  1. Data Management
  2. DM-34781

Add special RSP authorization for Portal admin access


    Details

    • Type: Story
    • Status: Reviewed
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: gafaelfawr, SUIT
    • Labels:
      None
    • Team:
      Portal
    • Urgent?:
      No

      Description

      The Portal has a few internal status-monitoring endpoints which are frequently useful when debugging operational issues. Currently these endpoints are protected by HTTPS basic authentication and require a user to know a set of credentials which are not all that easy to determine and which vary from RSP instance to instance.

      Loi Ly and I talked about this today for a while and we have a suggestion to try out on Russ Allbery:

      Can we put these endpoints behind a different authorization capability - a new portal:admin one the existing general RSP admin capability - and just remove Firefly's own use of basic authentication on them?

      This way we could just grant portal:admin admin rights to the appropriate set of people (via our usual group-membership schemes) and no further dedicated authentication would be needed.

      Loi Ly says that the Authentication-Basic control on these endpoints could be removed with a configuration parameter change.


      Update: We are using this ticket for the Portal/Firefly work and DM-35495 for the RSP deployment updates needed to apply the change in practice.

            Activity

            gpdf Gregory Dubois-Felsmann added a comment -

            Discussed at 2022-05-12 RSP Ops meeting and SQuaRE co-work. General direction approved. Suggested that this ticket be used by IPAC to do the Firefly-side work of removing separate A&A for the Portal admin endpoints. SQuaRE (Russ Allbery) will create another ticket for setting up the protected ingress route(s) (or, perhaps, do it without a ticket). Team changed to "Portal" accordingly.

            Completing the present ticket requires IPAC to deliver a release of a Portal application that has the admin A&A turned on by default, but able to be turned off by configuration in the deployment chart, and to inform Russ Allbery of the specific endpoint(s) that require protection.

            As discussed at the meetings, authorization will be based on the existing general RSP admin role, not a new Portal-specific one. Trey Roby and Loi Ly will need to have this role.

            gpdf Gregory Dubois-Felsmann added a comment -

            Represented on the Firefly side by FIREFLY-1002 and PR #1231. Expected in the July Firefly release.

            gpdf Gregory Dubois-Felsmann added a comment -

            FIREFLY-1002 is marked done. This will be in the 2022.2 Firefly release, which will be under test in the RSP in the next few days.

            rra Russ Allbery added a comment -

            SQuaRE work on this is being tracked in DM-35495.

            gpdf Gregory Dubois-Felsmann added a comment -

            In that case, we should probably have a Portal-team member as the assignee on this ticket, for the record. Loi Ly?

            rra Russ Allbery added a comment -

            Reviewed and looks good to me.

            gpdf Gregory Dubois-Felsmann added a comment -

            Same here. Verified both the accept and reject behaviors.

            gpdf Gregory Dubois-Felsmann added a comment -

            Looks good in test build; awaiting only production deployment.


              People

              Assignee:
              loi Loi Ly
              Reporter:
              gpdf Gregory Dubois-Felsmann
              Watchers:
              Frossie Economou, Gregory Dubois-Felsmann, Loi Ly, Russ Allbery, Trey Roby