RFD 0229b: Scopes - Machine & Workload Identity

[strideynet]

Related to #63195

[strideynet]

@fspmarshall I think this is my first "philosophical" question. I'm leaning towards permitting a Bot within scope /foo to be granted privileges in scope /bar by an admin of scope /bar but very curious on your thoughts and whether there's a solution that fits better with the philosophy of Scoped RBAC here.

[strideynet]

Discussion in slack (summarised):

• Yes: this is a tricky problem we need to think on longer.
• We may want to make this possible (there seems to be good use-cases), but, we need to protect against Bot privileges changing without the consent of the scope admin.
• This may require pinning the role assignment to the Bot Name and Scope OR introducing namespacing for ScopedBot resources.

We will meditate on this further.

[strideynet]

Is it strictly necessary to prevent the Scope of Origin being above the Bot Scope?

For example:

• Bot: /foo/bar
• SR: /foo
• SRA Origin: /foo
• SRA Effect: /foo/bar

[strideynet]

This check may be overly strict.

Today, for a scoped token, the assigned_scope must be the same or descendent to scope. This means we could instead only validate that assigned_scope is equal to the scope of the Bot. This would permit an admin in a parent scope to create a join token for a bot in a descendent scope - which does not break any of the rules of Scoped RBAC.

I don't think there's a strong use-case for this - so it doesn't matter too much which way we go here. I'm tempted to start with the "stricter" check since it would be not-breaking to make this more relaxed in future - whereas vice versa would be a breaking change.

Curious on thoughts.

[strideynet]

@fspmarshall - do any other controls come to mind for the cross-scope privilege ?