I'm using RBAC to build a multi-tenanted Sensu platform. I create a per-department namespace, create users, assign them to groups, and apply the cluster-role "admin" to the group with a role-binding in their namespace. The intended result is that the users in each department are isolated from named resources in any other department.
I misconfigure agent.yml, and allow a user in my "preprod" department (who's inherited cluster-role admin with a role binding to the "preprod" namespace) to register an entity in the "default" namespace. The entity is not permitted to be registered to the default namespace, since the username used by the agent has no permissions to "default" namespace (or any other besides their own).
Provided I specify a valid user/pass in agent.yml, I'm able to register entities into any namespace I please. This presents a problem because having misconfigured my agent, I can't later _delete_ the entity from the incorrect namespace, since my user doesn't have permission to even _list_ entities in that namespace.
It feels as if this is to do with the fact that on receiving a Keepalive from an agent, the API will register an entity for that agent if one is not already seen. I wonder whether the user/permissions check is not applied at this point, allowing the entity to be erroneously registered.
sensuctl namespace create test-rbac-issue)sensuctl user create test-rbac-issue -p "test-rbac-issuesensuctl user add-group test-rbac-issue group-test-rbac-issue)sensuctl role-binding create role-test-rbac-issue-admin --cluster-role admin -g group-test-rbac-issue --namespace test-rbac-issuesensuctl namespace create super-secret)The risk here is that a misconfigured agent would pollute other namespaces, and the operators responsible for that agent would be unable to remove the entity from the erroneous namespaces
Running sensu/sensu Docker container under Kubernetes on GKE
Server:
/ # sensu-backend version
sensu-backend version 5.3.0#379593a, build 379593a8859315e746da28eedfdc8ae4907091fa, built 2019-03-11T20:23:43Z
/ #
Agent:
root@node2:~# sensu-agent version
sensu-agent version 5.3.0#379593a, build 379593a8859315e746da28eedfdc8ae4907091fa, built 2019-03-07T19:00:05Z
root@node2:~#
Thanks for reporting this issue @funkypenguin (and great username btw). I'm able to reproduce this issue on 5.9.0, it appears that we're only using basic authentication to establish a web socket connection between the backend and agent. We definitely need to take the RBAC permissions into account before attempting to register the entity.
Nicely squashed, thank you 馃帀