From 293312e7a77b52727fa10afe44e54a39396448ec Mon Sep 17 00:00:00 2001
From: Yuqing Wei
Date: Tue, 9 Aug 2022 18:52:05 +0800
Subject: [PATCH] quick update on rbac docs and input hint
---
 registry/access_control/README.md | 42 ++++++++++++++++++++++--
 ui/src/components/roleManagementForm.tsx | 6 ++--
 ui/src/components/userRoles.tsx | 5 +--
 3 files changed, 45 insertions(+), 8 deletions(-)
diff --git a/registry/access_control/README.md b/registry/access_control/README.md
index ca282f51d..091d21b97 100644
--- a/registry/access_control/README.md
+++ b/registry/access_control/README.md
@@ -16,7 +16,7 @@ flowchart TD
 G -- Yes --> H[Return API Results]
 ```
-If Access control plugin is NOT enabled, the flow will start from **Call Downstream API***
+If Access control plugin is NOT enabled, the flow will directly **Call Downstream API***.
 ## Access Control Registry API
@@ -72,12 +72,48 @@ Supported scenarios status are tracked below:
 - [x] Initialize default Project Admin role for project creator
 - [ ] Initialize default Global Admin Role for workspace creator
 - UI Experience
- - [x] Hidden page `../management` for project admin to make CUD requests to `userroles` table
+ - [x] `management` page for project admin to make CUD requests to `userroles` table
 - [x] Use id token in Management API Request headers to identify requestor
 - Future Enhancements:
 - [x] Support AAD Application token
 - [x] Support OAuth tokens with `email` attributes
 - [x] Functional in Feathr Client
+ - [ ] Add Access Control Dev Guide (include deployment tips)
+ - [ ] Add Access Control User Guide (UI & Client Experience)
 - [ ] Support AAD Groups
 - [ ] Support Other OAuth Providers
-
\ No newline at end of file
+
+## Access Control Management APIs
+### UserRole
+| Field | Comments |
+| ------------ | -------------------------------------------- |
+| scope | Project name or `global` |
+| userName | User email or APP ID |
+| roleName | Admin or Producer or Consumer |
+| createBy | The admin user name who assigned this role |
+| createReason | The reason for this role assignment |
+| createTime | Auto generated during record creation |
+| deleteBy | For audit purpose, not used in API returns |
+| deleteReason | For audit purpose, not used in API returns |
+| deleteTime | Auto generated when record marked as deleted |
+| access | A list of permissions of this role |
+
+### `GET /userroles`
+Get `userrole` records of projects that requestor has `manage` access.
++ Response Type: [`UserRole`](#userrole)
+
+### `POST /users/{user}/userroles/add `
+Create a new role assignment
++ Request Params:
+ + project: project name or `global`
+ + user: user email or app id
+ + role: admin or producer or consumer
+ + reason: create reason
+
+### `DELETE /users/{user}/userroles/delete`
+Delete an existing role assignment
++ Request Params:
+ + project: project name or `global`
+ + user: user email or app id
+ + role: admin or producer or consumer
+ + reason: delete reason
\ No newline at end of file
diff --git a/ui/src/components/roleManagementForm.tsx b/ui/src/components/roleManagementForm.tsx
index ae336fd8a..910b5188e 100644
--- a/ui/src/components/roleManagementForm.tsx
+++ b/ui/src/components/roleManagementForm.tsx
@@ -51,14 +51,14 @@ const RoleManagementForm: React.FC = ({ > - + - + = ({ - +
diff --git a/ui/src/components/userRoles.tsx b/ui/src/components/userRoles.tsx
index 470838178..b25acfa9b 100644
--- a/ui/src/components/userRoles.tsx
+++ b/ui/src/components/userRoles.tsx
@@ -136,8 +136,9 @@ const UserRoles: React.FC = () => {
<>

- This page is protected by Feathr Access Control. Only Global Admin - can retrieve management details and grant or delete user roles. + This page is protected by Feathr Access Control. Only Project + Admins can retrieve management details and grant or delete user + roles.
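Review bot: The new banner text at the end of this hunk names only Project Admins, which drops the Global Admin case even though the README section added in this same patch documents `global` as a valid scope; a global admin could read the page as not meant for them. If the management API still grants this to global admins, word it as `Only Project Admins and Global Admins can retrieve management details and grant or delete user roles.` The sentence is display text only and the hunk shows no client-side check, so the restriction it describes has to be enforced by the management API itself; a short comment above the banner saying so (`{/* Informational only: access is enforced server-side by the access-control API */}`) would keep later UI edits from being mistaken for the control. The rest of `UserRoles` lies outside the hunk.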