Skip to content

chore: merge provisioner key and provisioner permissions #16628

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Feb 24, 2025
Merged

chore: merge provisioner key and provisioner permissions #16628

merged 6 commits into from
Feb 24, 2025

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Feb 19, 2025
edited
Loading

Closes coder/internal#341

Provisioner key permissions were never any different than provisioners. Merging them for a cleaner permission story until they are required (if ever) to be seperate.

This removed ResourceProvisionerKey from RBAC and just uses the existing ResourceProvisioner.

Emyrk
Emyrk commented Feb 19, 2025
View reviewed changes
enterprise/coderd/roles.go
Comment on lines +154 to +156
SitePermissions: db2sdk.List(filterInvalidPermissions(req.SitePermissions), sdkPermissionToDB),
OrgPermissions: db2sdk.List(filterInvalidPermissions(req.OrganizationPermissions), sdkPermissionToDB),
UserPermissions: db2sdk.List(filterInvalidPermissions(req.UserPermissions), sdkPermissionToDB),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this, custom roles with the old perm are unable to be updated.

@Emyrk Emyrk requested a review from johnstcn February 19, 2025 18:28
johnstcn
johnstcn reviewed Feb 19, 2025
View reviewed changes
enterprise/coderd/roles.go
Comment on lines +254 to +270
func filterInvalidPermissions(permissions []codersdk.Permission) []codersdk.Permission {
// Filter out any invalid permissions
var validPermissions []codersdk.Permission
for _, permission := range permissions {
err := rbac.Permission{
Negate: permission.Negate,
ResourceType: string(permission.ResourceType),
Action: policy.Action(permission.Action),
}.Valid()
if err != nil {
continue
}
validPermissions = append(validPermissions, permission)
}
return validPermissions
}

Copy link
Member

@johnstcn johnstcn Feb 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to filter these out? Is this in order to handle custom roles?
I'd rather have some warning of invalid permissions being in use if so.

EDIT: Now I see your above comment. This is legit, but we should probably have some way of surfacing this to admins so that they can update the role.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@johnstcn yea this is really unfortunate.

This is the continuous problem of "warnings" vs "errors", and our product does not support warnings very well.

I can make a follow up issue. Without this change, a stale role is a blocking thing that is impossible to fix via the UI. Custom roles unfortunately just have not been given the resources to come up with a proper UX yet.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue made here: #16632

johnstcn
johnstcn reviewed Feb 19, 2025
View reviewed changes
johnstcn
johnstcn reviewed Feb 19, 2025
View reviewed changes
Emyrk and others added 3 commits February 19, 2025 12:44
@Emyrk @johnstcn
Update site/src/api/rbacresourcesGenerated.ts
aee3289 
Co-authored-by: Cian Johnston <cian@coder.com>
@Emyrk @johnstcn
Update coderd/rbac/policy/policy.go
ccc3afa 
Co-authored-by: Cian Johnston <cian@coder.com>
@Emyrk
make gen
a6fcd52
@Emyrk Emyrk merged commit e005e4e into main Feb 24, 2025
34 of 35 checks passed
@Emyrk Emyrk deleted the stevenmasley/merge_provisioner_perms branch February 24, 2025 19:31
@github-actions github-actions bot locked and limited conversation to collaborators Feb 24, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove ResourceProvisionerKeys and lump it with ResourceProvisionerDaemon
2 participants
@Emyrk @johnstcn