Allow admins to create workspaces on behalf of users #3263

Closed
bpmct opened this issue Jul 28, 2022 · 5 comments · Fixed by #4183
Labels: api (Area: HTTP API), design needed (Request for more beauty), site (Area: frontend dashboard)

Comments

bpmct (Member) commented Jul 28, 2022

As a Coder administrator, I'd like to use the API/CLI (or even the web dashboard) to create and edit workspaces on behalf of other users.

Use cases:

  • Migrating platforms or workspaces on behalf of users
    • e.g. moving to another template, migrating from Coder v1
  • Automate/integrate Coder into another platform
  • Automated load testing (create users with workspaces)
  • Ensure developers have one workspace when their account is created

This seems like it could be an API/CLI-only feature. @Emyrk brought up the idea that admins could "masquerade" users (e.g. "Log in to Coder as @user-1").

bpmct changed the title from "Admin can create workspaces on behalf of users" to "Allow admins to create workspaces on behalf of users" on Jul 28, 2022

ammario (Member) commented Jul 29, 2022

I think it's safe to permit admins to create workspaces for other users, but we should continue being careful with our approach to compute access for the reasons outlined in #2135. TL;DR: arbitrary workspace access from an admin / group manager to a workspace exposes the users' non-Coder accounts. E.g., an admin in our dev deployment could use the credentials from my workspace to masquerade as me on GitHub, which makes me uncomfortable.

bpmct (Member, Author) commented Jul 29, 2022

I could also see this being a "root user" only feature.

ammario (Member) commented Jul 29, 2022

If we seriously believe in the pattern of someone creating a workspace for a new user, then it should be made in a fashion where more users can safely do it. The superadmin role should only be used for automation, setup, and the occasional configuration. It's too much of a security risk otherwise.

I think we could build it where they enter parameters and create the workspace but can't shell in afterwards. Either way this seems like something we should wait on more user feedback before building due to the uncertainty.

bpmct (Member, Author) commented Jul 29, 2022

The only use cases I could think of are automation (in issue description), hence the comment about it being a root feature.

Agree it's something we can wait on for feedback.

mattlqx commented Aug 12, 2022

As an admin of the service, I find it very important to be able to perform some actions on behalf of a user, specifically creation and deletion. In our developer systems today, we already have many ways in for support and maintenance purposes.

There's always out-of-band ways in anyway. At an enterprise level, someone will have greater access than the user. The administrator of the server can exec into Docker containers. An admin of a Kubernetes cluster can still exec into a pod. An EC2 admin can use SSM or a launch key to get in potentially, or just stop the instance and mount the volume somewhere else.

Re: the credentials bit, on our dedicated instances, we rely mostly on the policy that one should forward their SSH agent into their instance and always encrypt their key on their laptop. Not sure how that paradigm could transfer to a web-based workspace though.

kylecarbs added the site (Area: frontend dashboard), api (Area: HTTP API), and design needed (Request for more beauty) labels on Aug 24, 2022
kylecarbs added a commit that referenced this issue Sep 23, 2022
Fixes #3263.

This is now possible via the API, but still isn't possible via the UI.
kylecarbs added a commit that referenced this issue Sep 24, 2022
Fixes #3263.

This is now possible via the API, but still isn't possible via the UI.