
Scope operator interaction to namespace #51

@Zerpet

Looking at the RabbitmqClusterReference property in the User kind:

```go
type UserSpec struct {
	// Username of the user to create on a RabbitmqCluster.
	// +kubebuilder:validation:Required
	Name string `json:"name"`
	// List of permissions tags to associate with the user. This determines the level of
	// access to the RabbitMQ management UI granted to the user. Omitting this field will
	// lead to a user that can still connect to the cluster through messaging protocols,
	// but cannot perform any management actions.
	// For more information, see https://www.rabbitmq.com/management.html#permissions.
	Tags []UserTag `json:"tags,omitempty"`
	// Reference to the RabbitmqCluster that the user will be created for. This cluster must
	// exist for the User object to be created.
	// +kubebuilder:validation:Required
	RabbitmqClusterReference RabbitmqClusterReference `json:"rabbitmqClusterReference"`
	// TODO: Allow the provision of the user with a pre-defined password through a Secret here
}

type RabbitmqClusterReference struct {
	// +kubebuilder:validation:Required
	Name string `json:"name"`
	// +kubebuilder:validation:Required
	Namespace string `json:"namespace"`
}
```

I noticed that we allow interaction with RabbitmqCluster objects in any namespace in the cluster. I'm concerned that we might be allowing a human user Cody to create RabbitMQ primitives in a RabbitMQ cluster they might not have access to. For example, Cody has access only to namespace cody-dev and they create a User kind which references a RabbitmqCluster with name rabbit in namespace foobar. The topology operator will create the user primitive in RabbitMQ, granting Cody credentials to access said RabbitMQ instance.

My concern is that the operator might allow Cody to access RabbitMQ instances they are not supposed or intended to access.

Should we remove the namespace aspect, effectively having a LocalObjectReference-like object?
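To make the proposed restriction concrete, here is an added example (not code from the issue or from the topology operator) of the check a validating webhook or reconciler could apply: a User may only reference a RabbitmqCluster in its own namespace, and an omitted namespace is resolved to the User's own, which is the LocalObjectReference behaviour suggested above. The trimmed `User` and `UserSpec` types and the function names are assumptions for illustration.

```go
package main

import "fmt"

// RabbitmqClusterReference mirrors the field from the issue.
type RabbitmqClusterReference struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// UserSpec is a trimmed-down stand-in (hypothetical) for the real spec.
type UserSpec struct {
	Name                     string
	RabbitmqClusterReference RabbitmqClusterReference
}

// User carries the object's own namespace (metadata.namespace) and its spec.
type User struct {
	Namespace string
	Spec      UserSpec
}

// ValidateClusterReference rejects a User whose reference points at a cluster in a
// namespace other than the User's own. A tenant confined to namespace cody-dev can
// therefore not obtain credentials on a cluster living in foobar, the case from the issue.
func ValidateClusterReference(u User) error {
	ref := u.Spec.RabbitmqClusterReference
	if ref.Name == "" {
		return fmt.Errorf("rabbitmqClusterReference.name must not be empty")
	}
	if ref.Namespace != "" && ref.Namespace != u.Namespace {
		return fmt.Errorf("rabbitmqClusterReference.namespace %q must match the User's namespace %q",
			ref.Namespace, u.Namespace)
	}
	return nil
}

// ResolvedNamespace is the namespace the operator should use to look up the cluster:
// the User's own namespace, with an empty reference namespace treated as "same namespace".
func ResolvedNamespace(u User) string {
	return u.Namespace
}

func main() {
	// Constructed example matching the issue: Cody in cody-dev references rabbit in foobar.
	cody := User{Namespace: "cody-dev", Spec: UserSpec{Name: "cody",
		RabbitmqClusterReference: RabbitmqClusterReference{Name: "rabbit", Namespace: "foobar"}}}
	fmt.Println("cross-namespace reference:", ValidateClusterReference(cody))
}
```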
