Permission level degradation proposal

[thetechnick]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Documentation:

Does this PR introduce a user-facing change?:

NONE

[kubermatic-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[kubermatic-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thetechnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [thetechnick]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jiachengxu]

This means, if user tries to create ProjectRole which escalates the user's permission or max permission, we will still let the ProjectRole be created but with limited permissions? Why don't we forbidden to create this ProjectRole?

[thetechnick]

I should probably point this out more prominently in the design document:

OrganizationRoles are validated on creation and update to enforce the same prerequisites as Kubernetes:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update

Same for ProjectRoles. *RoleBindings are also validated the similar, but the link points to the *Binding specific validation rules.

Those checks include escalation checks, just follow the link.

[jiachengxu]

I am sorry that I still don't get it :)
For example, if User only has permission to do X but not Y, and User creates a Role with X and Y, Kubernetes API server will reject the API call with a forbidden error.
In our case, if User create a ProjectRole with X and Y, we will let it be created, but we only give people permission X (In the status, only X will be granted).
My question was why don't we also reject the call with a forbidden error when user creates ProjectRole? Why we let it be created instead?
Thanks!

[jiachengxu]

Oh, now I see it. In your example, it is the case that the max permission is limited after the ProjectRole is created, in this case, we have the acceptedRules in the status to show User, that your permission is also limited.

[nmiculinic]

Suggested change

	This document extends on the initial Bulward concept to enable degradation of user defined roles.
	This document extends on the initial Bulward concept to enable user defined roles scope reduction.

not sure if the degradation is the right word in this context.

[nmiculinic]

Suggested change

	After installing bulward organization owners will have very limited permissions. Essentially they will only be allowed to interact with the Bulward API -> e.g. creating new Projects, organize users and create sub-roles.
	After installing bulward organization owners have limited permissions. Essentially they are allowed to interact with the Bulward API -> e.g. creating new Projects, organize users, and create sub-roles.

[nmiculinic]

update the concept in the PR as well, to have it up to date.

[nmiculinic]

How is this maximum permission configured? In the Organization / Project resource or?

[nmiculinic]

This is tad underspecified. All roles --> do we mean OrganizationRoleTemplate roles or?

[nmiculinic]

Same, roles is referring to which resource exactly?