mirror of
https://github.com/zitadel/zitadel.git
synced 2025-03-01 17:04:22 +00:00
3f6ea78c87
# Which Problems Are Solved Currently ZITADEL defines organization and instance member roles and permissions in defaults.yaml. The permission check is done on API call level. For example: "is this user allowed to make this call on this org". This makes sense on the V1 API where the API is permission-level shaped. For example, a search for users always happens in the context of the organization. (Either the organization the calling user belongs to, or through member ship and the x-zitadel-orgid header. However, for resource based APIs we must be able to resolve permissions by object. For example, an IAM_OWNER listing users should be able to get all users in an instance based on the query filters. Alternatively a user may have user.read permissions on one or more orgs. They should be able to read just those users. # How the Problems Are Solved ## Role permission mapping The role permission mappings defined from `defaults.yaml` or local config override are synchronized to the database on every run of `zitadel setup`: - A single query per **aggregate** builds a list of `add` and `remove` actions needed to reach the desired state or role permission mappings from the config. - The required events based on the actions are pushed to the event store. - Events define search fields so that permission checking can use the indices and is strongly consistent for both query and command sides. The migration is split in the following aggregates: - System aggregate for for roles prefixed with `SYSTEM` - Each instance for roles not prefixed with `SYSTEM`. This is in anticipation of instance level management over the API. ## Membership Current instance / org / project membership events now have field table definitions. Like the role permissions this ensures strong consistency while still being able to use the indices of the fields table. A migration is provided to fill the membership fields. ## Permission check I aimed keeping the mental overhead to the developer to a minimal. The provided implementation only provides a permission check for list queries for org level resources, for example users. In the `query` package there is a simple helper function `wherePermittedOrgs` which makes sure the underlying database function is called as part of the `SELECT` query and the permitted organizations are part of the `WHERE` clause. This makes sure results from non-permitted organizations are omitted. Under the hood: - A Pg/PlSQL function searches for a list of organization IDs the passed user has the passed permission. - When the user has the permission on instance level, it returns early with all organizations. - The functions uses a number of views. The views help mapping the fields entries into relational data and simplify the code use for the function. The views provide some pre-filters which allow proper index usage once the final `WHERE` clauses are set by the function. # Additional Changes # Additional Context Closes #9032 Closes https://github.com/zitadel/zitadel/issues/9014 https://github.com/zitadel/zitadel/issues/9188 defines follow-ups for the new permission framework based on this concept.
135 lines
4.4 KiB
Go
135 lines
4.4 KiB
Go
package setup
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
_ "embed"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/database"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
|
"github.com/zitadel/zitadel/internal/repository/permission"
|
|
)
|
|
|
|
var (
|
|
//go:embed sync_role_permissions.sql
|
|
getRolePermissionOperationsQuery string
|
|
)
|
|
|
|
// SyncRolePermissions is a repeatable step which synchronizes the InternalAuthZ
|
|
// RolePermissionMappings from the configuration to the database.
|
|
// This is needed until role permissions are manageable over the API.
|
|
type SyncRolePermissions struct {
|
|
eventstore *eventstore.Eventstore
|
|
rolePermissionMappings []authz.RoleMapping
|
|
}
|
|
|
|
func (mig *SyncRolePermissions) Execute(ctx context.Context, _ eventstore.Event) error {
|
|
if err := mig.executeSystem(ctx); err != nil {
|
|
return err
|
|
}
|
|
return mig.executeInstances(ctx)
|
|
}
|
|
|
|
func (mig *SyncRolePermissions) executeSystem(ctx context.Context) error {
|
|
logging.WithFields("migration", mig.String()).Info("prepare system role permission sync events")
|
|
|
|
target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, true)
|
|
cmds, err := mig.synchronizeCommands(ctx, "SYSTEM", target)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
events, err := mig.eventstore.Push(ctx, cmds...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
logging.WithFields("migration", mig.String(), "pushed_events", len(events)).Info("pushed system role permission sync events")
|
|
return nil
|
|
}
|
|
|
|
func (mig *SyncRolePermissions) executeInstances(ctx context.Context) error {
|
|
instances, err := mig.eventstore.InstanceIDs(
|
|
ctx,
|
|
eventstore.NewSearchQueryBuilder(eventstore.ColumnsInstanceIDs).
|
|
OrderDesc().
|
|
AddQuery().
|
|
AggregateTypes(instance.AggregateType).
|
|
EventTypes(instance.InstanceAddedEventType).
|
|
Builder().
|
|
ExcludeAggregateIDs().
|
|
AggregateTypes(instance.AggregateType).
|
|
EventTypes(instance.InstanceRemovedEventType).
|
|
Builder(),
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, false)
|
|
for i, instanceID := range instances {
|
|
logging.WithFields("instance_id", instanceID, "migration", mig.String(), "progress", fmt.Sprintf("%d/%d", i+1, len(instances))).Info("prepare instance role permission sync events")
|
|
cmds, err := mig.synchronizeCommands(ctx, instanceID, target)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
events, err := mig.eventstore.Push(ctx, cmds...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logging.WithFields("instance_id", instanceID, "migration", mig.String(), "pushed_events", len(events)).Info("pushed instance role permission sync events")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// synchronizeCommands checks the current state of role permissions in the eventstore for the aggregate.
|
|
// It returns the commands required to reach the desired state passed in target.
|
|
// For system level permissions aggregateID must be set to `SYSTEM`,
|
|
// else it is the instance ID.
|
|
func (mig *SyncRolePermissions) synchronizeCommands(ctx context.Context, aggregateID string, target database.Map[[]string]) (cmds []eventstore.Command, err error) {
|
|
aggregate := permission.NewAggregate(aggregateID)
|
|
err = mig.eventstore.Client().QueryContext(ctx, func(rows *sql.Rows) error {
|
|
for rows.Next() {
|
|
var operation, role, perm string
|
|
if err := rows.Scan(&operation, &role, &perm); err != nil {
|
|
return err
|
|
}
|
|
logging.WithFields("aggregate_id", aggregateID, "migration", mig.String(), "operation", operation, "role", role, "permission", perm).Debug("sync role permission")
|
|
switch operation {
|
|
case "add":
|
|
cmds = append(cmds, permission.NewAddedEvent(ctx, aggregate, role, perm))
|
|
case "remove":
|
|
cmds = append(cmds, permission.NewRemovedEvent(ctx, aggregate, role, perm))
|
|
}
|
|
}
|
|
return rows.Close()
|
|
|
|
}, getRolePermissionOperationsQuery, aggregateID, target)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return cmds, err
|
|
}
|
|
|
|
func (*SyncRolePermissions) String() string {
|
|
return "repeatable_sync_role_permissions"
|
|
}
|
|
|
|
func (*SyncRolePermissions) Check(lastRun map[string]interface{}) bool {
|
|
return true
|
|
}
|
|
|
|
func rolePermissionMappingsToDatabaseMap(mappings []authz.RoleMapping, system bool) database.Map[[]string] {
|
|
out := make(database.Map[[]string], len(mappings))
|
|
for _, m := range mappings {
|
|
if system == strings.HasPrefix(m.Role, "SYSTEM") {
|
|
out[m.Role] = m.Permissions
|
|
}
|
|
}
|
|
return out
|
|
}
|