Implement proxied MPA support #374

Merged (9 commits) on Nov 27, 2023

@stvnrhodes stvnrhodes commented Nov 15, 2023

This adds support for MPA requests that go through the proxy, building upon the support that we have for direct MPA requests. I've updated documentation with examples and I've added an integration test.

Some notes on implementation quirks:

  • Our telemetry handler passes through the metadata specifying the MPA request id from the proxy to the server, triggering its MPA authz hook if the method matches. This works fine because the server will look at proxied identity information for deciding if the request id matches the stored data.
  • Our telemetry handler also passes through the justification metadata. If someone forgets to add the handler that does this, justification isn't stored in the MPA request and the proxy MPA authz hook will fail due to the mismatch between the stored action and the requested action.
  • sanssh will wait for all targets to be approved before running the final command on any target.

Fixes #346
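
The justification quirk noted in the description above, as an added Go model that is not code from this PR or from the project: when the proxy forwards the MPA request id but drops the justification, the stored action and the requested action no longer match and the authz check denies the call. The types, function names, metadata key names and sample values are all assumptions made for illustration.

```go
package main

import "fmt"

// Simplified model of the flow in the PR description; not the project's types.
// The metadata key names below are hypothetical.
const (
	keyMPAID         = "mpa-request-id"
	keyJustification = "justification"
)

// Action is what approvers sign off on and what the authz hook compares.
type Action struct{ User, Method, Justification string }

// Forward models the proxy handler: only the listed metadata keys reach the server.
func Forward(md map[string]string, keys ...string) map[string]string {
	out := map[string]string{}
	for _, k := range keys {
		if v, ok := md[k]; ok {
			out[k] = v
		}
	}
	return out
}

// Store models the server recording an MPA request from the metadata it received.
func Store(user, method string, md map[string]string) Action {
	return Action{User: user, Method: method, Justification: md[keyJustification]}
}

// Authorize models the proxy hook: the requested action must equal the stored
// one, and the stored one must have been approved.
func Authorize(stored Action, approved bool, user, method string, md map[string]string) error {
	req := Action{User: user, Method: method, Justification: md[keyJustification]}
	if req != stored {
		return fmt.Errorf("MPA request %q: stored action %+v != requested %+v", md[keyMPAID], stored, req)
	}
	if !approved {
		return fmt.Errorf("MPA request %q is not approved", md[keyMPAID])
	}
	return nil
}

func main() {
	// Constructed sample values.
	md := map[string]string{keyMPAID: "constructed-id", keyJustification: "TICKET-1"}
	good := Store("alice", "/Exec/Run", Forward(md, keyMPAID, keyJustification))
	bad := Store("alice", "/Exec/Run", Forward(md, keyMPAID)) // justification passthrough forgotten
	fmt.Println("with passthrough:", Authorize(good, true, "alice", "/Exec/Run", md))
	fmt.Println("without passthrough:", Authorize(bad, true, "alice", "/Exec/Run", md))
}
```

The denial in the second case fails closed: an approval recorded without a justification cannot be reused for a request that carries one.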

@stvnrhodes stvnrhodes marked this pull request as ready for review November 21, 2023 05:44
@sfc-gh-jallie sfc-gh-jallie left a comment

LGTM

@sfc-gh-srhodes sfc-gh-srhodes merged commit bbb321c into Snowflake-Labs:main Nov 27, 2023
4 checks passed
@stvnrhodes stvnrhodes deleted the mpa-identity branch March 27, 2024 03:39
Successfully merging this pull request may close these issues.

Multi Party Authorization