[vtadmin] [experimental] add per-api RBAC implementation #8515
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Andrew Mason <amason@slack-corp.com>
Signed-off-by: Andrew Mason <amason@slack-corp.com>
Signed-off-by: Andrew Mason <amason@slack-corp.com>
Signed-off-by: Andrew Mason <amason@slack-corp.com>
Signed-off-by: Andrew Mason <amason@slack-corp.com>
Signed-off-by: Andrew Mason <amason@slack-corp.com>
doeg
approved these changes
Jul 21, 2021
| authz = opts.RBAC.GetAuthorizer() | ||
|
|
||
| if authn != nil { | ||
| opts.GRPCOpts.StreamInterceptors = append(opts.GRPCOpts.StreamInterceptors, rbac.AuthenticationStreamInterceptor(authn)) |
| // stream and request contexts, respectively. | ||
| // | ||
| // Returning an error from the authenticator will fail the request. To | ||
| // denote an authenticated request, return (nil, nil) instead. |
| */ | ||
|
|
||
| /* | ||
| Package rbac provides role-based access control for vtadmin API endpoints. |
| // AuthenticateHTTP returns an actor given an http.Request. | ||
| // | ||
| // Returning an error from the authenticator will fail the request. To | ||
| // denote an authenticated request, return (nil, nil) instead. |
There was a problem hiding this comment.
"To denote an authenticated request without an actor, return (nil, nil) instead" might be more clear?
There was a problem hiding this comment.
ohhh this is a typo. it should be "to denote an unauthenticated request, return (nil, nil)"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces an experimental feature to vtadmin, namely per-api scoped role-based access control. See the package documentation in rbac.go for more details around the principles behind the design. I plan to continue to iterate on this within our deployment, and I'll follow up with more unit tests and documentation as I do so.
Related Issue(s)
Checklist
Deployment Notes