Skip to content

feat(provisioner): add support for workspace_owner_rbac_roles #16407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 2, 2025
Merged

feat(provisioner): add support for workspace_owner_rbac_roles #16407

merged 1 commit into from
Mar 2, 2025

Conversation

nxf5025
Copy link
Contributor

@nxf5025 nxf5025 commented Feb 3, 2025

Part of coder/terraform-provider-coder#330

Adds support for the coder_workspace_owner.rbac_roles attribute

@cdr-bot cdr-bot bot added the community Pull Requests and issues created by the community. label Feb 3, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 3, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@nxf5025
Copy link
Contributor Author

nxf5025 commented Feb 3, 2025

I have read the CLA Document and I hereby sign the CLA

cdrci2 added a commit to coder/cla that referenced this pull request Feb 3, 2025
@cdrci2
@nxf5025 has signed the CLA in coder/coder#16407
7909b57
@nxf5025 nxf5025 mentioned this pull request Feb 3, 2025
Merged
@matifali matifali requested a review from Emyrk February 3, 2025 18:23
@nxf5025 nxf5025 force-pushed the provisioner-terraform-workspace-owner-rbac-roles branch from bf30eee to ada6342 Compare February 3, 2025 19:12
Emyrk
Emyrk reviewed Feb 6, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for responding so late. I have the time to help push this forward now 👍

coderd/provisionerdserver/provisionerdserver.go Outdated
Comment on lines 597 to 608
ownerRbacRoles := []string{}
for _, role := range owner.RBACRoles {
ownerRbacRoles = append(ownerRbacRoles, role)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this is not sufficient.

This is the code we use to fetch all the user's roles from the database:

https://github.com/coder/coder/blob/main/coderd/httpmw/apikey.go#L447-L475

So we should change this to:

Suggested change
ownerRbacRoles := []string{}
for _, role := range owner.RBACRoles {
ownerRbacRoles = append(ownerRbacRoles, role)
}
roles, err := s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), owner.ID)
if err != nil {
// Should we fail the job?
}
ownerRbacRoles := []string{}
for _, role := range roles.Roles {
ownerRbacRoles = append(ownerRbacRoles, role)
}

This will include all org roles as <org-id>:<org-role>. Would it be possible to have the role datatype be a struct, instead of list(string)?

role {
  name string
  org-id string
}

This would be preferred, as roles are uniquely identified by the pair of (org-id, rolename). And roles at the site wide level just have the uuid of 000...000

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes perfect sense to me! Just updated the PR

@nxf5025 nxf5025 force-pushed the provisioner-terraform-workspace-owner-rbac-roles branch from ada6342 to f70ff35 Compare February 7, 2025 16:51
Emyrk
Emyrk reviewed Feb 10, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good 👍. Some minor nits, and then I'll approve.

coderd/provisionerdserver/provisionerdserver.go Outdated
}
ownerRbacRoles := []*sdkproto.OwnerRbacRoles{}
for _, role := range roles.Roles {
ownerRbacRoles = append(ownerRbacRoles, &sdkproto.OwnerRbacRoles{Name: role, OrgId: s.OrganizationID.String()})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should convert the nil uuid to the empty string. Since we losing the parsed uuid, determining a nil uuid is trickier on the other side of the communication. Just pass the empty string to indicate "no org id"

Suggested change
ownerRbacRoles = append(ownerRbacRoles, &sdkproto.OwnerRbacRoles{Name: role, OrgId: s.OrganizationID.String()})
if s.OrganizationID == uuid.Nil {
ownerRbacRoles = append(ownerRbacRoles, &sdkproto.OwnerRbacRoles{Name: role, OrgId: ""})
continue
}
ownerRbacRoles = append(ownerRbacRoles, &sdkproto.OwnerRbacRoles{Name: role, OrgId: s.OrganizationID.String()})

coderd/provisionerdserver/provisionerdserver.go Outdated
@@ -594,6 +594,15 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
})
}

roles, err := s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), owner.ID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ctx should already have the right perms. If it does not, we can add what it needs to here: https://github.com/coder/coder/blob/main/coderd/database/dbauthz/dbauthz.go#L164-L193

Suggested change
roles, err := s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), owner.ID)
roles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)

Emyrk
Emyrk reviewed Feb 10, 2025
View reviewed changes
provisionersdk/proto/provisioner.proto Outdated
@@ -244,6 +244,11 @@ enum WorkspaceTransition {
DESTROY = 2;
}

message OwnerRbacRoles {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Role is descriptive enough imo.

Suggested change
message OwnerRbacRoles {
message Role {

@nxf5025 nxf5025 force-pushed the provisioner-terraform-workspace-owner-rbac-roles branch from f70ff35 to b960125 Compare February 13, 2025 14:00
@nxf5025
Copy link
Contributor Author

nxf5025 commented Feb 13, 2025

Updated PR based on suggestions

Emyrk
Emyrk approved these changes Feb 13, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the persistence 👍

Just a nit about the unit test

provisioner/terraform/provision_test.go Outdated
Value: "member",
}, {
Key: "rbac_roles_org_id",
Value: "00000000-0000-0000-0000-000000000000",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Value: "00000000-0000-0000-0000-000000000000",
Value: "",

provisioner/terraform/provision_test.go Outdated
},
Request: &proto.PlanRequest{
Metadata: &proto.Metadata{
WorkspaceOwnerRbacRoles: []*proto.Role{{Name: "member", OrgId: "00000000-0000-0000-0000-000000000000"}},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the test should be an empty string now?

Suggested change
WorkspaceOwnerRbacRoles: []*proto.Role{{Name: "member", OrgId: "00000000-0000-0000-0000-000000000000"}},
WorkspaceOwnerRbacRoles: []*proto.Role{{Name: "member", OrgId: ""}},

@Emyrk
Copy link
Member

Emyrk commented Feb 18, 2025

@nxf5025 can you make the test changes and merge/rebase? I will then merge

@nxf5025 nxf5025 force-pushed the provisioner-terraform-workspace-owner-rbac-roles branch from b960125 to bd9d6c8 Compare February 19, 2025 20:54
@nxf5025
Copy link
Contributor Author

nxf5025 commented Feb 19, 2025

Hey @Emyrk sorry for the delay. Got hit with the flu. I just rebased and updated the test.

@Emyrk
Copy link
Member

Emyrk commented Feb 19, 2025

@nxf5025 np, thank you for getting this in!

@github-actions github-actions bot added the stale This issue is like stale bread. label Feb 27, 2025
@github-actions github-actions bot closed this Mar 2, 2025
@nxf5025
Copy link
Contributor Author

nxf5025 commented Mar 2, 2025

@Emyrk - I see this went stale and got closed. Anything you need from me to get this in?

@Emyrk Emyrk reopened this Mar 2, 2025
@Emyrk Emyrk merged commit ca23abe into coder:main Mar 2, 2025
56 of 59 checks passed
@Emyrk
Copy link
Member

Emyrk commented Mar 2, 2025

@nxf5025 merged!

@github-actions github-actions bot locked and limited conversation to collaborators Mar 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@nxf5025 nxf5025

Labels
community Pull Requests and issues created by the community. stale This issue is like stale bread.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nxf5025 @Emyrk