coder
diff --git a/‎cli/clitest/golden.go
+6-5 b/‎cli/clitest/golden.go
+6-5
diff --git a/‎cli/exp_scaletest.go
+42-8 b/‎cli/exp_scaletest.go
+42-8
diff --git a/‎cli/exptest/exptest_scaletest_test.go
+70 b/‎cli/exptest/exptest_scaletest_test.go
+70
diff --git a/‎cli/schedule_test.go
+1-1 b/‎cli/schedule_test.go
+1-1
diff --git a/‎cli/server_createadminuser.go
+6-6 b/‎cli/server_createadminuser.go
+6-6
diff --git a/‎cli/user_delete_test.go
+20-23 b/‎cli/user_delete_test.go
+20-23
diff --git a/‎cli/usercreate.go
+8-7 b/‎cli/usercreate.go
+8-7
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/cli/config"
@@ -183,11 +184,11 @@ func prepareTestData(t *testing.T) (*codersdk.Client, map[string]string) {
 		IncludeProvisionerDaemon: true,
 	})
 	firstUser := coderdtest.CreateFirstUser(t, rootClient)
-	secondUser, err := rootClient.CreateUser(ctx, codersdk.CreateUserRequest{
-		Email:          "testuser2@coder.com",
-		Username:       "testuser2",
-		Password:       coderdtest.FirstUserParams.Password,
-		OrganizationID: firstUser.OrganizationID,
+	secondUser, err := rootClient.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+		Email:           "testuser2@coder.com",
+		Username:        "testuser2",
+		Password:        coderdtest.FirstUserParams.Password,
+		OrganizationIDs: []uuid.UUID{firstUser.OrganizationID},
 	})
 	require.NoError(t, err)
 	version := coderdtest.CreateTemplateVersion(t, rootClient, firstUser.OrganizationID, nil)
 
@@ -117,7 +117,7 @@ func (s *scaletestTracingFlags) provider(ctx context.Context) (trace.TracerProvi
 	}
 
 	var closeTracingOnce sync.Once
-	return tracerProvider, func(ctx context.Context) error {
+	return tracerProvider, func(_ context.Context) error {
 		var err error
 		closeTracingOnce.Do(func() {
 			// Allow time to upload traces even if ctx is canceled
@@ -430,7 +430,7 @@ func (r *RootCmd) scaletestCleanup() *serpent.Command {
 			}
 
 			cliui.Infof(inv.Stdout, "Fetching scaletest workspaces...")
-			workspaces, err := getScaletestWorkspaces(ctx, client, template)
+			workspaces, _, err := getScaletestWorkspaces(ctx, client, "", template)
 			if err != nil {
 				return err
 			}
@@ -863,6 +863,7 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 		tickInterval     time.Duration
 		bytesPerTick     int64
 		ssh              bool
+		useHostLogin     bool
 		app              string
 		template         string
 		targetWorkspaces string
@@ -926,10 +927,18 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 				return xerrors.Errorf("get app host: %w", err)
 			}
 
-			workspaces, err := getScaletestWorkspaces(inv.Context(), client, template)
+			var owner string
+			if useHostLogin {
+				owner = codersdk.Me
+			}
+
+			workspaces, numSkipped, err := getScaletestWorkspaces(inv.Context(), client, owner, template)
 			if err != nil {
 				return err
 			}
+			if numSkipped > 0 {
+				cliui.Warnf(inv.Stdout, "CODER_DISABLE_OWNER_WORKSPACE_ACCESS is set on the deployment.\n\t%d workspace(s) were skipped due to ownership mismatch.\n\tSet --use-host-login to only target workspaces you own.", numSkipped)
+			}
 
 			if targetWorkspaceEnd == 0 {
 				targetWorkspaceEnd = len(workspaces)
@@ -1092,6 +1101,13 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 			Description: "Send WebSocket traffic to a workspace app (proxied via coderd), cannot be used with --ssh.",
 			Value:       serpent.StringOf(&app),
 		},
+		{
+			Flag:        "use-host-login",
+			Env:         "CODER_SCALETEST_USE_HOST_LOGIN",
+			Default:     "false",
+			Description: "Connect as the currently logged in user.",
+			Value:       serpent.BoolOf(&useHostLogin),
+		},
 	}
 
 	tracingFlags.attach(&cmd.Options)
@@ -1378,22 +1394,35 @@ func isScaleTestWorkspace(workspace codersdk.Workspace) bool {
 		strings.HasPrefix(workspace.Name, "scaletest-")
 }
 
-func getScaletestWorkspaces(ctx context.Context, client *codersdk.Client, template string) ([]codersdk.Workspace, error) {
+func getScaletestWorkspaces(ctx context.Context, client *codersdk.Client, owner, template string) ([]codersdk.Workspace, int, error) {
 	var (
 		pageNumber = 0
 		limit      = 100
 		workspaces []codersdk.Workspace
+		skipped    int
 	)
 
+	me, err := client.User(ctx, codersdk.Me)
+	if err != nil {
+		return nil, 0, xerrors.Errorf("check logged-in user")
+	}
+
+	dv, err := client.DeploymentConfig(ctx)
+	if err != nil {
+		return nil, 0, xerrors.Errorf("fetch deployment config: %w", err)
+	}
+	noOwnerAccess := dv.Values != nil && dv.Values.DisableOwnerWorkspaceExec.Value()
+
 	for {
 		page, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
 			Name:     "scaletest-",
 			Template: template,
+			Owner:    owner,
 			Offset:   pageNumber * limit,
 			Limit:    limit,
 		})
 		if err != nil {
-			return nil, xerrors.Errorf("fetch scaletest workspaces page %d: %w", pageNumber, err)
+			return nil, 0, xerrors.Errorf("fetch scaletest workspaces page %d: %w", pageNumber, err)
 		}
 
 		pageNumber++
@@ -1403,13 +1432,18 @@ func getScaletestWorkspaces(ctx context.Context, client *codersdk.Client, templa
 
 		pageWorkspaces := make([]codersdk.Workspace, 0, len(page.Workspaces))
 		for _, w := range page.Workspaces {
-			if isScaleTestWorkspace(w) {
-				pageWorkspaces = append(pageWorkspaces, w)
+			if !isScaleTestWorkspace(w) {
+				continue
+			}
+			if noOwnerAccess && w.OwnerID != me.ID {
+				skipped++
+				continue
 			}
+			pageWorkspaces = append(pageWorkspaces, w)
 		}
 		workspaces = append(workspaces, pageWorkspaces...)
 	}
-	return workspaces, nil
+	return workspaces, skipped, nil
 }
 
 func getScaletestUsers(ctx context.Context, client *codersdk.Client) ([]codersdk.User, error) {
 
@@ -0,0 +1,70 @@
+package exptest_test
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/testutil"
+)
+
+// This test validates that the scaletest CLI filters out workspaces not owned
+// when disable owner workspace access is set.
+// This test is in its own package because it mutates a global variable that
+// can influence other tests in the same package.
+// nolint:paralleltest
+func TestScaleTestWorkspaceTraffic_UseHostLogin(t *testing.T) {
+	ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitMedium)
+	defer cancelFunc()
+
+	log := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+	client := coderdtest.New(t, &coderdtest.Options{
+		Logger:                   &log,
+		IncludeProvisionerDaemon: true,
+		DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+			dv.DisableOwnerWorkspaceExec = true
+		}),
+	})
+	owner := coderdtest.CreateFirstUser(t, client)
+	tv := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
+	_ = coderdtest.AwaitTemplateVersionJobCompleted(t, client, tv.ID)
+	tpl := coderdtest.CreateTemplate(t, client, owner.OrganizationID, tv.ID)
+	// Create a workspace owned by a different user
+	memberClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+	_ = coderdtest.CreateWorkspace(t, memberClient, tpl.ID, func(cwr *codersdk.CreateWorkspaceRequest) {
+		cwr.Name = "scaletest-workspace"
+	})
+
+	// Test without --use-host-login first.g
+	inv, root := clitest.New(t, "exp", "scaletest", "workspace-traffic",
+		"--template", tpl.Name,
+	)
+	// nolint:gocritic // We are intentionally testing this as the owner.
+	clitest.SetupConfig(t, client, root)
+	var stdoutBuf bytes.Buffer
+	inv.Stdout = &stdoutBuf
+
+	err := inv.WithContext(ctx).Run()
+	require.ErrorContains(t, err, "no scaletest workspaces exist")
+	require.Contains(t, stdoutBuf.String(), `1 workspace(s) were skipped`)
+
+	// Test once again with --use-host-login.
+	inv, root = clitest.New(t, "exp", "scaletest", "workspace-traffic",
+		"--template", tpl.Name,
+		"--use-host-login",
+	)
+	// nolint:gocritic // We are intentionally testing this as the owner.
+	clitest.SetupConfig(t, client, root)
+	stdoutBuf.Reset()
+	inv.Stdout = &stdoutBuf
+
+	err = inv.WithContext(ctx).Run()
+	require.ErrorContains(t, err, "no scaletest workspaces exist")
+	require.NotContains(t, stdoutBuf.String(), `1 workspace(s) were skipped`)
+}
@@ -35,7 +35,7 @@ func setupTestSchedule(t *testing.T, sched *cron.Schedule) (ownerClient, memberC
 
 	ownerClient, db = coderdtest.NewWithDatabase(t, nil)
 	owner := coderdtest.CreateFirstUser(t, ownerClient)
-	memberClient, memberUser := coderdtest.CreateAnotherUserMutators(t, ownerClient, owner.OrganizationID, nil, func(r *codersdk.CreateUserRequest) {
+	memberClient, memberUser := coderdtest.CreateAnotherUserMutators(t, ownerClient, owner.OrganizationID, nil, func(r *codersdk.CreateUserRequestWithOrgs) {
 		r.Username = "testuser2" // ensure deterministic ordering
 	})
 	_ = dbfake.WorkspaceBuild(t, db, database.Workspace{
 
@@ -83,12 +83,12 @@ func (r *RootCmd) newCreateAdminUserCommand() *serpent.Command {
 
 			validateInputs := func(username, email, password string) error {
 				// Use the validator tags so we match the API's validation.
-				req := codersdk.CreateUserRequest{
-					Username:       "username",
-					Name:           "Admin User",
-					Email:          "email@coder.com",
-					Password:       "ValidPa$$word123!",
-					OrganizationID: uuid.New(),
+				req := codersdk.CreateUserRequestWithOrgs{
+					Username:        "username",
+					Name:            "Admin User",
+					Email:           "email@coder.com",
+					Password:        "ValidPa$$word123!",
+					OrganizationIDs: []uuid.UUID{uuid.New()},
 				}
 				if username != "" {
 					req.Username = username
 
@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/cli/clitest"
@@ -26,13 +27,12 @@ func TestUserDelete(t *testing.T) {
 		pw, err := cryptorand.String(16)
 		require.NoError(t, err)
 
-		_, err = client.CreateUser(ctx, codersdk.CreateUserRequest{
-			Email:          "colin5@coder.com",
-			Username:       "coolin",
-			Password:       pw,
-			UserLoginType:  codersdk.LoginTypePassword,
-			OrganizationID: owner.OrganizationID,
-			DisableLogin:   false,
+		_, err = client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+			Email:           "colin5@coder.com",
+			Username:        "coolin",
+			Password:        pw,
+			UserLoginType:   codersdk.LoginTypePassword,
+			OrganizationIDs: []uuid.UUID{owner.OrganizationID},
 		})
 		require.NoError(t, err)
 
@@ -57,13 +57,12 @@ func TestUserDelete(t *testing.T) {
 		pw, err := cryptorand.String(16)
 		require.NoError(t, err)
 
-		user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
-			Email:          "colin5@coder.com",
-			Username:       "coolin",
-			Password:       pw,
-			UserLoginType:  codersdk.LoginTypePassword,
-			OrganizationID: owner.OrganizationID,
-			DisableLogin:   false,
+		user, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+			Email:           "colin5@coder.com",
+			Username:        "coolin",
+			Password:        pw,
+			UserLoginType:   codersdk.LoginTypePassword,
+			OrganizationIDs: []uuid.UUID{owner.OrganizationID},
 		})
 		require.NoError(t, err)
 
@@ -88,13 +87,12 @@ func TestUserDelete(t *testing.T) {
 		pw, err := cryptorand.String(16)
 		require.NoError(t, err)
 
-		user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
-			Email:          "colin5@coder.com",
-			Username:       "coolin",
-			Password:       pw,
-			UserLoginType:  codersdk.LoginTypePassword,
-			OrganizationID: owner.OrganizationID,
-			DisableLogin:   false,
+		user, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+			Email:           "colin5@coder.com",
+			Username:        "coolin",
+			Password:        pw,
+			UserLoginType:   codersdk.LoginTypePassword,
+			OrganizationIDs: []uuid.UUID{owner.OrganizationID},
 		})
 		require.NoError(t, err)
 
@@ -121,13 +119,12 @@ func TestUserDelete(t *testing.T) {
 	// 	pw, err := cryptorand.String(16)
 	// 	require.NoError(t, err)
 
-	// 	toDelete, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
+	// 	toDelete, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
 	// 		Email:          "colin5@coder.com",
 	// 		Username:       "coolin",
 	// 		Password:       pw,
 	// 		UserLoginType:  codersdk.LoginTypePassword,
 	// 		OrganizationID: aUser.OrganizationID,
-	// 		DisableLogin:   false,
 	// 	})
 	// 	require.NoError(t, err)
 
 
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/go-playground/validator/v10"
+	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/pretty"
@@ -94,13 +95,13 @@ func (r *RootCmd) userCreate() *serpent.Command {
 				}
 			}
 
-			_, err = client.CreateUser(inv.Context(), codersdk.CreateUserRequest{
-				Email:          email,
-				Username:       username,
-				Name:           name,
-				Password:       password,
-				OrganizationID: organization.ID,
-				UserLoginType:  userLoginType,
+			_, err = client.CreateUserWithOrgs(inv.Context(), codersdk.CreateUserRequestWithOrgs{
+				Email:           email,
+				Username:        username,
+				Name:            name,
+				Password:        password,
+				OrganizationIDs: []uuid.UUID{organization.ID},
+				UserLoginType:   userLoginType,
 			})
 			if err != nil {
 				return err