@bevzzz bevzzz commented Sep 2, 2025

This PR adds a new groups namespace for assigning / revoking roles to user groups rather than individual users. The API is similar to that in the users namespace:

client.groups.oidc.assignRoles('fifth-floor-empl', [analystRole, researcherRole]);
client.groups.oidc.getAssignedRoles('fifth-floor-empl'); // Returns {'analyst': {...}, 'researcher': {...}}
client.groups.oidc.getKnownGroupNames(); // Returns ['fifth-floor-empl'];
client.groups.oidc.revokeRoles('fifth-floor-empl', researcherRole);

Complementing that are GroupPermissions, which a role can now have:

client.roles.create(
  'group-admin',
  wv.permissions.groups.oidc('general', read: true, assignAndRevoke: true),
);

@bevzzz bevzzz requested a review from tsmith023 September 2, 2025 08:27
@bevzzz bevzzz changed the title feat: add 'groups' namespace for managing OIDC groups feat: add 'groups' namespace for managing RBAC groups Sep 2, 2025

@orca-security-eu orca-security-eu bot left a comment

Orca Security Scan Summary

| Status | Check | High | Medium | Low | Info |
|---|---|---|---|---|---|
| Passed | Infrastructure as Code | 0 | 0 | 0 | 0 |
| Passed | SAST | 0 | 0 | 0 | 0 |
| Passed | Secrets | 0 | 0 | 0 | 0 |
| Passed | Vulnerabilities | 0 | 0 | 0 | 0 |

Note: the OpenAPI schema is manually modified to exclude 'db' group type,
because it is not currently supported on the server. It will be removed
from the next RC release (and GA too).

Regenerate the schema once this PR is merged:
#343
@bevzzz bevzzz marked this pull request as ready for review September 2, 2025 09:31

bevzzz commented Sep 2, 2025

Because this is targeting stable/1.32 regenerating the schema from it is a bit of a hassle. In the end, all we want is for GroupType to not include 'db', which it already does.

I'm going to merge the PR as is.

@bevzzz bevzzz merged commit e36e54d into main Sep 2, 2025
15 checks passed
@bevzzz bevzzz deleted the feat/oidc-groups branch September 2, 2025 11:08