Delete builtin_roles (#7477)

This came up in a meeting with @davepacheco — storing the roles in the
DB and letting them be listed through the API is a legacy idea with no
practical application that we know of. When I heard that I was curious
how much could be deleted.

Fundamentally, all this machinery I've deleted was just in service of
the `role_view` and `role_list` endpoints, which let you get something
like this list:

```
fleet     admin
fleet     collaborator
fleet     viewer
silo      admin
silo      collaborator
silo      viewer
project   admin
project   collaborator
project   viewer
```

I think we thought this would be a dynamic list of roles, but all these
things are hard-coded. As far as I can tell there is no relationship to
the actual authorization system — this is basically just an unrelated
copy of that stuff. This claim borne out by the fact that deleting all
this stuff doesn't affect anything else, i.e., doesn't cause any tests
to fail.

Author: david-crespo

common/src/api/external/mod.rs

@@ -497,72 +497,6 @@ fn name_schema(
     .into()
 }
 
-/// Name for a built-in role
-#[derive(
-    Clone,
-    Debug,
-    DeserializeFromStr,
-    Display,
-    Eq,
-    FromStr,
-    Ord,
-    PartialEq,
-    PartialOrd,
-    SerializeDisplay,
-)]
-#[display("{resource_type}.{role_name}")]
-pub struct RoleName {
-    // "resource_type" is generally the String value of one of the
-    // `ResourceType` variants.  We could store the parsed `ResourceType`
-    // instead, but it's useful to be able to represent RoleNames for resource
-    // types that we don't know about.  That could happen if we happen to find
-    // them in the database, for example.
-    #[from_str(regex = "[a-z-]+")]
-    resource_type: String,
-    #[from_str(regex = "[a-z-]+")]
-    role_name: String,
-}
-
-impl RoleName {
-    pub fn new(resource_type: &str, role_name: &str) -> RoleName {
-        RoleName {
-            resource_type: String::from(resource_type),
-            role_name: String::from(role_name),
-        }
-    }
-}
-
-/// Custom JsonSchema implementation to encode the constraints on RoleName
-impl JsonSchema for RoleName {
-    fn schema_name() -> String {
-        "RoleName".to_string()
-    }
-    fn json_schema(
-        _: &mut schemars::gen::SchemaGenerator,
-    ) -> schemars::schema::Schema {
-        schemars::schema::Schema::Object(schemars::schema::SchemaObject {
-            metadata: Some(Box::new(schemars::schema::Metadata {
-                title: Some("A name for a built-in role".to_string()),
-                description: Some(
-                    "Role names consist of two string components \
-                     separated by dot (\".\")."
-                        .to_string(),
-                ),
-                ..Default::default()
-            })),
-            instance_type: Some(schemars::schema::SingleOrVec::Single(
-                Box::new(schemars::schema::InstanceType::String),
-            )),
-            string: Some(Box::new(schemars::schema::StringValidation {
-                max_length: Some(63),
-                min_length: None,
-                pattern: Some("[a-z-]+\\.[a-z-]+".to_string()),
-            })),
-            ..Default::default()
-        })
-    }
-}
-
 /// Byte count to express memory or storage capacity.
 //
 // The maximum supported byte count is [`i64::MAX`].  This makes it somewhat
@@ -3595,8 +3529,8 @@ mod test {
     use super::VpcFirewallRuleHostFilter;
     use super::VpcFirewallRuleTarget;
     use super::{
-        ByteCount, Digest, L4Port, L4PortRange, Name, RoleName,
-        VpcFirewallRuleAction, VpcFirewallRuleDirection, VpcFirewallRuleFilter,
+        ByteCount, Digest, L4Port, L4PortRange, Name, VpcFirewallRuleAction,
+        VpcFirewallRuleDirection, VpcFirewallRuleFilter,
         VpcFirewallRulePriority, VpcFirewallRuleProtocol,
         VpcFirewallRuleStatus, VpcFirewallRuleUpdate,
         VpcFirewallRuleUpdateParams,
@@ -3679,54 +3613,6 @@ mod test {
         }
     }
 
-    #[test]
-    fn test_role_name_parse() {
-        // Error cases
-        let bad_inputs = vec![
-            // empty string is always worth testing
-            "",
-            // missing dot
-            "project",
-            // extra dot (or, illegal character in the second component)
-            "project.admin.super",
-            // missing resource type (or, another bogus resource type)
-            ".admin",
-            // missing role name
-            "project.",
-            // illegal characters in role name
-            "project.not_good",
-        ];
-
-        for input in bad_inputs {
-            eprintln!("check name {:?} (expecting error)", input);
-            let result =
-                input.parse::<RoleName>().expect_err("unexpectedly succeeded");
-            eprintln!("(expected) error: {:?}", result);
-        }
-
-        eprintln!("check name \"project.admin\" (expecting success)");
-        let role_name =
-            "project.admin".parse::<RoleName>().expect("failed to parse");
-        assert_eq!(role_name.to_string(), "project.admin");
-        assert_eq!(role_name.resource_type, "project");
-        assert_eq!(role_name.role_name, "admin");
-
-        eprintln!("check name \"barf.admin\" (expecting success)");
-        let role_name =
-            "barf.admin".parse::<RoleName>().expect("failed to parse");
-        assert_eq!(role_name.to_string(), "barf.admin");
-        assert_eq!(role_name.resource_type, "barf");
-        assert_eq!(role_name.role_name, "admin");
-
-        eprintln!("check name \"organization.super-user\" (expecting success)");
-        let role_name = "organization.super-user"
-            .parse::<RoleName>()
-            .expect("failed to parse");
-        assert_eq!(role_name.to_string(), "organization.super-user");
-        assert_eq!(role_name.resource_type, "organization");
-        assert_eq!(role_name.role_name, "super-user");
-    }
-
     #[test]
     fn test_resource_name_parse() {
         let bad_inputs = vec![

nexus/auth/src/authz/api_resources.rs

@@ -960,14 +960,6 @@ authz_resource! {
     polar_snippet = FleetChild,
 }
 
-authz_resource! {
-    name = "RoleBuiltin",
-    parent = "Fleet",
-    primary_key = (String, String),
-    roles_allowed = false,
-    polar_snippet = FleetChild,
-}
-
 authz_resource! {
     name = "UserBuiltin",
     parent = "Fleet",

nexus/auth/src/authz/mod.rs

@@ -67,9 +67,8 @@
 //!
 //! ## Role lookup
 //!
-//! Users, roles, and API resources are all stored in the database.  Naturally,
-//! so is the relationship that says a particular user has a particular role for
-//! a particular resource.
+//! Users and API resources are stored in the database, as is the relationship
+//! that says a particular user has a particular role for a particular resource.
 //!
 //! Suppose a built-in user "cookie-monster" has the "viewer" role for a Project
 //! "monster-foodies".  It looks like this:
@@ -91,26 +90,16 @@
 //! |   |    |
 //! |   |    +---------------------------------------------------------------+
 //! |   |                                                                    |
-//! |   | table: "role_builtin"                                              |
-//! |   | primary key: (resource_type, role_name)                            |
-//! |   | +---------------+-----------+-----+                                |
-//! |   | | resource_type | role_name | ... |                                |
-//! |   | +---------------+-----------+-----+                                |
-//! +---|-> "project "    | "viewer"  | ... |                                |
-//! |   | +---------------+--^--------+-----+                                |
-//! |   |                    |                                               |
-//! | +-|--------------------+                                               |
-//! | | |                                                                    |
-//! | | | table: "role_assignment"                                           |
-//! | | | (assigns built-in roles to users on arbitrary resources)           |
-//! | | | +---------------+-----------+-------------+-------------+---+      |
-//! | | | | resource_type | role_name | resource_id | identity_id |...|      |
-//! | | | +---------------+-----------+-------------+-------------+---+      |
-//! | | | | "project "    | "viewer"  |         123 |         234 |...|      |
-//! | | | +--^------------+--^--------+----------^--+-----------^-+---+      |
-//! | | |    |               |                   |              |            |
-//! +-|-|----+               |                   |              +------------+
-//!   +-|--------------------+                   |
+//! |   | table: "role_assignment"                                           |
+//! |   | (assigns roles to users on arbitrary resources)                    |
+//! |   | +---------------+-----------+-------------+-------------+---+      |
+//! |   | | resource_type | role_name | resource_id | identity_id |...|      |
+//! |   | +---------------+-----------+-------------+-------------+---+      |
+//! |   | | "project "    | "viewer"  |         123 |         234 |...|      |
+//! |   | +--^------------+--^--------+----------^--+-----------^-+---+      |
+//! |   |    |                                   |              |            |
+//! +---|----+                                   |              +------------+
+//!     |                                        |
 //!     +----------------------------------------+
 //! ```
 //!

nexus/auth/src/authz/oso_generic.rs

@@ -153,7 +153,6 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         DeviceAccessToken::init(),
         PhysicalDisk::init(),
         Rack::init(),
-        RoleBuiltin::init(),
         SshKey::init(),
         Silo::init(),
         SiloUser::init(),

nexus/db-fixed-data/src/lib.rs

@@ -39,7 +39,6 @@ use std::sync::LazyLock;
 pub mod allow_list;
 pub mod project;
 pub mod role_assignment;
-pub mod role_builtin;
 pub mod silo;
 pub mod silo_user;
 pub mod user_builtin;

nexus/db-fixed-data/src/role_assignment.rs

@@ -4,10 +4,10 @@
 //! Built-in assignments for built-in users and built-in roles
 
 use super::FLEET_ID;
-use super::role_builtin;
 use super::user_builtin;
 use nexus_db_model::IdentityType;
 use nexus_db_model::RoleAssignment;
+use omicron_common::api::external::ResourceType;
 use std::sync::LazyLock;
 
 pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
@@ -20,9 +20,9 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_INTERNAL_API.id,
-                role_builtin::FLEET_ADMIN.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_ADMIN.role_name,
+                "admin",
             ),
             // The "USER_SERVICE_BALANCER" user gets the "admin" role on the
             // Fleet.
@@ -33,9 +33,9 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_SERVICE_BALANCER.id,
-                role_builtin::FLEET_ADMIN.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_ADMIN.role_name,
+                "admin",
             ),
             // The "internal-read" user gets the "viewer" role on the sole
             // Fleet.  This will grant them the ability to read various control
@@ -44,19 +44,19 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_INTERNAL_READ.id,
-                role_builtin::FLEET_VIEWER.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_VIEWER.role_name,
+                "viewer",
             ),
-            // The "external-authenticator" user gets the "authenticator" role
-            // on the sole fleet.  This grants them the ability to create
-            // sessions.
+            // The "external-authenticator" user gets the
+            // "external-authenticator" role on the sole fleet.  This grants
+            // them the ability to create sessions.
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_EXTERNAL_AUTHN.id,
-                role_builtin::FLEET_AUTHENTICATOR.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_AUTHENTICATOR.role_name,
+                "external-authenticator",
             ),
         ]
     });