chore(coderd/rbac): add Action{Create,Delete}Agent to ResourceWorkspace #17932


Merged
DanielleMaywood merged 2 commits into main from dm-workspace-agent-rbac-actions
May 20, 2025

Conversation

@DanielleMaywood (Contributor):

This PR adds two new actions: `ActionCreateAgent` and `ActionDeleteAgent`. The former is used in this PR for `InsertWorkspaceAgent`, with the latter to be used in a follow-up PR for Dev Container Agents.

A note has been left in `dbauthz.go` for `InsertWorkspaceAgent` detailing why it is allowed to insert a workspace agent when no workspace could be found.

DanielleMaywood marked this pull request as ready for review, May 20, 2025 10:14
DanielleMaywood requested review from Emyrk and johnstcn and removed the request for Emyrk, May 20, 2025 10:14
}))
s.Run("InsertWorkspaceAgent",s.Subtest(func(db database.Store,check*expects) {
dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)
u:=dbgen.User(s.T(),db, database.User{})
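Review bot: `dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)` on the first line of this subtest means the inserted agent does not have to reference an existing workspace, so what this subtest exercises is the not-found fallback discussed in the thread rather than the workspace-scoped `ActionCreateAgent` check. A one-line comment saying so, or a second subtest that builds a real workspace and asserts the org/owner-scoped decision, would make the intent of the test explicit.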
Member:

Can we also add a test to validate:

  • A user in org A cannot create or delete an agent in org B?
  • A user in org A cannot delete an agent owned by a different user?

Contributor (Author):

Sure thing!

Comment on lines +229 to +237
{
Name:"CreateDeleteWorkspaceAgent",
Actions: []policy.Action{policy.ActionCreateAgent,policy.ActionDeleteAgent},
Resource:rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
AuthorizeMap:map[bool][]hasAuthSubjects{
true: {owner,orgMemberMe,orgAdmin},
false: {setOtherOrg,memberMe,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin,orgAuditor,orgMemberMeBanWorkspace},
},
},
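Review bot: the `false` set in this case is what answers the cross-org and cross-user questions raised above: `setOtherOrg` is a user from another org and `memberMe` is a site member outside the workspace's org, while the `true` set (`owner`, `orgMemberMe`, `orgAdmin`) matches the resource built with `.InOrg(orgID).WithOwner(currentUser.String())`. Because the case bundles `policy.ActionCreateAgent` and `policy.ActionDeleteAgent` under one name, it only holds while both actions are meant to have identical policy; since the description says delete is wired up in a follow-up for dev container agents, a comment stating that the two are expected to stay identical (or two separate cases) would prevent a later divergence from going unnoticed.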
Contributor (Author):

@johnstcn Does this not already cover the tests you've suggested?

Member:

I think you're right actually!

@johnstcn (Member) left a comment:

Approving, but would like a second opinion from@Emyrk

Comment on lines +3721 to +3723
iferr:=q.authorizeContext(ctx,policy.ActionCreateAgent,workspace);err!=nil {
return database.WorkspaceAgent{},err
}
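Review bot: when the preceding lookup returned `sql.ErrNoRows`, the `workspace` passed to `q.authorizeContext(ctx,policy.ActionCreateAgent,workspace)` here is the zero value, so the check runs against an unscoped resource and, as noted below in review, only site-wide roles (owner, system, provisioner) pass. The explanatory note the description mentions belongs directly above this `if` so the fallback is visible at the call site, and it is worth emitting a log line on that path so any occurrence outside the test infrastructure and template-build flow described later in the thread is observable.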
Member:

If the err is `sql.ErrNoRows`, then this requires site wide permission. So only owner, system, and provisioner can do it. Is that ok?

What does it mean to insert a workspace agent without a workspace build?

Contributor (Author):

With regards to our current test infrastructure, this happens quite often:

  • A workspace is created
  • A provisioner job is created
  • A workspace resource is created
  • A workspace agent is created
  • Maybe a workspace build is created

Unfortunately there is no way we can link back the resource to the workspace. We could always rewrite these tests but that might be a big change.

Another situation where this goes wrong is with workspace templates:

When attempting to update a workspace template, it will fail the job because it cannot insert a workspace agent. I'm not entirely sure why `InsertWorkspaceAgent` is invoked for the "Build" template flow but that is an example of where I don't think we have an actual workspace to link back to.
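To make the fallback discussed in this thread concrete, here is an added Go model written for this page (it is not Coder's rbac or dbauthz code; the `Subject` and `Workspace` types, the role names and the map layout are assumptions): `ActionCreateAgent`/`ActionDeleteAgent` are scoped to the workspace's org and owner, mirroring the true/false sets in the test case above, and a zero-value workspace, standing in for `sql.ErrNoRows`, lets only site-wide roles through.

```go
package main

import "fmt"

// Action mirrors the two actions the PR adds (assumed model, not Coder's rbac package).
type Action string

const (
	ActionCreateAgent Action = "create_agent"
	ActionDeleteAgent Action = "delete_agent"
)

// Workspace is the resource being authorized; the zero value stands in for the
// sql.ErrNoRows case where no workspace could be found.
type Workspace struct{ ID, OrgID, OwnerID string }

// Subject is a simplified actor (hypothetical shape, not coderd's rbac.Subject).
type Subject struct {
	UserID    string
	SiteRoles map[string]bool // "owner", "system", "provisioner" grant site-wide access
	OrgMember map[string]bool // orgID -> member of that org
	OrgAdmin  map[string]bool // orgID -> admin of that org
}

// Authorize reports whether s may perform act on ws.
func Authorize(s Subject, act Action, ws Workspace) bool {
	if act != ActionCreateAgent && act != ActionDeleteAgent {
		return false
	}
	// Site-wide roles pass regardless of how the resource is scoped.
	if s.SiteRoles["owner"] || s.SiteRoles["system"] || s.SiteRoles["provisioner"] {
		return true
	}
	// No workspace found: there is nothing to scope against, so everyone else is denied.
	if ws == (Workspace{}) {
		return false
	}
	// Scoped check: caller must be in the workspace's org and be its owner or an org admin.
	if !s.OrgMember[ws.OrgID] {
		return false // the setOtherOrg / memberMe rows of the test table
	}
	return s.OrgAdmin[ws.OrgID] || s.UserID == ws.OwnerID
}

func main() {
	ws := Workspace{ID: "ws-1", OrgID: "org-a", OwnerID: "alice"} // constructed sample
	me := Subject{UserID: "alice", OrgMember: map[string]bool{"org-a": true}}
	fmt.Println("scoped:", Authorize(me, ActionCreateAgent, ws), "not found:", Authorize(me, ActionCreateAgent, Workspace{}))
}
```

The same owner who is allowed on the scoped workspace is denied on the zero-value one, which is exactly the "requires site wide permission" behaviour described above.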

@Emyrk (Member) left a comment:

My comment is not blocking

DanielleMaywood merged commit 3e7ff9d into main, May 20, 2025
36 checks passed
DanielleMaywood deleted the dm-workspace-agent-rbac-actions branch, May 20, 2025 20:20
github-actions bot locked and limited conversation to collaborators, May 20, 2025

Reviewers

@johnstcn approved these changes

@Emyrk approved these changes

Assignees

@DanielleMaywood


4 participants

@DanielleMaywood, @johnstcn, @Emyrk
