Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: create type for unique role names#13506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 16 commits intomainfromstevenmasley/typed_role_name
Jun 11, 2024
Merged

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedJun 7, 2024
edited
Loading

BeforeRoleName was a string that was formatted<role_name>[:<org_id>]. This was super loose and hard to tell when a string had the org_id and when it did not.

This change makes the string a struct. So now allstring names are just the name, without theorg_id scope.

Why do this?

The database and the sdk store roles as a struct, so it makes sense the rbac package should also. It makes the organizationID an obvious field vs something implied from an arbitrary string format.

It also disambiguates the format at any given point in the code. The oldstring was almost arbitrary when it was formatted with the org id, and when not

Copy link
Member

@johnstcnjohnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

vibe check 👍

Emyrk reacted with thumbs up emoji
@@ -192,7 +192,7 @@ func (r *RootCmd) newCreateAdminUserCommand() *serpent.Command {
HashedPassword: []byte(hashedPassword),
CreatedAt: dbtime.Now(),
UpdatedAt: dbtime.Now(),
RBACRoles: []string{rbac.RoleOwner()},
RBACRoles: []string{rbac.RoleOwner().String()},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

review:string does not implementfmt.Stringer :(

Emyrk reacted with confused emoji
@EmyrkEmyrkforce-pushed thestevenmasley/typed_role_name branch from3977989 tofa2f704CompareJune 10, 2024 19:39
@EmyrkEmyrk marked this pull request as ready for reviewJune 10, 2024 20:00
@EmyrkEmyrk requested a review fromjohnstcnJune 10, 2024 21:03
Copy link
Member

@johnstcnjohnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

LGTM

@@ -199,7 +199,8 @@ func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogs
Roles: []codersdk.SlimRole{},
}

for _, roleName := range dblog.UserRoles {
for _, input := range dblog.UserRoles {
roleName, _ := rbac.RoleNameFromString(input)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Should we at least drop an error log if we were unable to covert any of the roles rom the db?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Since this is in the convert audit log, I think that could get quite noisy. I agree this is not ideal

Comment on lines +173 to +178
// TODO: Currently the api only returns site wide roles.
// Should it return organization roles?
rbacRole, err := rbac.RoleByName(rbac.RoleIdentifier{
Name: roleName,
OrganizationID: uuid.Nil,
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

follow-up for TODO?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm not going to do this until we get farther in the organization work.

Right now this api is used for the/users page on the UI. If I were to add it, then organization roles would pop up there, which is probably incorrect behavior.

So this is a genuine question if we should expand the roles returned, and on the UI filter out the organization ones. But at present, showing org roles at all is incorrect as orgs do not really exist.

Comment on lines +1540 to +1542
// TODO: This only supports mapping deployment wide roles. Organization scoped roles
// are unsupported.
if _, err := rbac.RoleByName(rbac.RoleIdentifier{Name: role}); err == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

follow-up for TODO

also, should we catch an attempt to lookup an org-scoped role here?

Emyrk reacted with thumbs up emoji
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Followup is already an issue:#12147

And we do check that an org scoped role is not assigned here:

iflen(role.Org)>0&&name.OrganizationID==uuid.Nil {

If you pass a nil uuid, and some org permissions exist, it will fail.

@EmyrkEmyrk merged commit5ccf508 intomainJun 11, 2024
27 checks passed
@EmyrkEmyrk deleted the stevenmasley/typed_role_name branchJune 11, 2024 13:55
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsJun 11, 2024
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@johnstcnjohnstcnjohnstcn approved these changes

Assignees

@EmyrkEmyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@Emyrk@johnstcn
[8]ページ先頭
©2009-2025 Movatter.jp