Skip to content

fix(coderd): update provisionderd authz policy to allow updating userdata #6925

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 31, 2023
Merged

fix(coderd): update provisionderd authz policy to allow updating userdata #6925

merged 1 commit into from
Mar 31, 2023

Conversation

johnstcn
Copy link
Member

Given:

A workspace existed in an orphaned state from an OIDC user

When:

I attempted to delete the workspace

Then:

The workspace deletion failed with the following error in coderd logs:

Mar 31 13:15:06 coder coder[381195]: 2023-03-31 13:15:06.583 [DEBUG]        (coderd.authz_querier)        <./coderd/database/dbauthz/dbauthz.go:64>        logNotAuthorizedError        unauthorized        {"input": {"action": "update", "object": {"id": "dc196706-7dc1-4151-b83c-2f1314367fcb", "owner": "dc196706-7dc1-4151-b83c-2f1314367fcb", "org_owner": "", "type": "user_data", "acl_user_list": null, "acl_group_list": null}, "subject": {"ID": "00000000-0000-0000-0000-000000000000", "Roles": [{"name": "provisionerd", "display_name": "Provisioner Daemon", "site"
: [{"negate": false, "resource_type": "file", "action": "read"}, {"negate": false, "resource_type": "system", "action": "*"}, {"negate": false, "resource_type": "template", "action": "read"}, {"negate": false, "resource_type": "template", "action": "update"}, {"negate": false, "resource_type": "user", "action": "read"}, {"negate": false, "resource_type": "user_data", "actio
n": "read"}, {"negate": false, "resource_type": "workspace", "action": "read"}, {"negate": false, "resource_type": "workspace", "action": "update"}, {"negate": false, "resource_type": "workspace", "action": "delete"}], "org": {}, "user": []}], "Groups": null, "Scope": "all"}}, "error": "forbidden"} ...                                                                         
Mar 31 13:15:06 coder coder[381195]:   "internal": policy disallows request:                                                                                                                Mar 31 13:15:06 coder coder[381195]:                   github.com/coder/coder/coderd/rbac.RegoAuthorizer.authorize                                                                          Mar 31 13:15:06 coder coder[381195]:                       /home/coder/src/cdr/coder/coderd/rbac/authz.go:302                                                                               
Mar 31 13:15:06 coder coder[381195]: 2023-03-31 13:15:06.586 [WARN]        <./provisionerd/provisionerd.go:330>        (*Server).acquireJob        acquire job ...                          Mar 31 13:15:06 coder coder[381195]:   "error": request job was invalidated: obtain OIDC access token: update user link: unauthorized: forbidden                                            Mar 31 13:15:06 coder coder[381195]:                    storj.io/drpc/drpcwire.UnmarshalError:26                                                                                            
Mar 31 13:15:06 coder coder[381195]:                    storj.io/drpc/drpcstream.(*Stream).HandlePacket:198                                                                                 Mar 31 13:15:06 coder coder[381195]:                    storj.io/drpc/drpcmanager.(*Manager).manageReader:216

This PR updates the role for provisionerd so that it can update userdata resources.

@johnstcn johnstcn marked this pull request as ready for review March 31, 2023 14:10
@johnstcn johnstcn merged commit 334d982 into main Mar 31, 2023
@johnstcn johnstcn deleted the cj/provisionerd_rm_orphan_oidc branch March 31, 2023 14:11
@github-actions github-actions bot locked and limited conversation to collaborators Mar 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@johnstcn johnstcn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@johnstcn @Emyrk