chore: document RBAC usage #14065
This overall looks good. The one missing piece is `RBACObject()` and the organizational scoping.

Something to note, if you use `InOrg()`, then you must be a member of the organization as well. What this means is if you have the user Alice make a workspace Worble in organization Orange, and Alice leaves the org, she can no longer use the workspace. Despite having the user permission to do so.

This is stated here in the rego:

Lines 241 to 243 in ceffff9

```
# If we are not a member of an org, and the object has an org, then we are
# not authorized. This is an "implied -1" for not being in the org.
org_ok
```

So the truth table for not being in an org (if the resource belongs to an org) has a `Negative` in the `Org` column.
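A minimal Go model of the org-scoping rule described in the comment above, added here as an illustration (it is not part of the review comment or the project's code). The `Vote`, `Subject` and `Object` types and the org-before-user evaluation order are simplifying assumptions; only the implied -1 for non-members comes from the quoted rego comment.

```go
package main

import "fmt"

// Vote is one level's verdict: -1 deny, 0 no opinion, +1 allow.
type Vote int

const Negative, Abstain, Positive Vote = -1, 0, 1

// Subject and Object are hypothetical stand-ins, not the project's types.
type Subject struct {
	ID       string
	OrgVotes map[string]Vote // org ID -> verdict of roles held there; key present = member
	UserVote Vote            // verdict of permissions on objects the subject owns
}

type Object struct{ Owner, OrgID string } // OrgID is empty when not org-scoped

// orgVote applies the quoted rule: an org-scoped object and a non-member
// subject yield an implied -1, whatever the user level would say.
func orgVote(s Subject, o Object) Vote {
	if o.OrgID == "" {
		return Abstain
	}
	if v, member := s.OrgVotes[o.OrgID]; member {
		return v
	}
	return Negative
}

// Authorized lets the org level decide first (assumed order), so a Negative
// org vote cannot be overridden by a Positive user-level permission.
func Authorized(s Subject, o Object) bool {
	user := Abstain
	if o.Owner == s.ID {
		user = s.UserVote
	}
	if org := orgVote(s, o); org != Abstain {
		return org == Positive
	}
	return user == Positive
}

func main() {
	// Constructed scenario from the comment: Alice, workspace Worble, org Orange.
	alice := Subject{ID: "alice", OrgVotes: map[string]Vote{"orange": Abstain}, UserVote: Positive}
	worble := Object{Owner: "alice", OrgID: "orange"}
	fmt.Println("member of orange:", Authorized(alice, worble))
	delete(alice.OrgVotes, "orange") // Alice leaves the org
	fmt.Println("after leaving:", Authorized(alice, worble))
}
```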
@johnstcn thanks for reopening; I'll try to get to this today or tomorrow.
Signed-off-by: Danny Kopping <danny@coder.com>
- Truth table had an incorrect result value in final row
- Permission format examples was missing the object type
- Fix actions list
- Code block a bash command
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Signed-off-by: Danny Kopping <danny@coder.com>
👍 Thanks for taking this on @dannykopping!
Co-authored-by: Cian Johnston <cian@coder.com>
Love all this ❤️
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Signed-off-by: Danny Kopping <danny@coder.com>
914f35a
into main
Uses #14055 (credit to @johnstcn!) as a reference to demonstrate the use of the RBAC system.