Closed
Description
If I'm merging a silo, org, and project policy on the client in order to give a complete picture of the IAM situation for a project, I need to be able to fetch the current silo policy. Right now we have /policy for fleet policy and /silos/{silo_name}/policy for silo policy. But on the client I don't have the current silo name, or even the silo ID, so I have no way of fetching the silo policy. Here are some ways we might make that possible.
Decent options

- Move existing Fleet `/policy` to `/global/policy`, have `/policy` return the policy for the current silo
  - This is the best option for the client and seems most correct in general, but it may be blocked on the PR that does the `/global` thing for all the relevant endpoints (early draft here), and it turns out that is a ton of work
- Add `/session/silo/policy` or `/session/policy` or `/silo/policy` or something that returns the policy for the current silo
  - Same as above from client POV
  - Faster because not blocked on `/global` work
  - Trivial to switch server and client to use `/policy` once `/global` work is done

Bad options

- Add silo ID to `/session/me` and add `/by-id/silos/{silo_id}` endpoint
  - Client gets silo ID from `/session/me`, uses it to fetch silo, uses silo name to fetch policy
- Add silo ID to `/session/me` and `/by-id/silos/{silo_id}/policy`
  - Client gets silo ID from `/session/me`, uses it to fetch policy directly. Also 🤮 but it's one fewer request
- Add silo name to `/session/me`, use existing `/silos/{silo_name}/policy`
  - Not great because while `SiloUser` has `silo_id` on it (see below), it does not have `silo_name`, and this is a pretty silly reason for a join

omicron/nexus/db-model/src/silo_user.rs
Lines 14 to 18 in aff0d7a

```rust
pub struct SiloUser {
    #[diesel(embed)]
    identity: SiloUserIdentity,
    pub silo_id: Uuid,
}
```
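The client-side merge the issue opens with, and the request chain behind the first "bad option", as an added example in TypeScript. This is not Omicron's or the console's own code: the `role_assignments` policy shape and the `silo_user`/`silo_group` identity types are assumptions modelled on the public API, and `fetchSiloPolicyViaId` uses the `/session/me` silo ID and `/by-id/silos/{silo_id}` paths only as the issue proposes them, with `get` injected so the flow runs offline against constructed data.

```typescript
// Added example, not Omicron's code. Policy shape is an assumption modelled
// on the API's role_assignments lists; identity types and role names are
// constructed for illustration.
type IdentityType = "silo_user" | "silo_group";
type RoleAssignment = { identity_id: string; identity_type: IdentityType; role_name: string };
type Policy = { role_assignments: RoleAssignment[] };
type Scope = "silo" | "organization" | "project";

export type EffectiveRole = { scope: Scope; role_name: string };

// Collapse the silo, org, and project policies into identity_id -> roles,
// tagging each role with the scope it was granted at so the UI can show
// where a grant comes from (and which policy must be edited to revoke it).
export function mergePolicies(
  silo: Policy,
  org: Policy,
  project: Policy,
): Map<string, EffectiveRole[]> {
  const merged = new Map<string, EffectiveRole[]>();
  const scoped: [Scope, Policy][] = [
    ["silo", silo],
    ["organization", org],
    ["project", project],
  ];
  for (const [scope, policy] of scoped) {
    for (const ra of policy.role_assignments) {
      const roles = merged.get(ra.identity_id) ?? [];
      roles.push({ scope, role_name: ra.role_name });
      merged.set(ra.identity_id, roles);
    }
  }
  return merged;
}

// Identities whose only access to the project comes through the silo policy.
// Without the silo policy the client would silently omit these rows, which
// is the gap the issue describes.
export function siloOnlyAccess(merged: Map<string, EffectiveRole[]>): string[] {
  return [...merged.entries()]
    .filter(([, roles]) => roles.every((r) => r.scope === "silo"))
    .map(([id]) => id)
    .sort();
}

// Hypothetical client flow for the issue's first "bad option": silo_id on
// /session/me and a /by-id/silos/{silo_id} endpoint are proposals from the
// issue, not existing paths. Returns the policy plus every path requested so
// the cost of the chain (three requests) is visible.
export function fetchSiloPolicyViaId(
  get: (path: string) => any,
): { policy: Policy; requests: string[] } {
  const requests: string[] = [];
  const counted = (p: string) => { requests.push(p); return get(p); };
  const me = counted("/session/me");                      // assumed to carry silo_id
  const silo = counted(`/by-id/silos/${me.silo_id}`);     // proposed endpoint
  const policy = counted(`/silos/${silo.name}/policy`);   // existing endpoint
  return { policy, requests };
}

// Constructed sample policies, not real data.
export const SAMPLE_SILO: Policy = { role_assignments: [
  { identity_id: "user-alice", identity_type: "silo_user", role_name: "admin" },
] };
export const SAMPLE_ORG: Policy = { role_assignments: [
  { identity_id: "user-bob", identity_type: "silo_user", role_name: "collaborator" },
] };
export const SAMPLE_PROJECT: Policy = { role_assignments: [
  { identity_id: "user-bob", identity_type: "silo_user", role_name: "viewer" },
  { identity_id: "group-ops", identity_type: "silo_group", role_name: "admin" },
] };
```

With the sample data, `siloOnlyAccess` reports `user-alice`, who holds project admin solely through the silo grant; that row is exactly what disappears if the client cannot fetch the silo policy, and `fetchSiloPolicyViaId` shows the three round trips the ID-based workaround would cost to get it.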