New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC: Adding action set resolver (action set read path) #86801
base: main
Are you sure you want to change the base?
Conversation
actionSets map[string][]string | ||
log log.Logger | ||
actionSetsToActions map[string][]string | ||
actionsToActionSets map[string][]string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
change this from actionsToActionSets
since we are taking in a action
and not multiple actions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like this is a matter of preference on whether to use plural or singular for map naming. I usually go for a plural (my thinking is - we are creating a mapping between actions and action sets, which will hold several entries, so plural makes sense). But I don't have a strong preference as long as we're consistent. So if you feel strongly about actionToActionSets
instead of actionsToActionSets
, we should also go with actionSetToActions
instead of actionSetsToActions
.
if features.IsEnabled(context.Background(), featuremgmt.FlagAccessActionSets) { | ||
actionSetService.StoreActionSet(options.Resource, permission, actions) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: putting this behind a feature toggle - there shouldn't be anything risky with registering an action set, but better safe than sorry.
❌ Failed to run Playwright plugin e2e tests. |
… due to the amount of test changes
@@ -48,6 +49,11 @@ func (a *AccessControl) Evaluate(ctx context.Context, user identity.Requester, e | |||
return false, nil | |||
} | |||
|
|||
// TODO update this to use featuremgmt.FeatureToggles instead of checking the config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will tackle this in a separate PR, as it will involve a lot of test changes, and I don't want to add noise to this PR.
@@ -1,12 +1,17 @@ | |||
package acimpl | |||
package acimpl_test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renaming to avoid import cycles
@@ -1,4 +1,4 @@ | |||
package database | |||
package database_test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renaming to avoid import cycles
What is this feature?
Adding action set resolver.
Why do we need this feature?
We are transitioning over to using action sets when storing resource permissions in a DB instead of storing each individual permission.
We added logic to store action sets in #86108. This PR adds logic to consider action sets when we check for users permissions. Eg, when checking if a user has the permission
folders:write
, we checkfolders:write
as well asfolders:edit
andfolders:admin
(the latter two being action sets).This is done by adding an action set resolver, that expands the evaluator to include action sets, so evaluator checking
folders:view
becomes an evaluator checkingany(folders:view folders:edit folders:admin folders:read)
(the scope remains unchanged).Who is this feature for?
Currently internal only (behind
accessActionSets
feature toggle).Which issue(s) does this PR fix?:
Fixes https://github.com/grafana/identity-access-team/issues/662
Special notes for your reviewer:
OSS counter part: https://github.com/grafana/grafana-enterprise/pull/6574