Matthew Wild <mwild1@gmail.com> [Wed, 17 Aug 2022 16:38:53 +0100] rev 12666
mod_authz_internal, and more: New iteration of role API
These changes to the API (hopefully the last) introduce a cleaner separation
between the user's primary (default) role, and their secondary (optional)
roles.
To keep the code sane and reduce complexity, a data migration is needed for
people using stored roles in 0.12. This can be performed with
prosodyctl mod_authz_internal migrate <host>
Kim Alvefur <zash@zash.se> [Fri, 12 Aug 2022 22:09:09 +0200] rev 12665
util.roles: Add Teal interface declaration
Kim Alvefur <zash@zash.se> [Mon, 15 Aug 2022 16:36:00 +0200] rev 12664
mod_admin_shell: Show session role in c2s:show
Matthew Wild <mwild1@gmail.com> [Mon, 15 Aug 2022 15:25:07 +0100] rev 12663
usermanager: Add back temporary is_admin to warn about deprecated API usage
Goal: Introduce role-auth with minimal disruption
is_admin() is unsafe in a system with per-session permissions, so it has been
deprecated.
Roll-out approach:
1) First, log a warning when is_admin() is used. It should continue to
function normally, backed by the new role API. Nothing is really using
per-session authz yet, so there is minimal security concern.
The 'strict_deprecate_is_admin' global setting can be set to 'true' to
force a hard failure of is_admin() attempts (it will log an error and
always return false).
2) In some time (at least 1 week), but possibly longer depending on the number
of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by
default. It can still be disabled for systems that need it.
3) Further in the future, before the next release, the option will be removed
and is_admin() will be permanently disabled.
Matthew Wild <mwild1@gmail.com> [Fri, 12 Aug 2022 16:21:57 +0100] rev 12662
usermanager: Remove concept of global authz provider
Rationale:
- Removes a bunch of code!
- We don't have many cases where an actor is not bound to one of our hosts
- A notable exception is the admin shell, but if we ever attempt to lock those
sessions down, there is a load of other work that also has to be done. And
it's not clear if we would need a global authz provider for that anyway.
- Removes an extra edge case from the necessary mental model for operators
- Sessions that aren't bound to a host generally are anonymous or have an
alternative auth model (such as by IP addres).
- With the encapsulation now provided by util.roles, ad-hoc "detached roles"
can still be created anyway by code that needs them.
Matthew Wild <mwild1@gmail.com> [Fri, 12 Aug 2022 11:58:25 +0100] rev 12661
usermanager: Fix method name of global authz provider (thanks Zash)
Matthew Wild <mwild1@gmail.com> [Thu, 11 Aug 2022 16:56:59 +0100] rev 12660
usermanager: Remove obsolete function from global authz provider
Matthew Wild <mwild1@gmail.com> [Thu, 11 Aug 2022 16:47:09 +0100] rev 12659
features: Add "permissions" feature for role-auth
Matthew Wild <mwild1@gmail.com> [Mon, 01 Aug 2022 20:26:00 +0100] rev 12658
usermanager: Handle local JIDs being passed to get/set_jid_role()
There is no reasonable fallback for set_jid_role() because users may have
multiple roles, so that's an error.
Kim Alvefur <zash@zash.se> [Wed, 20 Jul 2022 13:10:47 +0200] rev 12657
core.usermanager: Add missing stub authz methods to global authz provider
Except, should we have a global authz provider at all?