Sensu-go: Should Sensu-agent be able to register an entity in any namespace?

Created on 18 Mar 2019  路  2Comments  路  Source: sensu/sensu-go

I'm using RBAC to build a multi-tenanted Sensu platform. I create a per-department namespace, create users, assign them to groups, and apply the cluster-role "admin" to the group with a role-binding in their namespace. The intended result is that the users in each department are isolated from named resources in any other department.

Expected Behavior

I misconfigure agent.yml, and allow a user in my "preprod" department (who's inherited cluster-role admin with a role binding to the "preprod" namespace) to register an entity in the "default" namespace. The entity is not permitted to be registered to the default namespace, since the username used by the agent has no permissions to "default" namespace (or any other besides their own).

Current Behavior

Provided I specify a valid user/pass in agent.yml, I'm able to register entities into any namespace I please. This presents a problem because having misconfigured my agent, I can't later _delete_ the entity from the incorrect namespace, since my user doesn't have permission to even _list_ entities in that namespace.

Possible Solution

It feels as if this is to do with the fact that on receiving a Keepalive from an agent, the API will register an entity for that agent if one is not already seen. I wonder whether the user/permissions check is not applied at this point, allowing the entity to be erroneously registered.

Steps to Reproduce (for bugs)

  1. Create namespace "test-rbac-issue" (sensuctl namespace create test-rbac-issue)
  2. Create user "test-rbac-issue" (sensuctl user create test-rbac-issue -p "test-rbac-issue
  3. Add user to group (sensuctl user add-group test-rbac-issue group-test-rbac-issue)
  4. Add role-binding (in namespace) to group (sensuctl role-binding create role-test-rbac-issue-admin --cluster-role admin -g group-test-rbac-issue --namespace test-rbac-issue
  5. Attempt to setup a new agent, leaving "namespace" value in agent.yml comment out (per default), but populate the user/pass correctly. When you start the agent, the entity is registered in the "default" namespace.
  6. Create _another_ namespace (to prove it's not specific to default) (sensuctl namespace create super-secret)
  7. Change the namespace in agent.yml to "super-secret", and restart sensu-agent
  8. The entity is now registered in the "super-secret" namespace.

Context

The risk here is that a misconfigured agent would pollute other namespaces, and the operators responsible for that agent would be unable to remove the entity from the erroneous namespaces

Your Environment

Running sensu/sensu Docker container under Kubernetes on GKE

Server:

/ # sensu-backend version
sensu-backend version 5.3.0#379593a, build 379593a8859315e746da28eedfdc8ae4907091fa, built 2019-03-11T20:23:43Z
/ #

Agent:

root@node2:~# sensu-agent version
sensu-agent version 5.3.0#379593a, build 379593a8859315e746da28eedfdc8ae4907091fa, built 2019-03-07T19:00:05Z
root@node2:~#
bug

All 2 comments

Thanks for reporting this issue @funkypenguin (and great username btw). I'm able to reproduce this issue on 5.9.0, it appears that we're only using basic authentication to establish a web socket connection between the backend and agent. We definitely need to take the RBAC permissions into account before attempting to register the entity.

Nicely squashed, thank you 馃帀

Was this page helpful?
0 / 5 - 0 ratings