NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitfffde2e

committed

feat(coderd): add tasks rbac object

This change adds RBAC for tasks.Updatescoder/internal#948Supersedes#20212

1 parented90ecf commitfffde2eCopy full SHA for fffde2e

File tree

20 files changed

+165

-7

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- database
  - dbauthz
    - dbauthz.go
  - dump.sql
  - migrations
    - 000378_add_tasks_rbac.down.sql
    - 000378_add_tasks_rbac.up.sql
  - modelmethods.go
  - models.go
- rbac
codersdk
- apikey_scopes_gen.go
- rbacresources_gen.go
docs/reference/api
- members.md
- schemas.md
site/src/api
- rbacresourcesGenerated.ts
- typesGenerated.ts

20 files changed

+165

-7

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 12 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 12 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,9 @@ var (`
`219`	`219`	`rbac.ResourceUser.Type: {policy.ActionRead,policy.ActionReadPersonal,policy.ActionUpdatePersonal},`
`220`	`220`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`221`	`221`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,policy.ActionCreateAgent},`
`222`		`-rbac.ResourceApiKey.Type: {policy.WildcardSymbol},`
	`222`	`+// Provisionerd needs to read and update tasks associated with workspaces.`
	`223`	`+rbac.ResourceTask.Type: {policy.ActionRead,policy.ActionUpdate},`
	`224`	`+rbac.ResourceApiKey.Type: {policy.WildcardSymbol},`
`223`	`225`	`// When org scoped provisioner credentials are implemented,`
`224`	`226`	`// this can be reduced to read a specific org.`
`225`	`227`	`rbac.ResourceOrganization.Type: {policy.ActionRead},`

`‎coderd/database/dump.sql‎`

Lines changed: 6 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000378_add_tasks_rbac.down.sql‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-- Revert Tasks RBAC.`
	`2`	`+-- No-op: enum values remain to avoid churn. Removing enum values requires`
	`3`	`+-- doing a create/cast/drop cycle which is intentionally omitted here.`

`‎coderd/database/migrations/000378_add_tasks_rbac.up.sql‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+-- Tasks RBAC.`
	`2`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:create';`
	`3`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:read';`
	`4`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:update';`
	`5`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:delete';`
	`6`	`+ALTERTYPE api_key_scope ADD VALUE IF NOT EXISTS'task:*';`

`‎coderd/database/modelmethods.go‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,13 @@ func (w ConnectionLog) RBACObject() rbac.Object {`
`132`	`132`	`returnobj`
`133`	`133`	`}`
`134`	`134`
	`135`	`+func (tTask)RBACObject() rbac.Object {`
	`136`	`+returnrbac.ResourceTask.`
	`137`	`+WithID(t.ID).`
	`138`	`+WithOwner(t.OwnerID.String()).`
	`139`	`+InOrg(t.OrganizationID)`
	`140`	`+}`
	`141`	`+`
`135`	`142`	`func (sAPIKeyScope)ToRBAC() rbac.ScopeName {`
`136`	`143`	`switchs {`
`137`	`144`	`caseApiKeyScopeCoderAll:`

`‎coderd/database/models.go‎`

Lines changed: 16 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/object_gen.go‎`

Lines changed: 11 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/policy/policy.go‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,13 @@ var workspaceActions = map[Action]ActionDefinition{`
`63`	`63`	`ActionDeleteAgent:"delete an existing workspace agent",`
`64`	`64`	`}`
`65`	`65`
	`66`	`+vartaskActions=map[Action]ActionDefinition{`
	`67`	`+ActionCreate:"create a new task",`
	`68`	`+ActionRead:"read task data to view on the UI",`
	`69`	`+ActionUpdate:"edit task settings",`
	`70`	`+ActionDelete:"delete task",`
	`71`	`+}`
	`72`	`+`
`66`	`73`	`// RBACPermissions is indexed by the type`
`67`	`74`	`varRBACPermissions=map[string]PermissionDefinition{`
`68`	`75`	`// Wildcard is every object, and the action "*" provides all actions.`
`@@ -86,6 +93,9 @@ var RBACPermissions = map[string]PermissionDefinition{`
`86`	`93`	`"workspace": {`
`87`	`94`	`Actions:workspaceActions,`
`88`	`95`	`},`
	`96`	`+"task": {`
	`97`	`+Actions:taskActions,`
	`98`	`+},`
`89`	`99`	`// Dormant workspaces have the same perms as workspaces.`
`90`	`100`	`"workspace_dormant": {`
`91`	`101`	`Actions:workspaceActions,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfffde2e

File tree

20 files changed

20 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dump.sql‎`

`‎coderd/database/migrations/000378_add_tasks_rbac.down.sql‎`

`‎coderd/database/migrations/000378_add_tasks_rbac.up.sql‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/database/models.go‎`

`‎coderd/rbac/object_gen.go‎`

`‎coderd/rbac/policy/policy.go‎`

0 commit comments