[vtadmin-api] Allow RBAC config file to be optional #9419
Comments
I was reading the related backscroll with jakon and had the thought that defaulting allow-all when no rbac config flag is convenient but allows failure in an unsafe way: I can imagine fucking up a chef flag -> not passing an rbac flag -> opening write actions to the world. Still extremely into easy allow-all option but we should make it opt-in under
A clarifying q, does that mean we're either saying 1) must pass in rbac config or 2) must explicitly pass --no-rbac to default to all?
@setassociative +1 for
@notfelineit sorry, to be more explicit: I'm suggesting you must pass in @jakon89 so when constructing args to set up vtadmin there is the error where you typo the arg and it's safe as you point out. I'm more worried about a scenario where it gets omitted entirely for whatever reason and I'd rather fail hard and fast in that situation
This sounds great. I updated the issue description to specify an explicit
This issue is being addressed here: #9972
Merged #9972! Closing this issue.
The --rbac-config flag is required when running vtadmin-api. If omitted:
The local example provides a default rbac.yaml file here: https://github.com/vitessio/vitess/blob/main/examples/local/vtadmin/rbac.yaml
However, it might be more ergonomic + explicit if Vitess operators could either:
--rbac flag and an --rbac-config file, or
--no-rbac (or --rbac=false) flag to explicitly opt out of using RBAC.