Skip to content

chore: document RBAC usage #14065

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 10, 2024
Merged

chore: document RBAC usage #14065

merged 11 commits into from
Sep 10, 2024

Conversation

dannykopping
Copy link
Contributor

Uses #14055 (credit to @johnstcn!) as a reference to demonstrate the use of the RBAC system.

@dannykopping dannykopping requested review from johnstcn and Emyrk July 31, 2024 13:32
@alwaysmeticulous alwaysmeticulous

This comment was marked as outdated.

Sign in to view
@dannykopping dannykopping changed the title Document RBAC usage chore: document RBAC usage Jul 31, 2024
Emyrk
Emyrk reviewed Jul 31, 2024
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This overall looks good. The one missing piece is RBACObject() and the organizational scoping.

Something to note, if you use InOrg(), then you must be a member of the organization as well. What this means is if you have the user Alice make a workspace Worble in organization Orange, and Alice leaves the org, she can no longer use the workspace.

Despite having the user permission to do so.

This is stated here in the rego:

coder/coderd/rbac/policy.rego

Lines 241 to 243 in ceffff9

# If we are not a member of an org, and the object has an org, then we are
# not authorized. This is an "implied -1" for not being in the org.
org_ok

So the truth table for not being in an org (if the resource belongs to an org) has a Negative in the Org column.

@Emyrk Emyrk mentioned this pull request Aug 7, 2024
Merged
@github-actions github-actions bot added the stale This issue is like stale bread. label Aug 9, 2024
@github-actions github-actions bot closed this Aug 12, 2024
@johnstcn johnstcn reopened this Aug 12, 2024
@johnstcn johnstcn removed the stale This issue is like stale bread. label Aug 12, 2024
@dannykopping
Copy link
Contributor Author

@johnstcn thanks for reopening; I'll try get to this today or tomorrow.

@github-actions github-actions bot added the stale This issue is like stale bread. label Aug 27, 2024
@github-actions github-actions bot closed this Aug 31, 2024
@dannykopping dannykopping reopened this Sep 3, 2024
@github-actions github-actions bot removed the stale This issue is like stale bread. label Sep 4, 2024
dannykopping and others added 8 commits September 10, 2024 11:14
@dannykopping
Document RBAC usage
d1b6de6 
Signed-off-by: Danny Kopping <danny@coder.com>
@dannykopping
make fmt
23e01c5 
Signed-off-by: Danny Kopping <danny@coder.com>
@Emyrk @dannykopping
chore: fixup rbac/readme.md typos
706a3d8 
- Truth table had an incorrect result value in final row
- Permission format examples was missing the object type
- Fix actions list
- Code block a bash command
@johnstcn @dannykopping
make fumpt
4681b9d
@johnstcn @Emyrk @dannykopping
Apply suggestions from code review
6f240c9 
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
@johnstcn @dannykopping
make fmt
c2f29d0
@stirby @dannykopping
Minor fixups, added troubleshooting (#14519) (#14530)
26ca907 
(cherry picked from commit 66c8060)

Co-authored-by: Danny Kopping <danny@coder.com>
@dannykopping
Update usage docs
cf25746 
Signed-off-by: Danny Kopping <danny@coder.com>
johnstcn
johnstcn approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Thanks for taking this on @dannykopping !

@dannykopping @johnstcn
Apply suggestions from code review
5fa2b96 
Co-authored-by: Cian Johnston <cian@coder.com>
Emyrk
Emyrk approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love all this ❤️

@dannykopping @Emyrk
Update coderd/rbac/USAGE.md
257962b 
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
@dannykopping dannykopping enabled auto-merge (squash) September 10, 2024 14:36
@dannykopping
Appease the linter gods
02f7447 
Signed-off-by: Danny Kopping <danny@coder.com>
@dannykopping dannykopping merged commit 914f35a into main Sep 10, 2024
26 checks passed
@dannykopping dannykopping deleted the dk/rbacdoc branch September 10, 2024 15:15
@github-actions github-actions bot locked and limited conversation to collaborators Sep 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@dannykopping dannykopping

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dannykopping @johnstcn @Emyrk @stirby