github/pangolin
1
1
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-04-06 01:11:57 +02:00
Code Issues 85 Packages Projects Releases Wiki Activity

[Feature Request] Security & Permission Access Controls for Blueprints - Ownership, RBAC & Site Toggle #895

New Issue
Closed
opened 2026-04-05 17:56:12 +02:00 by MrUnknownDE · 0 comments
MrUnknownDE commented 2026-04-05 17:56:12 +02:00
Owner
Copy Link

Originally created by @marcschaeferger on 9/18/2025

Summary

In Pangolin v1.10, any authenticated Newt client can change any resource, including critical routing configurations from other sites without ownership or role restrictions. This creates serious security and operational risks.

This proposal addresses these issues by introducing:

  • Ownership enforcement and RBAC
  • Per-site Site Configuration Management (SCM) toggle
  • Admin-only path for system/bootstrapping blueprints
  • Pre-apply validation/dry-run and audit logging

Problem

The current default permits any authenticated Newt client to:

  • Modify, delete, or hijack routes/resources that it did not create
  • Alter system-level configurations, potentially degrading stability or security
  • Cause accidental configuration drift

There is no:

  • Ownership metadata to enforce scope
  • Per-site toggle to adjust/control capabilities
  • Segregation of system bootstrap blueprints from user/tenant blueprints
  • UI-driven permission control over Newt/Blueprint actions

Proposed Security & Permission Model

1. Ownership & Resource Scope

  • Every resource created via a Blueprint is tagged with an immutable owner (e.g. Site ID Client ID).
  • Default behavior: Clients may only update/delete resources they own.
  • Cross-owner modifications require explicit admin permission (via RBAC).

2. RBAC / Roles

Minimal set of roles:

  • Admin: Full access, including system-blueprint ingestion and SCM toggling.
  • Normal User: Access to granted Resources
  • Client: Modifies only owned resources.

3. Site Configuration Management (SCM) Toggle

  • Per-site setting:
    • Enabled: Site actors may manage all resources assigned to their site.
    • Disabled (default): Site actors limited to their own created/owned resources.
  • Changeable only by Admin via UI or API.

4. System / Bootstrap Blueprints

  • Admin-only ingestion route for system-critical blueprints:
    • Loaded on startup or via privileged UI/API.
    • Immutable/read-only to non-admin clients.
  • Comparable to Traefik's dynamic rules file separation.

5. Validation, Dry-Run & Admission

  • Before apply: Validate that each operation passes ownership and permission checks.
  • Optional dry-run/preview mode to show outcome and flag denied actions.

6. Audit Logging

  • Log each Blueprint apply:
    • Who initiated
    • Which client/site
    • What changed
    • Timestamp & result
  • Logs queryable and viewable in the UI for audit and debugging.

7. Annotations & Controlled Overrides

  • Admins can use annotations to mark exceptional cases (e.g., shared resources editable by select clients).
  • Ownership transfer is admin-only until further policy support exists.

Benefits

  • Stronger security: Eliminates uncontrolled cross-resource modification.
  • Granular control: Admins can expand permissions deliberately via RBAC/UI.
  • Auditability: All actions are traceable and reviewable.
  • Familiar model: Based on Kubernetes RBAC and ownership patterns.

Checklist

  • Add owner attribute to resource schema (+ DB migration).
  • Enforce ownership in Blueprint apply pipeline (API/Newt).
  • Implement RBAC roles and permission checks.
  • Add SCM flag to Site model + controls in UI/API.
  • Build admin-only ingestion for system/bootstrapping blueprints.
  • Create pre-apply validation + dry-run capability.
  • Implement audit logging and UI views.
  • Backfill legacy resources with safe default owners (system/legacy) + admin claim UI/CLI.

Considerations

  • Default to least-privilege for all new clients/sites.
  • Tie authentication (API keys, tokens) securely to ownership identity.
  • Verify safe migration for existing resources to avoid granting excess permissions.

Open Questions

  • Mapping RBAC/ownership semantics for future Kubernetes Operator integration.
*Originally created by @marcschaeferger on 9/18/2025* ## Summary In Pangolin **v1.10**, any authenticated **Newt** client can change **any** resource, including critical routing configurations from other sites without ownership or role restrictions. This creates serious **security** and **operational** risks. This proposal addresses these issues by introducing: - **Ownership enforcement** and **RBAC** - Per-site **Site Configuration Management** (SCM) toggle - **Admin-only** path for system/bootstrapping blueprints - **Pre-apply validation/dry-run** and **audit logging** --- ## Problem The **current default** permits any authenticated Newt client to: - Modify, delete, or hijack routes/resources that it did not create - Alter system-level configurations, potentially degrading stability or security - Cause accidental configuration drift There is **no**: - Ownership metadata to enforce scope - Per-site toggle to adjust/control capabilities - Segregation of **system bootstrap blueprints** from user/tenant blueprints - UI-driven permission control over Newt/Blueprint actions --- ## Proposed Security & Permission Model ### 1. Ownership & Resource Scope - Every resource created via a Blueprint is tagged with an **immutable owner** (e.g. Site ID Client ID). - **Default behavior:** Clients may only update/delete resources they own. - Cross-owner modifications require explicit admin permission (via RBAC). ### 2. RBAC / Roles Minimal set of roles: - **Admin**: Full access, including system-blueprint ingestion and SCM toggling. - **Normal User**: Access to granted Resources - **Client**: Modifies only owned resources. ### 3. Site Configuration Management (SCM) Toggle - Per-site setting: - **Enabled:** Site actors may manage all resources assigned to their site. - **Disabled** (default): Site actors limited to their own created/owned resources. - Changeable only by Admin via UI or API. ### 4. System / Bootstrap Blueprints - Admin-only ingestion route for system-critical blueprints: - Loaded on startup or via privileged UI/API. - Immutable/read-only to non-admin clients. - Comparable to Traefik's dynamic rules file separation. ### 5. Validation, Dry-Run & Admission - **Before apply**: Validate that each operation passes ownership and permission checks. - Optional **dry-run/preview mode** to show outcome and flag denied actions. ### 6. Audit Logging - Log each Blueprint apply: - Who initiated - Which client/site - What changed - Timestamp & result - Logs queryable and viewable in the UI for audit and debugging. ### 7. Annotations & Controlled Overrides - Admins can use annotations to mark exceptional cases (e.g., shared resources editable by select clients). - Ownership transfer is admin-only until further policy support exists. --- ## Benefits - **Stronger security**: Eliminates uncontrolled cross-resource modification. - **Granular control**: Admins can expand permissions deliberately via RBAC/UI. - **Auditability**: All actions are traceable and reviewable. - **Familiar model**: Based on Kubernetes RBAC and ownership patterns. --- ## Checklist - [ ] Add `owner` attribute to resource schema (+ DB migration). - [ ] Enforce ownership in Blueprint apply pipeline (API/Newt). - [ ] Implement RBAC roles and permission checks. - [ ] Add SCM flag to Site model + controls in UI/API. - [ ] Build admin-only ingestion for system/bootstrapping blueprints. - [ ] Create pre-apply validation + dry-run capability. - [ ] Implement audit logging and UI views. - [ ] Backfill legacy resources with safe default owners (`system`/`legacy`) + admin claim UI/CLI. --- ## Considerations - Default to least-privilege for all new clients/sites. - Tie authentication (API keys, tokens) securely to ownership identity. - Verify safe migration for existing resources to avoid granting excess permissions. --- ## Open Questions - Mapping RBAC/ownership semantics for future Kubernetes Operator integration.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Improvement
Improvement
Improvement
Improvement
Look Into
Security
Security
api
api
authentication
authentication
authentication
authentication
authentication
authentication
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
config
config
config
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
docker
docker
docker
docker
docker
documentation
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
go
go
go
go
go
go
go
go
go
go
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
networking
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
question
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
ui
ui
ui
ui
ui
ui
wontfix
No Label enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
MrUnknownDE
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/pangolin#895
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?