Adapt SwDD for authorization #346

Open
wants to merge 10 commits into
base: main
2 changes: 1 addition & 1 deletion Cargo.lock

207 changes: 202 additions & 5 deletions agent/doc/swdesign/README.md
Contributor

@inf17101 inf17101 Aug 14, 2024

I suggest describing the Authorizer object in the design decisions at the top of this README and then using the tag -Authorizer in the swdds.

Next, the swdd swdd~agent-compares-control-interface-metadata~1, which I have created within the refactoring of ControlInterface PR #345, must be extended to include the comparison of the Authorizers (it is compared when updating a workload according to swdd~agent-workload-obj-update-command~1). This is because the previous Authorization PR #22 has made changes inside the workload.rs update logic.

Contributor Author

I have made the requested changes.

Expand Up @@ -84,6 +84,11 @@ Stores information which the Agent gets from the Server. Currently the storage s

The ControlInterface is responsible for setting up the communication interface between a workload and the Ankaios agent. It translates between the provided to the workload pipes and the internal Ankaios communication channels.

### Authorizer

The Authorizer checks for every request send from a workload to the Ankaios agent,
if the workload is allowed to execute this request.

### RuntimeConnectorInterfaces

This is not really a component but a collection of traits that define the "requirements" towards specific runtime connectors s.t. they can be used by Ankaios. The following three traits specify the interface of the connectors where for one of them (state checker) a reusable default implementation is provided:
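
Review bot: The new Authorizer paragraph states that every request is checked but not what happens when the check fails, so the component description does not match the requirements added further down in this PR. It also has "request send" where "request sent" is meant. Suggested wording: "The Authorizer checks, for every request sent from a workload to the Ankaios agent, whether the workload is allowed to execute this request. Denied requests are answered with an error response and are not forwarded to the Ankaios server."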
Expand Down Expand Up @@ -914,11 +919,14 @@ Needs:
- utest

##### Workload compares control interface metadata
`swdd~agent-compares-control-interface-metadata~1`
`swdd~agent-compares-control-interface-metadata~2`

Status: approved

When the WorkloadObject is triggered to compare its existing control interface metadata with the updated metadata, the Workload shall compare the existing file path with the new file path of the control interface.
When the WorkloadObject is triggered to compare its existing control interface metadata with the updated metadata, the Workload shall compare the control inferface's:

* file path
* authorizer

Tags:
- Workload
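
Review bot: In the `~2` text of `swdd~agent-compares-control-interface-metadata`, the new list item "authorizer" does not say what makes two authorizers equal. Because this comparison is what tells the Workload whether its control interface metadata changed, the requirement should state that the complete set of allow and deny rules is compared, so that a changed rule set is never treated as unchanged. The added sentence also has "control inferface's", which should read "control interface's".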
Expand Down Expand Up @@ -2814,17 +2822,68 @@ Needs:
- impl
- utest

#### Agent forwards Control Interface request fom the pipe to the server
`swdd~agent-forward-request-from-control-interface-pipe-to-server~1`
#### Agent checks Control Interface request for authorization
`swdd~agent-checks-request-for-authorization~1`

Status: approved

When the Ankaios Agents receives a Control Interface request from a Workload, the Ankaios Agent shall check if this Workload is allowed to make this request.

Tags:
- AgentManager
- ControlInterface
- Authorizer

Needs:
- impl
- utest
- stest

#### Agent returns error on denied Control Interface request
`swdd~agent-responses-to-denied-request-from-control-interface~1`

Status: approved

If the Ankaios Agents receives a Control Interface request from a Workload and the request is denied, the Ankaios Agent shall send an error response the corresponding Workloads input pipe.

Tags:
- AgentManager
- ControlInterface
- Authorizer

Needs:
- impl
- utest

#### Error returned on denied Control Interface request contains requst ID
`swdd~agent-responses-to-denied-request-from-control-interface-contains-request-id~1`

Status: approved

When the Ankaios Agents receives a Control Interface request from a Workload, the Ankaios Agent shall forward this request to the Ankaios Server.
When the Ankaios Agents sends a denied request error response to workload,
the response shall contain the same request_id as the denied request.

Tags:
- AgentManager
- ControlInterface
- Authorizer

Needs:
- impl
- utest

#### Agent forwards Control Interface request from the pipe to the server
`swdd~agent-forward-request-from-control-interface-pipe-to-server~2`

Status: approved

When the Ankaios Agents receives a Control Interface request from a Workload and the request is allowed, the Ankaios Agent shall forward this request to the Ankaios Server.

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest
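
Review bot: The Tags list of `swdd~agent-forward-request-from-control-interface-pipe-to-server~2` ends with an empty `-` item where the blank line before "Needs:" used to be; remove the stray item and restore the blank line so the list has exactly the three tags. Two normative sentences in this hunk also need a wording fix: "shall send an error response the corresponding Workloads input pipe" is missing "to" (and should read "Workload's"), and the heading "Error returned on denied Control Interface request contains requst ID" misspells "request". Consider adding `stest` to the Needs of `swdd~agent-responses-to-denied-request-from-control-interface~1`, since the allow path is system tested via `swdd~agent-checks-request-for-authorization~1` while the denial path is only unit tested.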
Expand Down Expand Up @@ -2933,6 +2992,144 @@ Needs:
- impl
- utest

### Authorizing access to the Control Interface

#### Request operations
`swdd~agent-authorizing-request-operations~1`

Status: approved

When the Ankaios Agent checks if a Workload is allowed to make a request,
the Ankaios Agent shall use:

- "read" and "write_read" rules for a CompleteStateRequest.
- "write" and "write_read" rules for a UpdateStateRequest.

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest

#### Request without filter mask
`swdd~agent-authorizing-request-without-filter-mask~1`

Status: approved

When the Ankaios Agent checks if a Workload is allowed to make a request,
a UpdateStateRequest with an empty update mask or a CompleteStateRequest with an empty field mask is only allowed if all of the following is true:

- there is at least one allow rule having an empty String in the filter mask
- there is no deny rule with a non empty filter mask

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest

#### Request allowed if all elements of filter mask are allowed
`swdd~agent-authorizing-all-elements-of-filter-mask-allowed~1`

Status: approved

When the Ankaios Agent checks if a Workload is allowed to make a request
and all entries of the update/field mask are allowed,
the Ankaios Agent shall allow the request.

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest

#### Conditions for element of filter mask being allowed
`swdd~agent-authorizing-condition-element-filter-mask-allowed~1`

Status: approved

When the Ankaios Agent checks an individual entry of the update/field mask of an request,
the Ankaios Agent shall allow this element if all of the following is true:

- there is at least one allow rule with a filter mask entry matching the update/field mask entry
- there is no deny rule with a filter mask entry matching the update/field mask entry

Tags:
- AgentManager
- ControlInterface
- Authorizer

Needs:
- impl
- utest

#### Matching of allow rules
`swdd~agent-authorizing-matching-allow-rules~1`

Status: approved

When the Ankaios Agent checks if an individual entry of the update/field mask of an request matches an individual entry of the filter mask of an allow rule, the Ankaios Agent shall consider them matching if all segments of the allow rule's filter mask match the corresponding segments of the request's update/field mask.

Comment:
An allow rule matches, if it is the same or a prefix of the request's update/field mask.

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest

#### Matching of deny rules
`swdd~agent-authorizing-matching-deny-rules~1`

Status: approved

When the Ankaios Agent checks if an individual entry of the update/field mask of an request matches an individual entry of the filter mask of an deny rule, the Ankaios Agent shall consider them matching if all segments of the allow rule's filter mask match the corresponding segments of the request's update/field mask.

Comment:
A deny rule matches, if the request's update/field mask is the same or a prefix of the rule.

Tags:
- AgentManager
- ControlInterface
- Authorizer

Needs:
- impl
- utest

#### Matching of rule elements
`swdd~agent-authorizing-matching-rules-elements~1`

Status: approved

When the Ankaios Agent checks if one segment of an individual entry of the update/field mask of an request matches on segment an individual entry of the filter mask of an deny rule,
it shall consider them matching if one of the following is true:

- both segments are the same
- the segment of the rule entry is the wildcards symbol "*"

Tags:
- AgentManager
- ControlInterface
- Authorizer
-
Needs:
- impl
- utest

## Data view

## Error management view
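
Review bot: In `swdd~agent-authorizing-matching-deny-rules~1` the normative sentence is a copy of the allow rule text ("if all segments of the allow rule's filter mask match the corresponding segments of the request's update/field mask") and contradicts its own comment, which says a deny rule matches when the request's mask is the same as or a prefix of the rule. As written, an implementation following the sentence would not deny a request for a parent path of a denied entry. Reword it to "if all segments of the request's update/field mask match the corresponding segments of the deny rule's filter mask". Related points in the same hunk: `swdd~agent-authorizing-matching-rules-elements~1` names only "an deny rule" although the segment comparison, including the "*" wildcard, is used by allow rules as well, and "matches on segment an individual entry" should read "matches one segment of an individual entry"; `swdd~agent-authorizing-request-without-filter-mask~1` excludes only deny rules "with a non empty filter mask", so the effect of a deny rule with an empty filter mask should be stated explicitly. Several Tags lists here also end with an empty `-` item directly before "Needs:".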