feat(reconcile): add Permission and Role kinds, bootstrap only creates missing roles#1737
feat(reconcile): add Permission and Role kinds, bootstrap only creates missing roles#1737rohilsurana wants to merge 3 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Coverage Report for CI Build 28667601403Coverage increased (+0.3%) to 45.29%Details
Uncovered Changes
Coverage Regressions71 previously-covered lines in 1 file lost coverage.
Coverage Stats
💛 - Coveralls |
Stacked on #1731; will rebase onto main once that squash-merges.
What
Two new desired-state kinds for
frontier reconcileandfrontier export, plus a bootstrap behavior change that makes role management through the API stick.Permission kind
A permission is identity only (namespace + name). It is added or deleted, never updated.
appnamespaces) are server-managed: the diff and export ignore them, and spec entries targeting them are rejected.service/resourcenamespace.Role kind
Platform-level roles only. The role name is the identity and never changes. Title, permissions, and scopes are the managed fields: a field that is present in an entry is managed, a field that is omitted keeps its server value.
delete: true— so the plan fails loudly on unaccounted roles instead of removing anything by omission.slug,service/resource:verb,service.resource.verb); slugs are canonical.managed_by: frontier-reconcilein metadata for provenance.Bootstrap change: existing roles are left alone
MigrateRolesused to write a role's definition back whenever its permission set drifted. That meant any change made through the API — including this reconciler's — was reverted on the next boot. Now boot creates a role only when it is missing and never updates an existing one. Operators own existing roles; the reconcile flow is the way to change them.Trade-off, stated on purpose: when a new frontier version changes a predefined role's permission set, existing deployments no longer pick that up automatically — only fresh installs do. The desired-state file becomes the way to roll such changes out.
Why no role renames
An earlier draft allowed renaming predefined roles. Verifying it showed the server resolves predefined roles by name at runtime in 13+ places (org owner constraint checks, group creation, invitation acceptance, service-user creation, admin listings, notifications). Renaming a predefined role would break all of them, so the name is fixed as the identity and only the display title is renameable.
Tests