Merge branch 'main' into fix-attach

Author: smklein

common/src/api/external/mod.rs

@@ -726,7 +726,7 @@ pub struct Instance {
 
 // DISKS
 
-/// Client view of an [`Disk`]
+/// Client view of a [`Disk`]
 #[derive(ObjectIdentity, Clone, Debug, Deserialize, Serialize, JsonSchema)]
 pub struct Disk {
     #[serde(flatten)]

nexus/src/authz/api_resources.rs

@@ -391,6 +391,7 @@ impl ApiResourceWithRolesType for Organization {
 pub enum OrganizationRoles {
     Admin,
     Collaborator,
+    Viewer,
 }
 
 impl db::model::DatabaseString for OrganizationRoles {
@@ -400,13 +401,15 @@ impl db::model::DatabaseString for OrganizationRoles {
         match self {
             OrganizationRoles::Admin => "admin",
             OrganizationRoles::Collaborator => "collaborator",
+            OrganizationRoles::Viewer => "viewer",
         }
     }
 
     fn from_database_string(s: &str) -> Result<Self, Self::Error> {
         match s {
             "admin" => Ok(OrganizationRoles::Admin),
             "collaborator" => Ok(OrganizationRoles::Collaborator),
+            "viewer" => Ok(OrganizationRoles::Viewer),
             _ => Err(anyhow!(
                 "unsupported Organization role from database: {:?}",
                 s

nexus/src/authz/omicron.polar

@@ -67,6 +67,7 @@ has_role(actor: AuthenticatedActor, role: String, resource: Resource)
 # - silo.viewer           (can read most resources within the Silo)
 # - organization.admin    (complete control over an organization)
 # - organization.collaborator (can manage Projects)
+# - organization.viewer   (can read most resources within the Organization)
 # - project.admin         (complete control over a Project)
 # - project.collaborator  (can manage all resources within the Project)
 # - project.viewer        (can read most resources within the Project)
@@ -164,22 +165,22 @@ resource Organization {
 	    "read",
 	    "create_child",
 	];
-	roles = [ "admin", "collaborator" ];
+	roles = [ "admin", "collaborator", "viewer" ];
 
 	# Roles implied by other roles on this resource
+	"viewer" if "collaborator";
 	"collaborator" if "admin";
 
 	# Permissions granted directly by roles on this resource
-	"list_children" if "collaborator";
-	"read" if "collaborator";
+	"list_children" if "viewer";
+	"read" if "viewer";
 	"create_child" if "collaborator";
 	"modify" if "admin";
 
 	# Roles implied by roles on this resource's parent (Silo)
 	relations = { parent_silo: Silo };
 	"admin" if "collaborator" on "parent_silo";
-	"read" if "viewer" on "parent_silo";
-	"list_children" if "viewer" on "parent_silo";
+	"viewer" if "viewer" on "parent_silo";
 }
 has_relation(silo: Silo, "parent_silo", organization: Organization)
 	if organization.silo = silo;
@@ -206,7 +207,7 @@ resource Project {
 	# Roles implied by roles on this resource's parent (Organization)
 	relations = { parent_organization: Organization };
 	"admin" if "collaborator" on "parent_organization";
-	"viewer" if "list_children" on "parent_organization";
+	"viewer" if "viewer" on "parent_organization";
 }
 has_relation(organization: Organization, "parent_organization", project: Project)
 	if project.organization = organization;
@@ -253,7 +254,7 @@ has_relation(user: SiloUser, "silo_user", ssh_key: SshKey)
 # of the API path (e.g., "/images") or as an implementation detail of the system
 # (in the case of console sessions and "Database").  The policies are
 # either statically-defined in this file or driven by role assignments on the
-# Fleet.
+# Fleet.  None of these resources defines their own roles.
 #
 
 # Describes the policy for accessing "/images" (in the API)
@@ -320,25 +321,11 @@ resource Database {
 	    # other general functions.
 	    "modify"
 	];
-	roles = [
-	    # All authenticated users get the "user" role, which grants the
-	    # "query" permission.  See above.
-	    "user",
-
-	    # The special "db-init" user gets the "init" role, which grants the
-	    # additional "modify" permission.
-	    "init"
-	];
-
-	# See above.
-	"query" if "user";
-
-	"user" if "init";
-	"modify" if "init";
 }
 
-# All authenticated users have the "user" role on the database.
-has_role(_actor: AuthenticatedActor, "user", _resource: Database);
+# All authenticated users have the "query" permission on the database.
+has_permission(_actor: AuthenticatedActor, "query", _resource: Database);
+
 # The "db-init" user is the only one with the "init" role.
-has_role(actor: AuthenticatedActor, "init", _resource: Database)
+has_permission(actor: AuthenticatedActor, "modify", _resource: Database)
 	if actor = USER_DB_INIT;

nexus/src/db/fixed_data/role_builtin.rs

@@ -6,7 +6,7 @@
 use lazy_static::lazy_static;
 use omicron_common::api;
 
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct RoleBuiltinConfig {
     pub resource_type: api::external::ResourceType,
     pub role_name: &'static str,
@@ -67,6 +67,11 @@ lazy_static! {
         },
         ORGANIZATION_ADMINISTRATOR.clone(),
         ORGANIZATION_COLLABORATOR.clone(),
+        RoleBuiltinConfig {
+            resource_type: api::external::ResourceType::Organization,
+            role_name: "viewer",
+            description: "Organization Viewer",
+        },
         RoleBuiltinConfig {
             resource_type: api::external::ResourceType::Project,
             role_name: "admin",
@@ -84,3 +89,52 @@ lazy_static! {
         },
     ];
 }
+
+#[cfg(test)]
+mod test {
+    use super::BUILTIN_ROLES;
+    use crate::authz;
+    use crate::db::model::DatabaseString;
+    use omicron_common::api::external::ResourceType;
+    use strum::IntoEnumIterator;
+
+    #[test]
+    fn test_fixed_role_data() {
+        // Every role that's defined in the public API as assignable on a
+        // resource must have a corresponding entry in BUILTIN_ROLES above.
+        // The reverse is not necessarily true because we have some internal
+        // roles that are not exposed to end users.
+        check_public_roles::<authz::FleetRoles>(ResourceType::Fleet);
+        check_public_roles::<authz::SiloRoles>(ResourceType::Silo);
+        check_public_roles::<authz::OrganizationRoles>(
+            ResourceType::Organization,
+        );
+        check_public_roles::<authz::ProjectRoles>(ResourceType::Project);
+    }
+
+    fn check_public_roles<T>(resource_type: ResourceType)
+    where
+        T: std::fmt::Debug + DatabaseString + IntoEnumIterator,
+    {
+        for variant in T::iter() {
+            let role_name = variant.to_database_string();
+
+            let found = BUILTIN_ROLES.iter().find(|role_config| {
+                role_config.resource_type == resource_type
+                    && role_config.role_name == role_name
+            });
+            if let Some(found_config) = found {
+                println!(
+                    "variant: {:?} found fixed data {:?}",
+                    variant, found_config
+                );
+            } else {
+                panic!(
+                    "found public role {:?} on {:?} with no corresponding \
+                    built-in role",
+                    role_name, resource_type
+                );
+            }
+        }
+    }
+}

nexus/tests/integration_tests/endpoints.rs

@@ -7,6 +7,7 @@
 //! This is used for various authz-related tests.
 //! THERE ARE NO TESTS IN THIS FILE.
 
+use crate::integration_tests::unauthorized::HTTP_SERVER;
 use http::method::Method;
 use lazy_static::lazy_static;
 use nexus_test_utils::RACK_UUID;
@@ -234,7 +235,7 @@ lazy_static! {
                 name: DEMO_IMAGE_NAME.clone(),
                 description: String::from(""),
             },
-            source: params::ImageSource::Url(String::from("http://127.0.0.1:5555/image.raw")),
+            source: params::ImageSource::Url(HTTP_SERVER.url("/image.raw").to_string()),
             block_size: params::BlockSize::try_from(4096).unwrap(),
         };
 

nexus/tests/integration_tests/roles_builtin.rs

@@ -34,6 +34,7 @@ async fn test_roles_builtin(cptestctx: &ControlPlaneTestContext) {
         ("fleet.viewer", "Fleet Viewer"),
         ("organization.admin", "Organization Administrator"),
         ("organization.collaborator", "Organization Collaborator"),
+        ("organization.viewer", "Organization Viewer"),
         ("project.admin", "Project Administrator"),
         ("project.collaborator", "Project Collaborator"),
         ("project.viewer", "Project Viewer"),

nexus/tests/integration_tests/unauthorized.rs

@@ -55,24 +55,6 @@ async fn test_unauthorized(cptestctx: &ControlPlaneTestContext) {
     let client = &cptestctx.external_client;
     let log = &cptestctx.logctx.log;
 
-    // Run a httptest server
-    let server = ServerBuilder::new()
-        .bind_addr("127.0.0.1:5555".parse().unwrap())
-        .run()
-        .unwrap();
-
-    // Fake some data
-    server.expect(
-        Expectation::matching(request::method_path("HEAD", "/image.raw"))
-            .times(1..)
-            .respond_with(
-                status_code(200).append_header(
-                    "Content-Length",
-                    format!("{}", 4096 * 1000),
-                ),
-            ),
-    );
-
     // Create test data.
     info!(log, "setting up resource hierarchy");
     for request in &*SETUP_REQUESTS {
@@ -118,7 +100,7 @@ EXAMPLE:  0 3111 5555 3111 5555 5555 0  /organizations
             The number in each cell is the last digit of the 400-level response
             that was expected for this test case.
 
-    In this case, an unauthenthicated request to "GET /organizations" returned
+    In this case, an unauthenticated request to "GET /organizations" returned
     401.  All requests to "PUT /organizations" returned 405.
 
 G GET  PUT  POST DEL  TRCE G  URL
@@ -141,6 +123,25 @@ struct SetupReq {
 }
 
 lazy_static! {
+    pub static ref HTTP_SERVER: httptest::Server = {
+        // Run a httptest server
+        let server = ServerBuilder::new().run().unwrap();
+
+        // Fake some data
+        server.expect(
+            Expectation::matching(request::method_path("HEAD", "/image.raw"))
+                .times(1..)
+                .respond_with(
+                    status_code(200).append_header(
+                        "Content-Length",
+                        format!("{}", 4096 * 1000),
+                    ),
+                ),
+        );
+
+        server
+    };
+
     /// List of requests to execute at setup time
     static ref SETUP_REQUESTS: Vec<SetupReq> = vec![
         // Create a separate Silo (not used for anything else)

nexus/tests/output/authz-roles-organization.txt

@@ -1,2 +1,3 @@
 variant Admin: serialized form = admin
 variant Collaborator: serialized form = collaborator
+variant Viewer: serialized form = viewer

openapi/nexus.json

@@ -5304,7 +5304,7 @@
         ]
       },
       "Disk": {
-        "description": "Client view of an [`Disk`]",
+        "description": "Client view of a [`Disk`]",
         "type": "object",
         "properties": {
           "block_size": {
@@ -6643,7 +6643,8 @@
         "type": "string",
         "enum": [
           "admin",
-          "collaborator"
+          "collaborator",
+          "viewer"
         ]
       },
       "OrganizationRolesPolicy": {

sled-agent/src/bootstrap/agent.rs

@@ -7,14 +7,14 @@
 use super::config::{Config, BOOTSTRAP_AGENT_PORT};
 use super::discovery;
 use super::params::SledAgentRequest;
+use super::rss_handle::RssHandle;
 use super::trust_quorum::{
     self, RackSecret, ShareDistribution, TrustQuorumError,
 };
 use super::views::{ShareResponse, SledAgentResponse};
 use crate::config::Config as SledConfig;
 use crate::illumos::dladm::{self, Dladm, PhysicalLink};
 use crate::illumos::zone::Zones;
-use crate::rack_setup::service::Service as RackSetupService;
 use crate::server::Server as SledServer;
 use omicron_common::address::get_sled_address;
 use omicron_common::api::external::{Error as ExternalError, MacAddr};
@@ -90,7 +90,7 @@ pub(crate) struct Agent {
     peer_monitor: discovery::PeerMonitor,
     share: Option<ShareDistribution>,
 
-    rss: Mutex<Option<RackSetupService>>,
+    rss: Mutex<Option<RssHandle>>,
     sled_agent: Mutex<Option<SledServer>>,
     sled_config: SledConfig,
 }
@@ -381,8 +381,8 @@ impl Agent {
     // Initializes the Rack Setup Service.
     async fn start_rss(&self, config: &Config) -> Result<(), BootstrapError> {
         if let Some(rss_config) = &config.rss_config {
-            let rss = RackSetupService::new(
-                self.parent_log.new(o!("component" => "RSS")),
+            let rss = RssHandle::start_rss(
+                &self.parent_log,
                 rss_config.clone(),
                 self.peer_monitor.observer().await,
             );

sled-agent/src/bootstrap/mod.rs

@@ -11,6 +11,7 @@ pub mod discovery;
 mod http_entrypoints;
 pub mod multicast;
 pub(crate) mod params;
+pub(crate) mod rss_handle;
 pub mod server;
 mod spdm;
 pub mod trust_quorum;