RBAC: Cover plugin routes #80578
pkg/plugins/plugindef/plugindef.cue
Outdated
@@ -364,6 +364,9 @@ schemas: [{ | |||
reqSignedIn?: bool | |||
reqRole?: string | |||
|
|||
// RBAC action the user must have to access the route | |||
action?: string |
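Review bot: the new `action?: string` field breaks the `req*` naming used by its neighbours `reqSignedIn` and `reqRole`; `reqAction` would read as a requirement rather than as something the route performs. The comment above it should also show the expected format with an example value, and state how the check combines with `reqRole` when a route sets both and whether an empty string means no check.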
Do we prefer `reqAction` to be consistent with `reqRole` or `action` to be consistent with the includes' `action` field?
I'd go with `reqAction` to make it clear it's a requirement. Also an example will help for people to understand what this does.
Unrelated but does this support multiple actions or only one?
Ok 👌
> Also an example will help for people to understand what this does.

What do you have in mind? Plugin example? Or plugin-tools docs update with an example?
> Unrelated but does this support multiple actions or only one?

It supports only one action. We'll see if we ever need to support something more complex.
> What do you have in mind? Plugin example? Or plugin-tools docs update with an example?

For this case, I only mean in the comment: `// RBAC action the user must have to access the route i.e. plugin-id.projects:read`
> It supports only one action

👍
Code LGTM, I only have a suggestion regarding naming / docs
LGTM
Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
* RBAC: Cover plugin routes
* Action instead of ReqAction
* Fix test initializations
* Fix NewPluginProxy call
* Duplicate test to add RBAC checks
* Cover legacy access control as well
* Fix typo
* action -> reqAction
* Add example

Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>

---------

Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
What is this feature?
This PR adds the possibility to protect plugin proxied routes with an RBAC action check.
Why do we need this feature?
This has been requested by plugin developers.
Who is this feature for?
[Add information on what kind of user the feature is for.]
Which issue(s) does this PR fix?:
Special notes for your reviewer:
We had covered includes in #57582.
Schema updates: #80592
Once this is merged I need to update the plugin-tools docs
Please check that:
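The route protection this PR describes, modelled as an added example that is not code from the PR or from Grafana: a proxied route that carries both `reqRole` and a single `reqAction`, evaluated for users with and without the action. The `Route`, `User` and `Allowed` names, the role ranking, and the rule that the action check decides when RBAC is enabled (with `reqRole` as the legacy fallback) are assumptions made for illustration.

```go
package main

import "fmt"

// Route mirrors the requirement fields visible in the schema hunk.
// Everything else is a hypothetical model, not Grafana's implementation.
type Route struct {
	Path        string
	ReqSignedIn bool
	ReqRole     string // "Viewer", "Editor" or "Admin"; empty means no role check
	ReqAction   string // one RBAC action; empty means no action check
}

// User is a constructed stand-in for the requesting identity.
type User struct {
	SignedIn bool
	Role     string
	Actions  map[string]bool // RBAC actions granted to this user
}

var roleRank = map[string]int{"Viewer": 1, "Editor": 2, "Admin": 3}

// Allowed reports whether the proxy should forward the request.
// Assumption: with RBAC enabled and reqAction set, the action check decides;
// otherwise the legacy reqRole check applies.
func Allowed(r Route, u User, rbacEnabled bool) bool {
	if r.ReqSignedIn && !u.SignedIn {
		return false
	}
	if rbacEnabled && r.ReqAction != "" {
		return u.Actions[r.ReqAction] // exact match on a single action, deny by default
	}
	if r.ReqRole != "" {
		need, ok := roleRank[r.ReqRole]
		return ok && roleRank[u.Role] >= need // unknown role names deny
	}
	return true
}

func main() {
	// Constructed sample route using the action name suggested in the review thread.
	route := Route{Path: "api/projects", ReqRole: "Viewer", ReqAction: "plugin-id.projects:read"}
	viewer := User{SignedIn: true, Role: "Viewer"}
	granted := User{SignedIn: true, Role: "Viewer", Actions: map[string]bool{"plugin-id.projects:read": true}}
	admin := User{SignedIn: true, Role: "Admin"} // in this model a role alone never satisfies an action
	fmt.Println(Allowed(route, viewer, true), Allowed(route, granted, true),
		Allowed(route, admin, true), Allowed(route, viewer, false))
}
```

In this model the same Viewer who passes the role-only check is refused once the route names an action they do not hold, which is the tightening the action check provides over `reqRole` alone.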