
feat: use different consul service policy rule for service role #4104

Merged

Conversation

jim-wang-intel
Contributor

@jim-wang-intel jim-wang-intel commented Jul 26, 2022

Closes: #3257

Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/main/.github/Contributing.md

PR Checklist

Please check if your PR fulfills the following requirements:

  • [x] I am not introducing a breaking change (if you are, flag in conventional commit message with BREAKING CHANGE: describing the break)
  • [x] I am not introducing a new dependency (add notes below if you are)
  • I have added unit tests for the new feature or bug fix (if not, why?) same unit test for regression and make test still works
  • [x] I have fully tested (add details below) this new feature or bug fix (if not, why?)
  • I have opened a PR for the related docs change (if not, why?)

Testing Instructions

  1. git clone this branch and build security-bootstrapper docker image: make docker_security_bootstrapper

  2. go to the edgex-compose repo and use this locally built image for security-bootstrapper in the docker-compose file, i.e.: make gen dev or run it with make run dev

  3. run it up with docker-compose or make run dev

  4. once the stack is up, please obtain the consul admin token via make get-consul-acl-token; we will use it to verify that policies and tokens were generated by logging into the consul UI and checking them.

  5. Use the consul admin token to log in to consul in any browser at http://localhost:8500

  6. After login, go to the Policy view (click on the Policies hyperlink on the left panel) and check that policies were generated for all services, something like the following:
    [screenshot: consul_policies_per_service]

  7. Then go to the Token view (click on the Tokens hyperlink on the left panel) and check that consul tokens were generated per service policy:
    [screenshot: consul_tokens_per_service]

  8. Now we can test that the key-value store is only accessible to its own service from the kv API's point of view: copy app-http-export's consul token, export it, and then use it to read one of its own keys:

```shell
# use http-export's consul token
export CONSUL_TOKEN=057fcff7-2a4e-15ab-a115-e64cda7f28b9
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X GET "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host"
```

```
[{"LockIndex":0,"Key":"edgex/appservices/2.0/app-http-export/Database/Host","Flags":0,"Value":"ZWRnZXgtcmVkaXM=","CreateIndex":548,"ModifyIndex":548}]
```

as we can see, its own consul token works for kv read; now we can also test kv write for its own key:

```shell
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X PUT "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host" -d 'test consul'
```

```
true
```

  9. Now we use a different consul token from another service to test whether kv read is restricted:

```shell
export CONSUL_TOKEN=3c7f7fd0-7170-4c8a-4c4c-f36f5a672f15
# try to read app-http-export:
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X GET "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host"
```

```
Permission denied: token with AccessorID '154e821e-325b-2681-a45f-6e3ca6141b77' lacks permission 'key:read' on "edgex/appservices/2.0/app-http-export/Database/Host"
```

so kv read is denied when we use another service's consul token to read it.

  10. And we can also test kv write using the other consul token:

```shell
curl -H "X-Consul-Token:${CONSUL_TOKEN}" -X PUT "http://localhost:8500/v1/kv/edgex/appservices/2.0/app-http-export/Database/Host" -d 'edgex-redis'
```

```
Permission denied: token with AccessorID '154e821e-325b-2681-a45f-6e3ca6141b77' lacks permission 'key:write' on "edgex/appservices/2.0/app-http-export/Database/Host"
```

again, the kv write permission is denied, as we intended.

New Dependency Instructions (If applicable)

Closes: edgexfoundry#3257

Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
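The testing instructions above show the intended outcome of a per-service Consul ACL policy: a service's own token can read and write under its own key prefix, while another service's token is denied both. The following Go program is an added example, not code from this PR or from edgex-go. It renders a per-service `key_prefix` rule in Consul's HCL syntax and simulates Consul's longest-prefix authorization so the allow/deny outcomes can be checked offline. The key layout `edgex/<group>/2.0/<service>/` is an assumption taken from the key path in the instructions (the PR discussion notes that the real prefix structure is dynamic); the accessor IDs and the second service name are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// policyRank orders Consul ACL policy levels; "write" implies "read".
var policyRank = map[string]int{"deny": 0, "read": 1, "write": 2}

// ServiceKeyPrefix returns the KV prefix a service owns. The layout
// "edgex/<group>/2.0/<service>/" is an ASSUMPTION for this example, taken
// from the key path used in the PR's testing instructions; the real
// security-bootstrapper may derive it differently.
func ServiceKeyPrefix(group, service string) string {
	return fmt.Sprintf("edgex/%s/2.0/%s/", group, service)
}

// ServicePolicyRule renders one per-service Consul ACL rule in HCL syntax.
// The trailing slash in the prefix matters: without it, "app-http-export"
// would also match a hypothetical "app-http-export-v2" subtree.
func ServicePolicyRule(group, service string) string {
	return fmt.Sprintf("key_prefix %q {\n  policy = \"write\"\n}\n",
		ServiceKeyPrefix(group, service))
}

// Token is a simplified view of a Consul token: its accessor ID and the
// key_prefix rules granted by the policy bound to it.
type Token struct {
	AccessorID string
	Rules      map[string]string // key prefix -> "read" | "write" | "deny"
}

// Authorize mimics how Consul resolves a key operation against key_prefix
// rules: the longest matching prefix decides, and an unmatched key is
// denied, which is the default-deny behaviour the PR's "Permission denied"
// output shows. op is "read" or "write".
func Authorize(tok Token, op, key string) (bool, string) {
	bestLen, bestPolicy := -1, "deny"
	for prefix, pol := range tok.Rules {
		if strings.HasPrefix(key, prefix) && len(prefix) > bestLen {
			bestLen, bestPolicy = len(prefix), pol
		}
	}
	if policyRank[bestPolicy] >= policyRank[op] {
		return true, ""
	}
	return false, fmt.Sprintf(
		"Permission denied: token with AccessorID '%s' lacks permission 'key:%s' on %q",
		tok.AccessorID, op, key)
}

func main() {
	// Constructed sample tokens; accessor IDs and "another-service" are placeholders.
	own := Token{
		AccessorID: "<accessor-id-of-app-http-export>",
		Rules:      map[string]string{ServiceKeyPrefix("appservices", "app-http-export"): "write"},
	}
	other := Token{
		AccessorID: "<accessor-id-of-another-service>",
		Rules:      map[string]string{ServiceKeyPrefix("appservices", "another-service"): "write"},
	}
	key := "edgex/appservices/2.0/app-http-export/Database/Host"

	fmt.Print(ServicePolicyRule("appservices", "app-http-export"))
	for _, tc := range []struct {
		name string
		tok  Token
	}{{"own token", own}, {"other service's token", other}} {
		for _, op := range []string{"read", "write"} {
			ok, msg := Authorize(tc.tok, op, key)
			fmt.Printf("%-22s key:%-5s allowed=%v %s\n", tc.name, op, ok, msg)
		}
	}
}
```

Running it prints the generated rule followed by four decisions that match the curl results in the instructions: own-token read and write allowed, other-token read and write denied with a `key:read` / `key:write` message. The simulator also shows why the prefix should end in a slash: a token for `app-http-export` must not be able to read a sibling tree such as `app-http-export-v2`.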
Member

@lenny-goodell lenny-goodell left a comment


LGTM, but not expert in this area. Will defer to @bnevis-i

@bnevis-i bnevis-i marked this pull request as draft July 27, 2022 17:57
@bnevis-i bnevis-i added the hold Intended for PRs we want to flag for ongoing review label Jul 27, 2022
@jim-wang-intel
Contributor Author

Discussed with Bryon, @bnevis-i and we put this on hold in draft because there is no clean way to determine the dynamic structure for key-prefix from security-bootstrapper point of view:

[screenshot: key_value_structure]

…gent related access rights

Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
@jim-wang-intel jim-wang-intel removed the hold Intended for PRs we want to flag for ongoing review label Jul 27, 2022
@jim-wang-intel jim-wang-intel marked this pull request as ready for review July 27, 2022 21:52
internal/constants.go (review thread, outdated, resolved)
Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
@sonarcloud

sonarcloud bot commented Jul 28, 2022

SonarCloud Quality Gate passed.

  • Bugs: 0 (A)
  • Vulnerabilities: 0 (A)
  • Security Hotspots: 0 (A)
  • Code Smells: 1 (A)
  • Coverage: no coverage information
  • Duplication: 0.0%

Member

@lenny-goodell lenny-goodell left a comment


LGTM, deferring to @bnevis-i for final approval

Collaborator

@bnevis-i bnevis-i left a comment


LGTM. Does exactly what I expect it to do.

@jim-wang-intel jim-wang-intel merged commit 85bfaaf into edgexfoundry:main Jul 28, 2022
@jim-wang-intel jim-wang-intel deleted the consul-policy-per-service-role branch July 29, 2022 00:00
Labels: enhancement (New feature or request), levski (fall 2022 release), security-services

Projects: None yet

Development: Successfully merging this pull request may close these issues.

  • [Secure Consul Ph. 3] Create ACL Policies and Roles for all services and per EdgeX service

3 participants