Simplify locking of Almanac cluster services
Closed, Public

Authored by epriestley on Feb 24 2016, 12:59 AM.

Details

Summary

Fixes T6741. Ref T10246. Broadly, we want to protect Almanac cluster services:

  • Today, against users in the Phacility cluster accidentally breaking their own instances.
  • In the future, against attackers compromising administrative accounts and adding a new "cluster database" which points at hardware they control.

The way this works right now is really complicated: there's a global "can create cluster services" setting, and then separate per-service and per-device locks.

Instead, change "Can Create Cluster Services" into "Can Manage Cluster Services". Require this permission (in addition to normal permissions) to edit or create any cluster service.

This permission can be locked to "No One" via config (as we do in the Phacility cluster) so we only need this one simple setting.

There's also zero reason to individually lock some of the cluster services.

Also improve extended policy errors.

The UI here is still a little heavy-handed, but should be good enough for the moment.

Test Plan
  • Ran migrations.
  • Verified that cluster services and bindings reported that they belonged to the cluster.
  • Edited a cluster binding.
  • Verified that the bound device was marked as a cluster device.
  • Moved a cluster binding, verified the old device was unmarked as a cluster device.
  • Tried to edit a cluster device as an unprivileged user, got a sensible error.
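
Added example, not code from this revision or from Phabricator: a small Python model of the rule in the summary, where editing a cluster service or a device bound to one needs the normal edit policy plus a single "Can Manage Cluster Services" capability that config can lock to "No One". All class and method names are hypothetical; that admins hold the capability by default, and that cluster membership of a device is derived from its bindings, are assumptions.

```python
from dataclasses import dataclass, field

NO_ONE, ADMINS = "no-one", "admins"  # hypothetical policy values for this model

@dataclass
class User:
    name: str
    is_admin: bool = False

@dataclass
class Service:
    name: str
    is_cluster: bool
    editors: set                                  # the object's normal edit policy
    devices: set = field(default_factory=set)     # names of bound devices

class Almanac:
    def __init__(self, stored_policy=ADMINS, locked_policy=None):
        # Assumption: a value locked in config overrides the stored setting,
        # so a compromised admin account cannot loosen it from the web UI.
        self.manage_policy = locked_policy or stored_policy
        self.services = []

    def can_manage_cluster(self, user):
        return self.manage_policy != NO_ONE and user.is_admin

    def is_cluster_device(self, device):
        # Simplification: derived from bindings instead of a stored mark.
        return any(s.is_cluster and device in s.devices for s in self.services)

    def check_edit(self, user, editors, in_cluster):
        """Return (allowed, reason); the reason names the policy that failed."""
        if user.name not in editors:
            return False, "object edit policy"
        if in_cluster and not self.can_manage_cluster(user):
            return False, "Can Manage Cluster Services"
        return True, "ok"

    def edit_service(self, user, service):
        return self.check_edit(user, service.editors, service.is_cluster)

    def edit_device(self, user, device, editors):
        return self.check_edit(user, editors, self.is_cluster_device(device))

    def move_binding(self, user, service, old, new):
        allowed, reason = self.edit_service(user, service)
        if allowed:
            service.devices.discard(old)
            service.devices.add(new)
        return allowed, reason
```

Returning the name of the failed policy mirrors the "sensible error" step of the test plan: the caller can tell the user which of the two requirements was not met.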

Diff Detail

Repository
rP Phabricator
Branch
almanac11
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 10832
Build 13350: Run Core Tests
Build 13349: arc lint + arc unit