Description
Problem:
As an indexd or DRS user, when I list objects, I only expect to see items that belong to projects I have access to.
Solution:
Assuming a Bearer token is included on the request, I expect indexd to query arborist, extract the projects I have access to and add those as an "authz" filter when querying the database. A feature flag should control this query injection; the flag should default to FALSE, as this will improve the chances of getting a PR approved. All current unit tests should pass. Additional unit tests should confirm the behavior.
Alternatives:
We could have an RBAC-aware proxy in front of indexd; however, that would add complexity and processing overhead.
Context:
The main auth code has two methods, auth and authz. The indexd.authorize method checks whether a Basic auth header is present: if so, auth is called, otherwise authz is called. The revproxy gateway injects this header here. This reliance on Basic auth is concerning and its rationale is undocumented. It appears that it is not used for either create or read based on the client API.
Approach:
Add code to get_index to call auth_mapping and inject resources (projects) into the query.
- skip if feature flag not enabled
- 401 if Bearer token not available
- update dependency gen3authz as latest version includes token as parameter (as an alternative to username)
- use mock_arborist_requests pytest fixture
- update test_index_list_with_params or add new tests
- Add feature flag to default_settings default to False
- Update helm with feature flag
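The filtering step described above (flag off: query unchanged; no Bearer token: 401; otherwise restrict the listing to resources the arborist mapping grants read access to), as an added example that is not indexd's code. It assumes the auth mapping is a dict of resource path to a list of {service, method} grants with "*" as a wildcard, as returned by arborist, and stands in a Python list for the database WHERE clause.

```python
"""Added example: derive an authz filter for index listing from an arborist auth mapping."""


class Unauthorized(Exception):
    """Raised when the request carries no Bearer token; maps to a 401 response."""


# Constructed sample auth mapping. Shape assumed from arborist's /auth/mapping:
# resource path -> list of grants, each {"service": ..., "method": ...}, "*" is a wildcard.
SAMPLE_AUTH_MAPPING = {
    "/programs/DEV/projects/test": [{"service": "indexd", "method": "read"}],
    "/programs/DEV/projects/other": [{"service": "indexd", "method": "create"}],
    "/programs/QA/projects/q1": [{"service": "*", "method": "*"}],
    "/services/sheepdog": [{"service": "sheepdog", "method": "*"}],
}

# Constructed sample index records; real indexd records carry an "authz" list of resource paths.
SAMPLE_RECORDS = [
    {"did": "rec-1", "authz": ["/programs/DEV/projects/test"]},
    {"did": "rec-2", "authz": ["/programs/DEV/projects/other"]},
    {"did": "rec-3", "authz": ["/programs/QA/projects/q1"]},
    {"did": "rec-4", "authz": []},
]


def readable_resources(auth_mapping, service="indexd", method="read"):
    """Return the resource paths the caller may `method` via `service`, honouring "*" wildcards."""
    allowed = []
    for resource, grants in auth_mapping.items():
        if any(g["service"] in (service, "*") and g["method"] in (method, "*") for g in grants):
            allowed.append(resource)
    return sorted(allowed)


def authz_filter_for_request(bearer_token, auth_mapping, flag_enabled=False):
    """Build the authz filter to add to the listing query, or None when the feature flag is off."""
    if not flag_enabled:
        return None  # feature disabled: listing behaves exactly as before
    if not bearer_token:
        raise Unauthorized("Bearer token required when authz filtering is enabled")
    # An empty allowed set is returned as-is so the user sees nothing, not everything.
    return {"authz": readable_resources(auth_mapping)}


def list_records(records, authz_filter):
    """Stand-in for the SQL WHERE clause: keep records whose authz intersects the allowed set."""
    if authz_filter is None:
        return list(records)
    allowed = set(authz_filter["authz"])
    return [r for r in records if allowed.intersection(r["authz"])]
```

In indexd the mapping would come from the gen3authz auth_mapping call mentioned in the approach, and the filter would become a predicate on the record authz table rather than a Python list comprehension.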