Creating this ticket for

omicron/nexus/src/db/datastore/role.rs
Lines 239 to 240 in b062e95

```rust
// TODO-security We should carefully review what permissions are
// required for modifying the policy of a resource.
```

(edit: this comment was removed under #2417 but the issue remains)

Internally, there's an explicit authz action for ModifyPolicy. Who should get it? Right now, it's precisely anyone who can modify the resource:

omicron/nexus/src/authz/oso_generic.rs
Line 211 in b062e95

```rust
Action::ModifyPolicy => Perm::Modify,
```

For resources covered by the roles policy test, you can see which roles are able to modify the resource's policy in this output file (the "MP" column):
https://github.com/oxidecomputer/omicron/blob/b062e95f5f917909b8c6d40200a4d0d80847694f/nexus/tests/output/authz-roles.out

We should make sure that's right.
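To make the question in the ticket concrete, here is an added toy model (not omicron code, and not taken from this issue) of an action-to-permission mapping. The role names (Viewer, Collaborator, Admin), the permission hierarchy, and the `Perm::ModifyPolicy` variant are assumptions made for illustration only. It contrasts a mapping where `Action::ModifyPolicy` collapses to `Perm::Modify` with one where policy changes need their own permission, and shows why the distinction matters: under the collapsed mapping, anyone who can modify a resource can rewrite its policy and grant themselves a stronger role.

```rust
// Added illustration; assumed role/permission names, not omicron's real policy.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Viewer,
    Collaborator,
    Admin,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Perm {
    Read,
    Modify,
    ModifyPolicy, // hypothetical separate permission for policy edits
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action {
    Read,
    Modify,
    ModifyPolicy,
}

/// Permissions each (assumed) role holds on a resource.
pub fn perms_for(role: Role) -> &'static [Perm] {
    match role {
        Role::Viewer => &[Perm::Read],
        Role::Collaborator => &[Perm::Read, Perm::Modify],
        Role::Admin => &[Perm::Read, Perm::Modify, Perm::ModifyPolicy],
    }
}

/// Collapsed mapping: changing the policy needs only the ability to modify.
pub fn perm_for_action_collapsed(action: Action) -> Perm {
    match action {
        Action::Read => Perm::Read,
        Action::Modify | Action::ModifyPolicy => Perm::Modify,
    }
}

/// Separated mapping: changing the policy needs its own permission.
pub fn perm_for_action_separated(action: Action) -> Perm {
    match action {
        Action::Read => Perm::Read,
        Action::Modify => Perm::Modify,
        Action::ModifyPolicy => Perm::ModifyPolicy,
    }
}

/// Generic authz check: does the role hold the permission the action maps to?
pub fn authorized(role: Role, action: Action, map: fn(Action) -> Perm) -> bool {
    perms_for(role).contains(&map(action))
}

/// Simulates a self-grant: if the caller may rewrite the policy, they can
/// assign themselves Admin. Returns the caller's effective role afterwards.
pub fn attempt_self_grant(role: Role, map: fn(Action) -> Perm) -> Role {
    if authorized(role, Action::ModifyPolicy, map) {
        Role::Admin
    } else {
        role
    }
}

fn main() {
    for (name, map) in [
        ("collapsed", perm_for_action_collapsed as fn(Action) -> Perm),
        ("separated", perm_for_action_separated as fn(Action) -> Perm),
    ] {
        let after = attempt_self_grant(Role::Collaborator, map);
        println!("{name}: Collaborator ends up as {after:?}");
    }
}
```

The `authz-roles.out` table the ticket points at is the real-world counterpart of the `perms_for` table here: reviewing the "MP" column is the same exercise as checking which rows of `perms_for` would pass `authorized(role, Action::ModifyPolicy, ...)`.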