feat: Check permissions endpoint #1389
Conversation
Allows FE to query backend for permission capabilities. Batch requests supported
Codecov Report
@@ Coverage Diff @@
## main #1389 +/- ##
==========================================
+ Coverage 66.93% 66.99% +0.06%
==========================================
Files 288 284 -4
Lines 18856 19006 +150
Branches 241 241
==========================================
+ Hits 12622 12734 +112
- Misses 4944 4959 +15
- Partials 1290 1313 +23
Continue to review full report at Codecov.
|
| } | ||
|
|
||
| response := make(codersdk.UserPermissionCheckResponse) | ||
| for k, v := range params.Checks { |
There was a problem hiding this comment.
It seems odd to echo user-specified keys back in the response. Do we require this endpoint to check for N permissions?
There was a problem hiding this comment.
Yes. It's a batch request, so the map key is to return the right true/false for each permission check. So the keys will likely be human friendly names such as read-my-workspace, the response will return "read-my-workspace": true
There was a problem hiding this comment.
I understand, but what is the use-case that attempting to fetch the workspace and checking the status code wouldn't catch?
There was a problem hiding this comment.
This is primarily for deciding which UI options to show.
Currently the admin Manage dropdown would use this to determine if it should show, and what buttons.
This is probably not going to be exactly how it's done, but something like this. The manage dropdown has 4 different options, you can do a permission check for each one and conditionally show the ui elements the user can access. If any return true, you show the Manage button.
{
"manage-all-organizations": true,
"manage-all-users": true,
"read-all-auditlogs": true,
"modify-deployment-settings: false,
}
In the past, the UI used the user's roles, but that means the UI has to know what an admin can and cannot do. In this world, if we ever support custom roles, that becomes impossible. This is the new approach, where the UI comes up with actions associated with UI elements, and queries the backend to handle the Authorize() check. Keeping it centralized in 1 place where RBAC logic is done.
There was a problem hiding this comment.
Is this standard amongst other products with RBAC? Something feels fishy to me which isn't enough to prevent this, but maybe is sign to look for validation with other products.
GitHub appears to display UI options based off role, but I know that diverges from our abstraction a bit.
There was a problem hiding this comment.
What I like most on not being attached to the role itself but the permission is in the future, if we want, we can create custom roles without having to update the front end at all.
There was a problem hiding this comment.
Is this standard amongst other products with RBAC?
Kubernetes has SubjectAccessReview and SelfSubjectAccessReview API endpoints, for example: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access
There was a problem hiding this comment.
@spikecurtis good example that is exactly what we are doing here.
There was a problem hiding this comment.
@kylecarbs What do you think now?
There was a problem hiding this comment.
I still feel it's odd to echo the key-value pairs, but I don't think it should block progress! Seems fine to me.
| readonly owner_id?: string | ||
| readonly organization_id?: string | ||
| readonly resource_id?: string | ||
| } |
There was a problem hiding this comment.
Can you write some docs on how to use this? The example request is helpful but for instance, where do we find the resource type and id, and where does the arbitrary name come in (I think it's the string that keys the record below but having this written somewhere will help when I forget that later lol)
There was a problem hiding this comment.
Yup! Random comment on this, I am going to add the docs to the codersdk struct. These comments are not pulled over to the typescript, but they could in theory be copied over. If that is something that would be helpful, we can pull comments to the typescript too.
I'll link to the docs when I commit them 👍
There was a problem hiding this comment.
Lines 81 to 127 in 79c0886
There was a problem hiding this comment.
Awesome! And how do I know which resource types are possible, or which resource id a given thing has?
There was a problem hiding this comment.
Unfortunately, it is not exported into the TS types but you can see them right here
Lines 11 to 35 in 57bb108
There was a problem hiding this comment.
So eventually the parts of the admin menu will be in there, right? I can see how the resource id of a workspace would be the workspace id, but I was having trouble figuring out how I'd ask if a user can see the Users page, for instance.
There was a problem hiding this comment.
You eventually can do this:
...
"read-all-users":{
"object":{
"resource_type":"users"
},
"action":"read"
},
Right now that is not possible because we don't have the resource "users" but I will make that during this ticket #884
There was a problem hiding this comment.
Ah, so that one won't need a resource id. So when I don't specify an owner/org/resource id, I'm asking for everything, but supplying ids can narrow the scope - is that right? Would be nice to have a note on that, although maybe it's more obvious to most people.
| for k, v := range params.Checks { | ||
| if v.Object.ResourceType == "" { | ||
| httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{ | ||
| Message: "'resource_type' must be defined", |
There was a problem hiding this comment.
Is resource type required? It has a ? in the typescript
There was a problem hiding this comment.
I think it is. @Emyrk is that possible to have this reflected in the TS types?
|
Closes #984 |
* feat: Check permissions endpoint Allows FE to query backend for permission capabilities. Batch requests supported
Allows FE to query backend for permission capabilities.
Batch requests supported
Example Request
Response