group::"actors",
-        action == k8s::Action::"impersonate",
-        resource == k8s::UserUID::"26A82C8D-CC8B-49BB-B2CF-070B9CF1A4F8"
-    );
-    ```
 * `Group`. This structure is the same from the principal type. This only functions if the user can also impersonate the requested username.:
     ```cedar
     permit (
@@ -253,6 +241,34 @@ To make an impersonated request as another user, Kubernetes sends multiple autho
         resource.name == "lukeskywaker"
     };
     ```
+* `PrincipalUID`: To allow impersonating a Principal's UID, the policy's resource type must be `PrincipalUID`. This only functions if the user can also impersonate the requested username.
+    ```cedarschema
+    entity PrincipalUID;
+    ```
+    Examples:
+    ```cedar
+    permit (
+        principal in k8s::Group::"actors",
+        action == k8s::Action::"impersonate",
+        resource == k8s::PrincipalUID::"26A82C8D-CC8B-49BB-B2CF-070B9CF1A4F8"
+    );
+    ```
+* `Extra`: To allow impersonating a principal's key/values extra info, the policy's resource type must be `Extra`. This only functions if the user can also impersonate the requested username.
+    ```cedarschema
+    entity PrincipalUID;
+    ```
+    Examples:
+    ```cedar
+    permit (
+        principal in k8s::Group::"actors",
+        action == k8s::Action::"impersonate",
+        resource is k8s::Extra
+    ) when {
+        resource.key == "order" &&
+        resource has values &&
+        ["jedi"].containsAll(resource.values)
+    };
+    ```
 * `ServiceAccount` This structure is the same from the principal type:
    ```cedar
     permit (

diff --git a/internal/schema/authorization.go b/internal/schema/authorization.go
@@ -7,20 +7,20 @@ import (
 )
 
 const (
-	UserUIDEntityName        = "UserUID"
+	PrincipalUIDEntityName   = "PrincipalUID"
 	NonResourceURLEntityName = "NonResourceURL"
 	ResourceEntityName       = "Resource"
 	FieldRequirementName     = "FieldRequirement"
 	LabelRequirementName     = "LabelRequirement"
 
 	AuthorizationActionEntityType = cedartypes.EntityType("k8s::Action")
-	UserUIDEntityType             = cedartypes.EntityType("k8s::" + UserUIDEntityName)
+	PrincipalUIDEntityType        = cedartypes.EntityType("k8s::" + PrincipalUIDEntityName)
 	NonResourceURLEntityType      = cedartypes.EntityType("k8s::" + NonResourceURLEntityName)
 	ResourceEntityType            = cedartypes.EntityType("k8s::" + ResourceEntityName)
 )
 
-// UserUIDEntity returns a Cedar Entity for a UserUID
-func UserUIDEntity() Entity {
+// PrincipalUIDEntity returns a Cedar Entity for a PrincipalUID
+func PrincipalUIDEntity() Entity {
 	return Entity{
 		MemberOfTypes: []string{},
 		Shape: EntityShape{
@@ -218,12 +218,12 @@ func GetAuthorizationActions(principalNs, entityNs, actionNs string) map[string]
 		AppliesTo: ActionAppliesTo{
 			PrincipalTypes: AuthorizationPrincipalTypes(principalNs),
 			ResourceTypes: []string{
-				principalPrefix + UserUIDEntityName,
+				principalPrefix + PrincipalUIDEntityName,
 				principalPrefix + UserPrincipalType,
 				principalPrefix + GroupPrincipalType,
 				principalPrefix + ServiceAccountPrincipalType,
 				principalPrefix + NodePrincipalType,
-				// TODO ExtraInfo
+				principalPrefix + ExtraValuesType,
 			},
 		},
 	}
@@ -240,18 +240,18 @@ func GetAuthorizationNamespace(principalNs, entityNs, actionNs string) CedarSche
 	return CedarSchemaNamespace{
 		Actions: GetAuthorizationActions(principalNs, entityNs, actionNs),
 		EntityTypes: map[string]Entity{
-			UserUIDEntityName:           UserUIDEntity(),
+			PrincipalUIDEntityName:      PrincipalUIDEntity(),
 			UserPrincipalType:           UserEntity(),
 			GroupPrincipalType:          GroupEntity(),
 			ServiceAccountPrincipalType: ServiceAccountEntity(),
 			NodePrincipalType:           NodeEntity(),
 			NonResourceURLEntityName:    NonResourceURLEntity(),
 			ResourceEntityName:          ResourceEntity(),
+			ExtraValuesType:             ExtrasEntity(),
 		},
 		CommonTypes: map[string]EntityShape{
 			FieldRequirementName: FieldRequirementEntityShape(),
 			LabelRequirementName: LabelRequirementEntityShape(),
-			ExtraValuesType:      ExtrasEntityShape(),
 		},
 	}
 }