Improvement/arsn 362 implicit deny #2181
Conversation
As the evaluateAllPolicies function is using the result of the standardEvaluateAllPolicies , the redundant tests are removed. The test that was kept is only to show that we use the result.verdict in old flow evaluation.
Hello benzekrimaha,My role is to assist you with the merge of this Status report is not available. |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
|
ping |
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
|
/create_integration_branches |
Integration data createdI have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
You can set option The following options are set: create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_integration_branches |
|
@bert-e create_pull_requests |
Integration data createdI have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
Follow integration pull requests if you would like to be notified of The following options are set: create_pull_requests, create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_pull_requests, create_integration_branches |
|
ping |
| allPolicies: any[], | ||
| log: Logger, | ||
| ): { | ||
| verdict: string; |
There was a problem hiding this comment.
After a discussion about this some time ago with William maybe in a PR (I can't find the ref) it was about returning a single state string like ImplicitDeny or ExplicitDeny rather than an object with a boolean, to make it simpler and more visual, forcing to handle all states explicitly. There could have been reasons to stick to using a boolean maybe for backward-compatibility, since I'm not aware of this just want to make sure it was a conscious decision.
There was a problem hiding this comment.
I indeed found the comment you are refering to here : https://github.com/scality/citadel/pull/165#discussion_r1276904304
I'm looping @williamlardier in for more insight on this
There was a problem hiding this comment.
Yes, this is for backward compatibility, that we use the boolean, given that we want to keep both flows. With a boolean, we can minimize the changes applied to our code base.
But our last discussion was about the request contexts responses (i.e., in Vault), not the internal logic. The request context API must be updated as stated in the design, but the evaluation logic can stay like that, unless we see benefits of having a uniform authz result starting at Arsenal level (maybe by creating a new typescript type or enum). Then in cloudserver we can check the authz result using string comparisons, and update the functions here (and associated tests).
As discussed with Maha already, if we want to deviate from the design (with good reasons), we must update the design. Here, the current code looks compatible with it, but I think having a unified implementation would be better indeed. It will require creating the new authz types in arsenal, update the functions, and then reuse them in Vault/Cloudserver.
|
@bert-e approve |
In the queueThe changeset has received all authorizations and has been added to the The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once IMPORTANT Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a The following options are set: approve, create_pull_requests, create_integration_branches |
|
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue ARSN-362. Goodbye benzekrimaha. |
Opened after closed PR here
Adds ImplicitDeny logic to policy checks, where an ImplicitDeny will be sent back in case no policy validates an action, but does not explicitly Deny it either, allowing for bucket policies and other authorization mechanisms to grant permission.
Part of the bucket policy redo epic: https://scality.atlassian.net/jira/software/c/projects/OS/boards/214?selectedIssue=S3C-7756
Green build in Vault and CS:
https://github.com/scality/Vault/actions/runs/6694175632/job/18186886853?pr=2135
https://github.com/scality/cloudserver/actions/runs/6693681174/job/18185346914?pr=5322
Would appreciate reviews on Integration branches as well
Arsenal version has been bumped lastly