Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Share coder_app and ports with groups #13361

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stirby opened this issue May 24, 2024 · 10 comments
Open

Share coder_app and ports with groups #13361

stirby opened this issue May 24, 2024 · 10 comments
Labels
customer-requested Features requested by enterprise customers. Only humans may set this.

Comments

@stirby
Copy link
Collaborator

stirby commented May 24, 2024
edited
Loading

Currently, coder_apps can be shared with either all authenticated users on a deployment or publicly. This allows users to expose services or demo work across teams, but does not provide sufficient RBAC control for most scenarios.

Resource separation is team-based in most deployments, and exposing ports widely across the deployment supersedes this isolation pattern. For example, a data science team will want to share Jupyter notebooks with teammates, but not expose the sensitive data to all users. This challenge is especially apparent as customers scale to multiple templates, groups and organizations.

To remedy this, we should add new sharing scope (e.g. group, template, organization) to coder_apps and sharable ports.

User-to-user sharing is not in the scope of this work as it further convoludes resource access. For that discussion, see our Shared workspaces thread.
@coder-labeler coder-labeler bot added customer-requested Features requested by enterprise customers. Only humans may set this. feature labels May 24, 2024
@stirby
Copy link
Collaborator Author

stirby commented May 24, 2024
edited
Loading

It would be nice if we could access users' groups in Terraform (as a data source?) since customers like to use generalized templates with team-specific options.

@matifali
Copy link
Member

It would be nice if we could access users' groups in Terraform (as a data source?) since customers like to use generalized templates with team-specific options.

It will be soon be possible to get a user's groups with data.coder_workspace_owner.me.groups having a list of all available groups would make the UX more useful.

A good candidate for a feature request for https://github.com/coder/terraform-provider-coder

@stirby
Copy link
Collaborator Author

stirby commented May 24, 2024

@matifali Interesting. I'll open a different issue there since this may impact shared ports as well.

Do you envision that enabling this flow? Some conditional to check that the group matches?

resource "coder_app" "code-server" {
  agent_id     = coder_agent.dev.id
  slug         = "code-server"
  ...
  count = contains(data.coder_workspace_owner.me.groups, "data-sci") ? 1 : 0
  share        = "authenticated"
}

If we could just pass the group name/id to the share attribute this would be extremely smooth. TBF this may be a more limiting abstraction.

resource "coder_app" "code-server" {
  agent_id     = coder_agent.dev.id
  slug         = "code-server"
  ...
  share        = "group"
  group        = "data-sci" # or group id
}

@matifali
Copy link
Member

matifali commented May 24, 2024
edited
Loading

@stirby I think a better way would be to be able to set share = owner|username|groupname|authenticated|public.

resource "coder_app" "code-server" {
  agent_id = coder_agent.dev.id
  slug     = "code-server"
  ...
  share    = "owner|matifali|data-sci|authenticated|public"
}

Setting share =

  1. owner --> default only workspace owner
  2. matiafli --> share with user matifali
  3. data-sci --> shate with group data-sci
  4. authenticated --> share with all coder users in current organization
  5. public --> share with anyone on the network

This is increasing the share level as we move from owner to public

BONUS: If this can be done from the dashboard share-ports UI too.

@ammario
Copy link
Member

ammario commented May 28, 2024

I don't think that kind of string abuse is a good idea. In the | separator suggestion, a group named "public" or "owner" could not be selected. A user might try to target a group named "public" and unknowingly make their shared URL public to the internet.

Also, we have tended to represent RBAC state in the DB as opposed to in Terraform. There are good reasons to do this consistently, e.g. when a Group is deleted or renamed we don't want Templates to fail.

Instead, I propose we add another share-level in between "owner" and "authenticated": "template". When a URL is shared to the "template", anyone that can use the template can also visit the URL.

@matifali
Copy link
Member

| is not a separator here but just showing all mutually exclusive possible values for share. I agree that a change in group name can break the template.
Using a new share level named inherited or template sounds a better approach.

@stirby
Copy link
Collaborator Author

stirby commented May 28, 2024
edited
Loading

I don't think that kind of string abuse is a good idea. In the | separator suggestion, a group named "public" or "owner" could not be selected. A user might try to target a group named "public" and unknowingly make their shared URL public to the internet.

I was thinking about supporting group/user names/IDs directly but stopped because of this exact collision.

Instead, I propose we add another share-level in between "owner" and "authenticated": "template". When a URL is shared to the "template", anyone that can use the template can also visit the URL.

I'm fine with this.

Some customers still use general templates across multiple teams. However, I agree that we should signal templates-per-team.

December update: I was wrong. After discussion with multiple customers, I realize that template-per-team is not a typical pattern. For example, devcontainer-centric development may mean only one template for the entire org.

@matifali

This comment was marked as outdated.

Sign in to view
@stirby stirby mentioned this issue May 30, 2024
Open
This was referenced May 31, 2024
Closed
Closed
@matifali matifali removed the feature label Oct 14, 2024
@elliot-graebert-skydio
Copy link

Just adding a comment: templates-per-team is not how we organize our templates. One template is used by the entire company, and teams are subsets of that. I think of templates as the structure around how you define what a workspace is, and groups as a permission structure. Doing this on the code level is also insufficient.

For my use case, what's needed is sharing workspaces to a user or group, as the two entities that represent access control in the Coder app. The workflow should look like this:

  1. Open up my workspace
  2. Go to Open ports
  3. Enter a port number (e.g. '12345')
  4. Select Sharing Level: 'custom'
  5. Click some multi-select dropdown that allows me to specify individual users or groups.

@suse-coder
Copy link

I would also be interested in this feature

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
customer-requested Features requested by enterprise customers. Only humans may set this.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ammario @matifali @stirby @elliot-graebert-skydio @suse-coder