Relax access requests limitations and refactor AccessRequestsService
#41717
…an access request This was an artificial limitation, we only need to pass the correct cluster name to each requested resource.
The aim of this refactor is to disallow mixing resource and role access requests at the type level. Another thing is that for resource access requests we need to store cluster name. Because it's not needed for roles, we have to separate these two resource kinds.
…nstead of when switching resource tab
…ctions with resource access requests
fd0574a to fdc25d8
I finished midway through the second commit. The change with the types sounds pretty good.
Made it through the second commit, I'll continue the review tomorrow.
So far everything looks fine, my comments are mostly just tangents about keeping type safety of these changes in the future.
The original type `ResourceKind` was too wide, we don't support `user_group` and `windows_desktop` anyway.
🚢
As of now, we had two limitations when creating access requests:
As it turned out, 1. was an artificial limitation. It's perfectly fine for the backend to have requests from many clusters in a single access request.
But why did I want to remove it? It's because in the search bar you have access to all resources, so we can't easily block adding resources from a different cluster (and tbh the previous check that was kept in the cluster switcher was really easy to bypass by simply opening multiple access requests tabs).
However, after I removed this limitation, another problem occurred: we don't store cluster URI for the resources.
To fix this, I had to refactor the access requests service (and its state in particular).
The `{app: {}, node: {}, ...}` was replaced by a `Map` keyed by resource URI. This ensures that resources are unique among clusters.

The map value is a request object, which keeps a resource kind, URI, and for servers their hostname.
Previously, the hostname was stored as `kindIds[resourceId] = resourceName || resourceId`. I must say that I didn't like it, mainly because it was up to the caller to set the name (and it was really easy to miss it). Now it is required by the types for the particular resource type.

As for 2: I moved the check to the access requests service level, because as above, we can't control what the user adds to the request: they may add a role and then go to the search bar and add a resource.
I also changed the state shape, now it's `roles | resources`, not `roles & resources`, to better reflect the business logic.

TODO: show cluster name in the request checkout if there is more than one cluster in the request.
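
The state shape described in this PR description, sketched as an added TypeScript example (not code from the pull request or from Teleport). All type and function names are hypothetical, and the `/clusters/<name>/<kind>/<id>` URI layout is an assumption made for the sketch.

```typescript
// Added illustration. All names are hypothetical, not Teleport's actual code.
type ResourceRequest =
  | { kind: 'server'; uri: string; hostname: string } // hostname enforced by the type
  | { kind: 'app' | 'db' | 'kube'; uri: string };

// "roles | resources": a pending request holds one or the other, never both.
type PendingRequest =
  | { kind: 'role'; roles: Set<string> }
  | { kind: 'resource'; resources: Map<string, ResourceRequest> }; // keyed by URI

// On rejection the unchanged state is returned together with a reason.
type AddResult = { ok: boolean; state: PendingRequest; reason?: string };

function isEmpty(s: PendingRequest): boolean {
  return s.kind === 'role' ? s.roles.size === 0 : s.resources.size === 0;
}

// The mixing check lives in the service, so every caller (search bar,
// multiple tabs) goes through it instead of relying on a UI-level guard.
function addResource(state: PendingRequest, r: ResourceRequest): AddResult {
  if (state.kind === 'role' && !isEmpty(state)) {
    return { ok: false, state, reason: 'request already contains roles' };
  }
  const resources = new Map<string, ResourceRequest>(
    state.kind === 'resource' ? Array.from(state.resources) : []
  );
  resources.set(r.uri, r); // same id on another cluster has a different URI
  return { ok: true, state: { kind: 'resource', resources } };
}

function addRole(state: PendingRequest, role: string): AddResult {
  if (state.kind === 'resource' && !isEmpty(state)) {
    return { ok: false, state, reason: 'request already contains resources' };
  }
  const roles = new Set<string>(state.kind === 'role' ? Array.from(state.roles) : []);
  roles.add(role);
  return { ok: true, state: { kind: 'role', roles } };
}

// Assumed URI layout for this sketch: /clusters/<name>/<kind>/<id>
function clustersIn(state: PendingRequest): string[] {
  if (state.kind === 'role') return [];
  const names = new Set<string>();
  state.resources.forEach(r => names.add(r.uri.split('/')[2] || 'unknown'));
  return Array.from(names).sort();
}
```

`clustersIn` returning more than one name is the condition under which the TODO above would show the cluster name at checkout.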