NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commit299a54a

authored

feat(coderd): add tasks rbac object (#20234)

This change adds RBAC for tasks.Updatescoder/internal#948Supersedes#20212

1 parentd9f95f2 commit299a54aCopy full SHA for 299a54a

File tree

19 files changed

+155

-3

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- database
  - dbauthz
    - dbauthz.go
  - dump.sql
  - migrations
    - 000378_add_tasks_rbac.down.sql
    - 000378_add_tasks_rbac.up.sql
  - modelmethods.go
  - models.go
- rbac
codersdk
- apikey_scopes_gen.go
- rbacresources_gen.go
docs/reference/api
- members.md
- schemas.md
site/src/api
- rbacresourcesGenerated.ts
- typesGenerated.ts

19 files changed

+155

-3

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 12 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 12 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,9 @@ var (`
`219`	`219`	`rbac.ResourceUser.Type: {policy.ActionRead,policy.ActionReadPersonal,policy.ActionUpdatePersonal},`
`220`	`220`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`221`	`221`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,policy.ActionCreateAgent},`
`222`		`-rbac.ResourceApiKey.Type: {policy.WildcardSymbol},`
	`222`	`+// Provisionerd needs to read and update tasks associated with workspaces.`
	`223`	`+rbac.ResourceTask.Type: {policy.ActionRead,policy.ActionUpdate},`
	`224`	`+rbac.ResourceApiKey.Type: {policy.WildcardSymbol},`
`223`	`225`	`// When org scoped provisioner credentials are implemented,`
`224`	`226`	`// this can be reduced to read a specific org.`
`225`	`227`	`rbac.ResourceOrganization.Type: {policy.ActionRead},`

`‎coderd/database/dump.sql‎`

Lines changed: 6 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000378_add_tasks_rbac.down.sql‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-- Revert Tasks RBAC.`
	`2`	`+-- No-op: enum values remain to avoid churn. Removing enum values requires`
	`3`	`+-- doing a create/cast/drop cycle which is intentionally omitted here.`

`‎coderd/database/migrations/000378_add_tasks_rbac.up.sql‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+-- Tasks RBAC.`
	`2`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:create';`
	`3`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:read';`
	`4`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:update';`
	`5`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:delete';`
	`6`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:*';`

`‎coderd/database/modelmethods.go‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,13 @@ func (w ConnectionLog) RBACObject() rbac.Object {`
`132`	`132`	`returnobj`
`133`	`133`	`}`
`134`	`134`
	`135`	`+func (tTask)RBACObject() rbac.Object {`
	`136`	`+returnrbac.ResourceTask.`
	`137`	`+WithID(t.ID).`
	`138`	`+WithOwner(t.OwnerID.String()).`
	`139`	`+InOrg(t.OrganizationID)`
	`140`	`+}`
	`141`	`+`
`135`	`142`	`func (sAPIKeyScope)ToRBAC() rbac.ScopeName {`
`136`	`143`	`switchs {`
`137`	`144`	`caseApiKeyScopeCoderAll:`

`‎coderd/database/models.go‎`

Lines changed: 16 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/object_gen.go‎`

Lines changed: 11 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/policy/policy.go‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,13 @@ var workspaceActions = map[Action]ActionDefinition{`
`63`	`63`	`ActionDeleteAgent:"delete an existing workspace agent",`
`64`	`64`	`}`
`65`	`65`
	`66`	`+vartaskActions=map[Action]ActionDefinition{`
	`67`	`+ActionCreate:"create a new task",`
	`68`	`+ActionRead:"read task data or output to view on the UI or CLI",`
	`69`	`+ActionUpdate:"edit task settings or send input to an existing task",`
	`70`	`+ActionDelete:"delete task",`
	`71`	`+}`
	`72`	`+`
`66`	`73`	`// RBACPermissions is indexed by the type`
`67`	`74`	`varRBACPermissions=map[string]PermissionDefinition{`
`68`	`75`	`// Wildcard is every object, and the action "*" provides all actions.`
`@@ -86,6 +93,9 @@ var RBACPermissions = map[string]PermissionDefinition{`
`86`	`93`	`"workspace": {`
`87`	`94`	`Actions:workspaceActions,`
`88`	`95`	`},`
	`96`	`+"task": {`
	`97`	`+Actions:taskActions,`
	`98`	`+},`
`89`	`99`	`// Dormant workspaces have the same perms as workspaces.`
`90`	`100`	`"workspace_dormant": {`
`91`	`101`	`Actions:workspaceActions,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit299a54a

File tree

19 files changed

19 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dump.sql‎`

`‎coderd/database/migrations/000378_add_tasks_rbac.down.sql‎`

`‎coderd/database/migrations/000378_add_tasks_rbac.up.sql‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/database/models.go‎`

`‎coderd/rbac/object_gen.go‎`

`‎coderd/rbac/policy/policy.go‎`

0 commit comments