PLAT-50: support roles and attrs on services #7480
Conversation
admin/permissions.go
Outdated
// If no roles are found, check if the service belongs to the org of the project
service, err := s.DB.FindService(ctx, serviceID)
if err != nil {
	return nil, err
}

proj, err := s.DB.FindProject(ctx, projectID)
if err != nil {
	return nil, err
}

// Services get read permissions on the projects of the org they belong to
if proj.OrganizationID == service.OrgID {
I think this needs to be removed now? Otherwise if it has no project roles, it would get access to all projects?
For backwards compatibility for the services with the admin org role, I believe the if orgPerms.ManageProjects case above covers them.
> Otherwise if it has no project roles, it would get access to all projects?

Yes, this is intended behaviour: if a service is added as a viewer or any other role than admin to an org, then it should have read permission on projects. Otherwise what's the use of org level roles?
Although this should change to check if any org role exists for the service; if not, then return empty permissions.
made the change
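The resolution order the thread settles on, written out as an added example (not the PR's own code): an explicit project role decides; otherwise the service must hold some org role in the project's org, where `orgPerms.ManageProjects` (the admin case) grants management and any other org role grants read; a service with no role at all, or a project in another org, gets empty permissions. The in-memory `Store`, the `Service`/`Project`/`OrgPermissions`/`ProjectPermissions` shapes, the role names `admin`, `viewer` and `editor`, and the fixture data are all assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the admin DB records and permission structs
// (assumptions for this example, not the project's own types).
type Service struct{ ID, OrgID string }
type Project struct{ ID, OrganizationID string }
type OrgPermissions struct{ ReadOrg, ManageProjects bool }
type ProjectPermissions struct{ ReadProject, ManageProject bool }

var ErrNotFound = errors.New("not found")

// Store is an in-memory stand-in for s.DB; role assignments are keyed by
// [serviceID, orgID] and [serviceID, projectID].
type Store struct {
	Services     map[string]Service
	Projects     map[string]Project
	OrgRoles     map[[2]string]string
	ProjectRoles map[[2]string]string
}

// Only the "admin" org role may manage projects; any assigned org role can read the org.
func orgPermissions(role string) OrgPermissions {
	return OrgPermissions{ReadOrg: true, ManageProjects: role == "admin"}
}

// projectPermissions maps an explicit project role to project permissions.
func projectPermissions(role string) ProjectPermissions {
	switch role {
	case "admin", "editor":
		return ProjectPermissions{ReadProject: true, ManageProject: true}
	case "viewer":
		return ProjectPermissions{ReadProject: true}
	}
	return ProjectPermissions{}
}

// ServiceProjectPermissions resolves what a service may do on a project:
// an explicit project role decides; otherwise the service needs some org
// role in the project's org (admin manages, any other role reads); no role
// at all, or a project in another org, yields empty permissions.
func (s *Store) ServiceProjectPermissions(serviceID, projectID string) (ProjectPermissions, error) {
	svc, ok := s.Services[serviceID]
	if !ok {
		return ProjectPermissions{}, fmt.Errorf("service %q: %w", serviceID, ErrNotFound)
	}
	proj, ok := s.Projects[projectID]
	if !ok {
		return ProjectPermissions{}, fmt.Errorf("project %q: %w", projectID, ErrNotFound)
	}
	if role, ok := s.ProjectRoles[[2]string{serviceID, projectID}]; ok {
		return projectPermissions(role), nil
	}
	// Fail closed: belonging to the org is necessary but not sufficient;
	// the service must also hold an org role there.
	if proj.OrganizationID != svc.OrgID {
		return ProjectPermissions{}, nil
	}
	orgRole, ok := s.OrgRoles[[2]string{serviceID, proj.OrganizationID}]
	if !ok {
		return ProjectPermissions{}, nil
	}
	if orgPermissions(orgRole).ManageProjects {
		return ProjectPermissions{ReadProject: true, ManageProject: true}, nil
	}
	return ProjectPermissions{ReadProject: true}, nil
}

// NewExampleStore is a constructed fixture: one org with a project and four
// services holding different (or no) roles, plus a project in another org.
func NewExampleStore() *Store {
	return &Store{
		Services: map[string]Service{
			"svc-admin":  {ID: "svc-admin", OrgID: "org-1"},
			"svc-viewer": {ID: "svc-viewer", OrgID: "org-1"},
			"svc-norole": {ID: "svc-norole", OrgID: "org-1"},
			"svc-editor": {ID: "svc-editor", OrgID: "org-1"},
		},
		Projects: map[string]Project{
			"proj-a":     {ID: "proj-a", OrganizationID: "org-1"},
			"proj-other": {ID: "proj-other", OrganizationID: "org-2"},
		},
		OrgRoles:     map[[2]string]string{{"svc-admin", "org-1"}: "admin", {"svc-viewer", "org-1"}: "viewer"},
		ProjectRoles: map[[2]string]string{{"svc-editor", "proj-a"}: "editor"},
	}
}

func main() {
	s := NewExampleStore()
	for _, id := range []string{"svc-admin", "svc-viewer", "svc-norole", "svc-editor"} {
		p, err := s.ServiceProjectPermissions(id, "proj-a")
		fmt.Printf("%-10s on proj-a: %+v err=%v\n", id, p, err)
	}
}
```

The point of the org-membership check coming after the org-role lookup is the one the reviewer raised: `proj.OrganizationID == service.OrgID` alone would let every service in the org read every project, whereas requiring an actual org role keeps the default at no access.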
cli/cmd/service/create.go
Outdated
if orgRole == "" && projectRole == "" {
	return fmt.Errorf("either --org-role or --project-role must be specified")
}
It's not ideal to require a flag (since flags are usually optional). What do you think would be a nice behavior here?
Should I just include a prompt saying that if no orgRole or projectRole is provided then the service will be created with the admin role on the org level, otherwise use either --org-role or --project-role to set a role? The user can accept or deny the prompt.
Another option is to prompt for whether they want to add an org role or not and give role options to select from, similarly for project name and roles. That will solve this as well.
changed the flow, please check
proto/rill/admin/v1/api.proto
Outdated
string org_role_name = 3; // Optional org role to assign
string project_name = 4; // Optional project to assign role to
string project_role_name = 5; // Optional project role to assign
map<string, string> attributes = 6;
What about non-string types, like admin (bool) or groups (array)? Consider using either google.protobuf.Struct or passing it as JSON, e.g. string attributes_json.
If you use google.protobuf.Struct, I think you can add optional in front – maybe that solves the issue about the ability to clear attributes?
changed to use google.protobuf.Struct
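An added example (not the PR's code) of why the typed attribute field matters for the security policies the attributes feed: it decodes a JSON attribute document into `map[string]any`, which is the same shape `google.protobuf.Struct`'s `AsMap()` yields, evaluates a constructed policy rule over a bool and an array attribute, and shows what the original `map<string, string>` would have done to the same values. `ParseAttributes`, `IsAdmin`, `Groups`, `MayReadFinance` and `FlattenToStrings`, the attribute names `admin`/`groups`/`tier` and the sample documents are all assumptions for this example, not Rill's policy syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ParseAttributes decodes a JSON attribute document into the shape that
// google.protobuf.Struct's AsMap() also produces: map[string]any whose values
// are bool, float64, string, []any or nested map[string]any.
func ParseAttributes(raw string) (map[string]any, error) {
	var attrs map[string]any
	if err := json.Unmarshal([]byte(raw), &attrs); err != nil {
		return nil, fmt.Errorf("attributes: %w", err)
	}
	if attrs == nil { // JSON "null" decodes to a nil map
		attrs = map[string]any{}
	}
	return attrs, nil
}

// IsAdmin is true only for a JSON boolean true. The string "true" that a
// map<string, string> field would carry is not a boolean and does not qualify.
func IsAdmin(attrs map[string]any) bool {
	v, ok := attrs["admin"].(bool)
	return ok && v
}

// Groups returns the string elements of the "groups" list; a missing or
// non-list value yields nil, and non-string elements are ignored.
func Groups(attrs map[string]any) []string {
	list, ok := attrs["groups"].([]any)
	if !ok {
		return nil
	}
	var out []string
	for _, g := range list {
		if s, ok := g.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// InGroup reports whether group is one of the service's groups.
func InGroup(attrs map[string]any, group string) bool {
	for _, g := range Groups(attrs) {
		if g == group {
			return true
		}
	}
	return false
}

// MayReadFinance is a constructed policy rule of the kind a security policy
// expresses over attributes: admins, or members of the finance group, may read.
func MayReadFinance(attrs map[string]any) bool {
	return IsAdmin(attrs) || InGroup(attrs, "finance")
}

// FlattenToStrings shows what the original map<string, string> field would
// force: every value stringified, so both type and structure are lost.
func FlattenToStrings(attrs map[string]any) map[string]string {
	out := make(map[string]string, len(attrs))
	for k, v := range attrs {
		out[k] = fmt.Sprint(v)
	}
	return out
}

func main() {
	// Constructed sample attribute sets: one typed, one already stringified.
	typed, _ := ParseAttributes(`{"admin": true, "groups": ["finance", "ops"], "tier": 3}`)
	stringy, _ := ParseAttributes(`{"admin": "true", "groups": "[finance ops]"}`)
	fmt.Println("typed: admin =", IsAdmin(typed), "groups =", Groups(typed), "finance ok =", MayReadFinance(typed))
	fmt.Println("stringified: admin =", IsAdmin(stringy), "groups =", Groups(stringy), "finance ok =", MayReadFinance(stringy))
	fmt.Println("flattened:", FlattenToStrings(typed))
}
```

Type assertions such as `attrs["admin"].(bool)` are what make the policy fail closed: a stringified or malformed attribute is simply not a match, rather than being coerced into one.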
* support roles and attrs on services
* proto lint
* fixes
* manual fixes
* gen fixes
* fixes
* fix persistent flag
* runtime proxy fix
* review comments
* refactor
* review comments
* add service name as args to remove cmd
* fix e2e
* add --interactive=false
* review comments
* remove interactive flag from ui test
- Create new service-tokens.md page in /manage section covering:
  - Overview and use cases for service tokens
  - Creating tokens with roles and custom attributes
  - Organization and project-level role management
  - Custom attributes for fine-grained access control
  - Managing and editing service tokens
  - Using attributes with security policies
  - Issuing ephemeral tokens
  - Best practices and troubleshooting
- Update /integrate/custom-api.md:
  - Document custom attributes for service tokens
  - Add examples of using attributes with security policies
  - Link to comprehensive service tokens documentation
  - Remove outdated information about admin-only access
- Update /integrate/embedding.md:
  - Improve service token creation examples with roles
  - Update references to new service tokens documentation
- Update /build/metrics-view/security.md:
  - Add service token custom attributes example
  - Link to service tokens documentation
- Update /manage/index.md:
  - Add service tokens to Access Control section

Related to PR #7480 which added custom attributes support

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Fixes https://linear.app/rilldata/issue/PLAT-50/support-roles-and-attributes-for-services
Checklist: