Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat(provisioner): add support for workspace_owner_rbac_roles#16407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation

@nxf5025
Copy link
Contributor

Part ofcoder/terraform-provider-coder#330

Adds support for the coder_workspace_owner.rbac_roles attribute

josephteddick reacted with thumbs up emoji
@cdr-botcdr-botbot added the communityPull Requests and issues created by the community. labelFeb 3, 2025
@github-actions
Copy link

github-actionsbot commentedFeb 3, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by theCLA Assistant Lite bot.

@nxf5025
Copy link
ContributorAuthor

I have read the CLA Document and I hereby sign the CLA

cdrci2 added a commit to coder/cla that referenced this pull requestFeb 3, 2025
@matifalimatifali requested a review fromEmyrkFebruary 3, 2025 18:23
@nxf5025nxf5025force-pushed theprovisioner-terraform-workspace-owner-rbac-roles branch frombf30eee toada6342CompareFebruary 3, 2025 19:12
Copy link
Member

@EmyrkEmyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Sorry for responding so late. I have the time to help push this forward now 👍

Comment on lines 597 to 608
ownerRbacRoles:= []string{}
for_,role:=rangeowner.RBACRoles {
ownerRbacRoles=append(ownerRbacRoles,role)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Unfortunately this is not sufficient.

This is the code we use to fetch all the user's roles from the database:

https://github.com/coder/coder/blob/main/coderd/httpmw/apikey.go#L447-L475

So we should change this to:

Suggested change
ownerRbacRoles:= []string{}
for_,role:=range owner.RBACRoles {
ownerRbacRoles=append(ownerRbacRoles,role)
}
roles,err:=s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx),owner.ID)
iferr!=nil {
// Should we fail the job?
}
ownerRbacRoles:= []string{}
for_,role:=range roles.Roles {
ownerRbacRoles=append(ownerRbacRoles,role)
}

This will include all org roles as<org-id>:<org-role>. Would it be possible to have therole datatype be a struct, instead oflist(string)?

role {  namestring  org-idstring}

This would be preferred, as roles are uniquely identified by the pair of(org-id, rolename). And roles at the site wide level just have the uuid of000...000

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Makes perfect sense to me! Just updated the PR

Emyrk reacted with thumbs up emoji
@nxf5025nxf5025force-pushed theprovisioner-terraform-workspace-owner-rbac-roles branch fromada6342 tof70ff35CompareFebruary 7, 2025 16:51
Copy link
Member

@EmyrkEmyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is looking good 👍. Some minor nits, and then I'll approve.

}
ownerRbacRoles:= []*sdkproto.OwnerRbacRoles{}
for_,role:=rangeroles.Roles {
ownerRbacRoles=append(ownerRbacRoles,&sdkproto.OwnerRbacRoles{Name:role,OrgId:s.OrganizationID.String()})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think we should convert the nil uuid to the empty string. Since we losing the parseduuid, determining a nil uuid is trickier on the other side of the communication. Just pass the empty string to indicate "no org id"

Suggested change
ownerRbacRoles=append(ownerRbacRoles,&sdkproto.OwnerRbacRoles{Name:role,OrgId:s.OrganizationID.String()})
ifs.OrganizationID== uuid.Nil {
ownerRbacRoles=append(ownerRbacRoles,&sdkproto.OwnerRbacRoles{Name:role,OrgId:""})
continue
}
ownerRbacRoles=append(ownerRbacRoles,&sdkproto.OwnerRbacRoles{Name:role,OrgId:s.OrganizationID.String()})

nxf5025 reacted with thumbs up emoji
})
}

roles,err:=s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx),owner.ID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Thectx should already have the right perms. If it does not, we can add what it needs to here:https://github.com/coder/coder/blob/main/coderd/database/dbauthz/dbauthz.go#L164-L193

Suggested change
roles,err:=s.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx),owner.ID)
roles,err:=s.Database.GetAuthorizationUserRoles(ctx,owner.ID)

nxf5025 reacted with thumbs up emoji
DESTROY=2;
}

messageOwnerRbacRoles {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Role is descriptive enough imo.

Suggested change
messageOwnerRbacRoles {
messageRole {

nxf5025 reacted with thumbs up emoji
@nxf5025nxf5025force-pushed theprovisioner-terraform-workspace-owner-rbac-roles branch fromf70ff35 tob960125CompareFebruary 13, 2025 14:00
@nxf5025
Copy link
ContributorAuthor

Updated PR based on suggestions

Copy link
Member

@EmyrkEmyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Thanks for the persistence 👍

Just a nit about the unit test

Value:"member",
}, {
Key:"rbac_roles_org_id",
Value:"00000000-0000-0000-0000-000000000000",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Suggested change
Value:"00000000-0000-0000-0000-000000000000",
Value:"",

},
Request:&proto.PlanRequest{
Metadata:&proto.Metadata{
WorkspaceOwnerRbacRoles: []*proto.Role{{Name:"member",OrgId:"00000000-0000-0000-0000-000000000000"}},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think the test should be an empty string now?

Suggested change
WorkspaceOwnerRbacRoles: []*proto.Role{{Name:"member",OrgId:"00000000-0000-0000-0000-000000000000"}},
WorkspaceOwnerRbacRoles: []*proto.Role{{Name:"member",OrgId:""}},

@Emyrk
Copy link
Member

@nxf5025 can you make the test changes and merge/rebase? I will then merge

@nxf5025nxf5025force-pushed theprovisioner-terraform-workspace-owner-rbac-roles branch fromb960125 tobd9d6c8CompareFebruary 19, 2025 20:54
@nxf5025
Copy link
ContributorAuthor

Hey@Emyrk sorry for the delay. Got hit with the flu. I just rebased and updated the test.

Emyrk reacted with heart emoji

@Emyrk
Copy link
Member

@nxf5025 np, thank you for getting this in!

@github-actionsgithub-actionsbot added the staleThis issue is like stale bread. labelFeb 27, 2025
@nxf5025
Copy link
ContributorAuthor

@Emyrk - I see this went stale and got closed. Anything you need from me to get this in?

@EmyrkEmyrk reopened thisMar 2, 2025
@EmyrkEmyrk merged commitca23abe intocoder:mainMar 2, 2025
56 of 59 checks passed
@Emyrk
Copy link
Member

@nxf5025 merged!

@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsMar 2, 2025
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.

Reviewers

@EmyrkEmyrkEmyrk approved these changes

Assignees

@nxf5025nxf5025

Labels

communityPull Requests and issues created by the community.staleThis issue is like stale bread.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nxf5025@Emyrk
[8]ページ先頭
©2009-2025 Movatter.jp