feat: allow auditors to read template insights #10860

Merged
merged 3 commits into from
Nov 24, 2023

@johnstcn johnstcn commented Nov 24, 2023

Fixes #10627

  • Adds a template_insights pseudo-resource
  • Grants auditor and template admin roles read access on template_insights
  • Updates existing RBAC checks to check for read template_insights, falling back to template update permissions
  • Updates TemplateLayout to show Insights tab if can read template_insights or can update template

@johnstcn johnstcn self-assigned this Nov 24, 2023
@johnstcn johnstcn requested review from mtojek and mafredri November 24, 2023 15:52

@mtojek mtojek left a comment

Mostly nitpicks 👍

if len(arg.TemplateIDs) == 0 {
if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
return nil, err
}
}
}
return q.db.GetTemplateInsightsByInterval(ctx, arg)
}

func (q *querier) GetTemplateInsightsByTemplate(ctx context.Context, arg database.GetTemplateInsightsByTemplateParams) ([]database.GetTemplateInsightsByTemplateRow, error) {
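
Review bot: in the `len(arg.TemplateIDs) == 0` branch, `q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTemplate.All())` gates the read-only `GetTemplateInsightsByInterval` query on update permission over every template, and nothing in the visible lines says why. A short comment above the branch stating that this is the fallback check, plus a test for a caller that passes no template IDs, would make the intended authorization order explicit and harder to break in a later refactor.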
Member

Some of these methods are used only by metrics collector, so in theory you don't need to assign auditor permissions.

Member Author

I'll take another pass and remove the unnecessary perms.

Member Author

I ended up switching GetTemplateAppInsightsByTemplate and GetTemplateInsightsByTemplate to only check rbac.ResourceTemplateInsights, as they're only used by the metrics collector and it's likely to be lower overhead than rbac.ResourceTemplate.All(). Could also have made them check rbac.ResourceSystem, but I think this is more correct.

@johnstcn johnstcn merged commit dd161b1 into main Nov 24, 2023
@johnstcn johnstcn deleted the cj/auditor-insights-user-latency branch November 24, 2023 17:21
@github-actions github-actions bot locked and limited conversation to collaborators Nov 24, 2023
Development

Successfully merging this pull request may close these issues.

allow auditors to query insights/user-latency