feat(rbac): sync only managed resource policies #2144
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
There was a problem hiding this comment.
Pull Request Overview
Adds a Config parameter to the RBAC enforcer to limit policy deletions to known resources, letting external policy sources coexist.
- Introduces
authz.ConfigwithManagedResourcesandRolesMap - Updates all
New*EnforceranddoSynccalls to accept and use the new config - Adjusts tests and wiring code to pass default or custom configs
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| app/controlplane/pkg/authz/authz.go | Added Config struct, ManagedResources, updated doSync logic |
| app/controlplane/pkg/authz/authz_test.go | Passed &Config{RolesMap: RolesMap} into sync calls |
| app/controlplane/pkg/authz/authz_integration_test.go | Updated enforcer instantiation to include empty &Config{} |
| app/controlplane/pkg/biz/testhelpers/wire.go | Added local authzConfig helper |
| app/controlplane/pkg/biz/testhelpers/wire_gen.go | Added local authzConfig helper |
| app/controlplane/cmd/wire.go | Added local authzConfig helper |
| app/controlplane/cmd/wire_gen.go | Added local authzConfig helper |
Comments suppressed due to low confidence (2)
app/controlplane/pkg/authz/authz.go:522
- The call to
RemovePolicyuses a slice of strings (gotPolicies) rather than passing the individualrole, resource, actionarguments. Consider deconstructing the slice and callinge.RemovePolicy(role, resource, action)for consistency and to match the method signature.
wantPolicies, ok := config.RolesMap[Role(role)]
app/controlplane/pkg/authz/authz.go:43
- [nitpick] The new
Configstruct should have a doc comment explaining its purpose (e.g., default behavior, fields semantics). Adding GoDoc will improve maintainability and clarity for future contributors.
type Config struct {
migmartri
approved these changes
Jun 27, 2025
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis
changed the title
|
Added some tests for collisions |
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This small patch adds some flexibility to the RBAC policies syncer so that it doesn't delete policies for "unknown" resources. This allows other sources for policies to coexist seamlessly.
The Enforcer can now be configured with a custom set of role mappings and managed resources.
Refs #2121