WF-261 Add srv/* permissions required to start deployments #27
achannn left a comment
Just 1 comment
| } | ||
| }; | ||
|
|
||
| var permMetrics = new Permission |
srv actually refers to Service, not Metrics
this name is because of the docs explanation for this perm being needed to access service metrics: https://docs.improbable.io/reference/13.6/shared/operate/service-accounts#path
I'm still unclear tbh why we would need it in order to start a deployment, I'm waiting on compute to confirm this is the actual intended flow and not a bug on their side!
```go
BundlesRead = MustRegisterPerm0(
	"no permission to fetch fabric bundles",
	"Allows retrieval of fabric bundles from the Bundle service",
	Read, PartService, "bundles",
```
You need an account with permission to access the Fabric Bundle service in order to launch a deployment so this sounds intentional
ah ok thanks! any opinion/objections to rename the variable to permServices then?
srv/bundles is needed to start a deployment because it needs the perm in order to download bundles from the bundle service. However, since it's srv/*, it actually gives you perms to do a bunch of other stuff as well (such as access metrics, and logs) which aren't used when starting a deployment.
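The least-privilege gap described in the comment above, as an added example that is not part of the thread or of the project's code: a simplified matcher that lists what a `srv/*` grant covers beyond `srv/bundles`. The `Grant` type, the single-part `*` wildcard semantics, the lowercase `read` verb string and the `srv/metrics` and `srv/logs` path names are assumptions for illustration, not the Platform SDK's API.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is a simplified permission: one verb on a slash-separated path.
// Assumption: a "*" part matches any single part at that position.
type Grant struct{ Verb, Path string }

// Allows reports whether the grant covers verb on path.
func (g Grant) Allows(verb, path string) bool {
	gp, rp := strings.Split(g.Path, "/"), strings.Split(path, "/")
	if g.Verb != verb || len(gp) != len(rp) {
		return false
	}
	for i := range gp {
		if gp[i] != "*" && gp[i] != rp[i] {
			return false
		}
	}
	return true
}

// Excess returns the known paths the grant lets a caller read that the
// operation does not need: the least-privilege gap of the grant.
func Excess(g Grant, known []string, needed map[string]bool) []string {
	var extra []string
	for _, p := range known {
		if g.Allows("read", p) && !needed[p] {
			extra = append(extra, p)
		}
	}
	return extra
}

func main() {
	// Constructed inventory: srv sub-paths for the services named in this thread.
	known := []string{"srv/bundles", "srv/metrics", "srv/logs"}
	needed := map[string]bool{"srv/bundles": true} // starting a deployment
	fmt.Println("srv/*:", Excess(Grant{"read", "srv/*"}, known, needed))
	fmt.Println("srv/bundles:", Excess(Grant{"read", "srv/bundles"}, known, needed))
}
```
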
this is the accompanying documentation
Now that you have seen both verbs and paths, you can construct a permission. For example, you might want to use the deployment service to manage the deployments for your game in the project called my_project. In this case, you need read and write access to the path with parts prj, and my_project. Using the Platform SDK, this is represented as:
I'm gonna test if srv/bundles is enough to run each DeploymentService command (unless you already know? Is there a place to check that?)
Or are you happy for me to merge with srv/*?
I'm happy with srv/*
https://improbableio.atlassian.net/browse/WF-261
I'll update the documentation referring to this example accordingly after this is approved.