feat: add authz supporting subdomain module and ADR-0018#561
feat: add authz supporting subdomain module and ADR-0018#561mariajgrimaldi wants to merge 5 commits intomainfrom
Conversation
openedx-webhooks
added
open-source-contribution
|
Thanks for the pull request, @mariajgrimaldi! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
Introduces openedx_events/authz with ROLE_ASSIGNMENT_CREATED and R OLE_ASSIGNMENT_DELETED events. ADR-0018 documents the decision to use dedicated top-level modules for supporting subdomains, with authz module is recognized as a prior instance of the same concept. as the first application of that pattern after analytics in #230
Introduces openedx_events/authz with ROLE_ASSIGNMENT_CREATED and ROLE_ASSIGNMENT_DELETED events. ADR-0018 documents the decision to use dedicated top-level modules for supporting subdomains, with authz as the first application of that pattern. The existing analytics module is recognized as a prior instance of the same concept.
… username - Add Operations NamedTuple with `created` and `deleted` constants so callers use RoleAssignmentData.OPERATIONS.created instead of bare strings - Add attr.validators.in_ to enforce valid operation values at construction time - Rename actor field from Optional[str] (free-form) to Optional[str] carrying the username of the performing user, documented as actor
mariajgrimaldi
force-pushed
the
MJG/authz-audit
branch
from
478a2d0 to
f5a3cc4
Compare
mariajgrimaldi
changed the title
…signals Remove constrained validator from operation field (incompatible with Avro test infra), align field definitions to repo attrs convention, and generate Avro schemas for ROLE_ASSIGNMENT_CREATED and ROLE_ASSIGNMENT_DELETED.
mariajgrimaldi
force-pushed
the
MJG/authz-audit
branch
from
690576a to
9887ef6
Compare
mariajgrimaldi
requested review from
a team,
MaferMazu,
bmtcril,
dwong2708,
rodmgwgu and
wgu-taylor-payne
rodmgwgu
left a comment
rodmgwgu
left a comment
There was a problem hiding this comment.
I'm not very familiar with this module, but the ADR and implementation looks good to me.
Please update the version and CHANGELOG once this is ready to merge, thanks!
bmtcril
left a comment
bmtcril
left a comment
There was a problem hiding this comment.
This looks great, I think there is still the open question about persisting usernames in the audit logs but using the username here, where it's possible to be a cross-boundary identifier that pk can't fulfill makes sense to me.
felipemontoya
left a comment
felipemontoya
left a comment
There was a problem hiding this comment.
I think this is clear (thanks for the ADR), well though and warranted.
| "doc": "Avro Event Format for CloudEvents created with openedx_events/schema", | ||
| "fields": [ | ||
| { | ||
| "name": "role_assignment", |
There was a problem hiding this comment.
Quick question, I’m not familiar with these events. Should we add a suffix like _delete here?
7 participants
Description
This PR introduces the
authzmodule as a supporting subdomain module inopenedx-events, along with ADR-0018 to document the pattern.Authorization events don't belong to any single existing domain module. Role assignments originate from
openedx-authzand are consumed across learning, content authoring, enterprise, and other areas. Placing them undercourse_authoring(the current home of the admin console where role assignment happens today) would tie the module to a UI surface that is expected to move to its own application. ADR-0018 defines the criteria for supporting subdomain modules and establishesanalyticsas a prior instance of the same concept.The module adds two public signals:
ROLE_ASSIGNMENT_CREATED: emitted when a role is assigned to a subjectROLE_ASSIGNMENT_DELETED: emitted when a role assignment is removedBoth carry
RoleAssignmentData, which holds the operation, subject, role, scope, and optional actor. Valid operation values are constrained viaRoleAssignmentData.OPERATIONS(aNamedTuplewithcreatedanddeletedfields), enforced at construction time withattr.validators.in_.Design decisions are documented in docs/decisions/0018-supporting-subdomain-modules.rst.
Supporting information
Testing instructions
See openedx/openedx-authz#261 for end-to-end testing instructions.
Deadline
None.
Other information
analyticsmodule is the prior instance of the supporting subdomain pattern; this PR makes that classification explicit in ADR-0018.Checklists
Merge Checklist:
Post Merge: