fix(security-operator): address AuthorizationModel StoreRef at the org's generated cluster#477
Open
ifdotpy wants to merge 2 commits intoplatform-mesh:mainfrom
Open
fix(security-operator): address AuthorizationModel StoreRef at the org's generated cluster#477ifdotpy wants to merge 2 commits intoplatform-mesh:mainfrom
ifdotpy wants to merge 2 commits intoplatform-mesh:mainfrom
Conversation
The StoreRef-cluster fix is generic to every provider; the test should read that way. Swap OpenKCM-specific identifiers (operations.openkcm.io / servicekeys / openkcm-provider workspace) for the stand-in example.io / widgets / providers:example so the intent is 'any provider APIBinding generates an AuthorizationModel addressed at the org GeneratedClusterId', not 'OpenKCM happens to break on cc-d2'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ifdotpy
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AuthorizationModelwhoseStoreRef.Clustermust identify the KCP workspace that hosts the org's OpenFGAStore. The Process path was addressing it byOrganization.OriginClusterId; the Finalize path in the same file already usesOrganization.GeneratedClusterIdto identify the org. Align Process with Finalize so provider auth modules actually merge into the org store on write.StoreRef.Cluster == Organization.GeneratedClusterIdfor any namespaced provider resource.Why
StoreRefis a KCP workspace reference (seeinternal/subroutine/authorization_model.go->getRelatedAuthorizationModelsmatching on the store's logical cluster key from multicluster-runtime context).Organization.OriginClusterIdis the shard-side identifier used in OpenFGA tuple object strings - stable for tuples, wrong for workspace lookups.Organization.GeneratedClusterIdis the org's logical cluster identity and matches what the Finalize path already uses to disambiguate bindings. The two cluster IDs are distinct by design (seeaccount-operatoraccount_info_types.go); Process was picking the wrong one.Why this isn't a provider-specific bug
Every APIBinding (regardless of provider) flows through this subroutine. Any org-scoped provider APIExport currently produces an AuthorizationModel whose
StoreRefpoints at the wrong logical cluster for the org store, so its module is never merged into that store - the resource becomes unreachable to account-scope users because OpenFGA returnsNoOpinion-> default deny at the gateway. The symptom is more visible for providers whose resources are consumed from account scope through the shared store; the root cause is generic.Other
OriginClusterIdsites intentionally stay as they areUsage in
apiexportpolicy.goandaccount-operator/pkg/subroutines/fga.gocomposes FGA tuple user/object strings (e.g.core_platform-mesh_io_account:<OriginClusterId>/<name>). Those are the stable identifiers inside OpenFGA's model graph; changing them would invalidate the existing tuple graph. Left unchanged on purpose.Testing
go test ./internal/subroutine -run TestAuthorizationModelGeneration_Process_UsesGeneratedClusterForStoreRef -count=1go test ./internal/subroutine -count=1Risk
Organization.GeneratedClusterIdwould produce a model with an empty StoreRef.Cluster. The account-operator's FGA subroutine already guards on a non-empty value before propagating (account-operator/pkg/subroutines/fga.go:95), so in a healthy cluster this field is populated by the time an APIBinding is processed. Worth sanity-checking on older clusters before rollout.