Restructure authentication policies. (#1232)
This PR restructures how authentication policies are used in Krill. It
removes the use of Oso and its policy definition language and instead
switches to simple, straightforward mappings between permissions, roles,
and users.

The existing concept of roles is augmented to serve as the central
configuration option for limiting a user’s access to certain actions and
resources. Roles are now user configurable via the new auth_roles
configuration directive. For each role, a set of permissions has to be
provided. Optionally, a list of resource handles (vulgo: CAs) can be given
in which case access is limited to these resources.

The authentication providers now assign one of these roles to each logged
in user.

The OpenID Connect provider now only determines claims for “id,” i.e., the
user name, and the “role.” Since we replaced the previous use of JMES
paths with custom functions with a more stringent model of matching and
substitution, the configuration had to change in a non-compatible way,
anyway, so we cleaned it up a bit and switched from a map to an array for
the claims.

For the config file provider, this was already possible by adding a “role”
attribute. This has now been changed into a “role” field of the user
details. In order to make upgrading seamless, the “role” attribute is
still accepted but a deprecation warning is logged. Since the auth_users
configuration is not used for the OpenID Connect provider any more, the
password_hash and salt fields of the user details are now mandatory.

Custom policies have been removed.

This is a breaking change.
partim authored Feb 5, 2025
1 parent 14ec86a commit fc10424
Showing 55 changed files with 3,433 additions and 3,918 deletions.
657 changes: 381 additions & 276 deletions Cargo.lock

6 changes: 1 addition & 5 deletions Cargo.toml
@@ -35,13 +35,11 @@ http-body-util = "0.1"
hyper = { version = "1.5.2", features = ["server"] }
hyper-util = { version = "0.1", features = [ "server" ] }
intervaltree = "0.2.7"
jmespatch = { version = "0.3", features = ["sync"], optional = true }
kmip = { version = "0.4.3", package = "kmip-protocol", features = [ "tls-with-openssl" ], optional = true }
kvx = { version = "0.9.3", features = ["macros"] }
log = "0.4"
openidconnect = { version = "2.5.1", optional = true, default-features = false }
openidconnect = { version = "3.5.0", optional = true, default-features = false }
openssl = { version = "0.10", features = ["v110"] }
oso = { version = "0.12", optional = true, default-features = false }
percent-encoding = "2.3.1"
pin-project-lite = "0.2.15"
r2d2 = { version = "0.8.10", optional = true }
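Review bot: the openidconnect bump from 2.5.1 to 3.5.0 in this hunk crosses a major version boundary, but the commit message only mentions the Oso and jmespatch removals; please call the upgrade out in the description and confirm that with `default-features = false` the 3.x crate still enables everything the OpenID Connect provider needs, since a major release is where feature names and defaults are most likely to have moved.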
@@ -78,9 +76,7 @@ default = ["multi-user", "hsm"]
hsm = ["backoff", "kmip", "cryptoki", "r2d2"]
multi-user = [
"basic-cookies",
"jmespatch/sync",
"regex",
"oso",
"openidconnect",
"rpassword",
"scrypt",
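Review bot: after dropping "jmespatch/sync" and "oso" from the multi-user feature list, "regex" still remains; worth confirming it is actually used by the new matching and substitution model for claims, otherwise drop it here too (and from the dependency table above) so the feature does not pull in a crate the restructured code no longer needs.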
37 changes: 0 additions & 37 deletions defaults/abac.polar

This file was deleted.

13 changes: 0 additions & 13 deletions defaults/aliases.polar

This file was deleted.

700 changes: 377 additions & 323 deletions defaults/krill-multi-user.conf

42 changes: 0 additions & 42 deletions defaults/rbac.polar

This file was deleted.

142 changes: 0 additions & 142 deletions defaults/roles.polar

This file was deleted.
