Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: addowner_oidc_access_token tocoder_workspace data source#6042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
kylecarbs merged 2 commits intomainfromprovisionoidc
Mar 17, 2023

Conversation

@kylecarbs
Copy link
Member

@kylecarbskylecarbs self-assigned thisFeb 5, 2023
Copy link
Member

@deansheatherdeansheather left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This needs to be configurable via a flag. I think it should be disabled by default personally, but at the very least it needs to be the other way around IMO.

stringworkspace_id=5;
stringworkspace_owner_id=6;
stringworkspace_owner_email=7;
stringworkspace_owner_oidc_access_token=8;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

tabs vs spaces

@kylecarbs
Copy link
MemberAuthor

@deansheather why does this need to be configurable via a flag?

@deansheather
Copy link
Member

To prevent template admins from reading OIDC secrets without deployment approval. It seems dangerous to allow anyone with write access to templates to push an update that starts reading OIDC tokens and doing nefarious things with them.

We have a similar feature in v1 and it's disabled by default for this reason

@kylecarbs
Copy link
MemberAuthor

Hmm, fair. I suppose this would permit any template author to gain access to users inside of Coder, so it could be real bad. Some additional thought is needed on how we do it... 🤔

@bpmct
Copy link
Member

bpmct commentedFeb 8, 2023
edited
Loading

Can we make it disabled by default?

dtate-wave reacted with thumbs up emoji

@github-actions
Copy link

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

@github-actionsgithub-actionsbot added the staleThis issue is like stale bread. labelFeb 16, 2023
@bpmct
Copy link
Member

bpmct commentedMar 17, 2023
edited
Loading

We'll need to rethink our template authorship experience since theTemplate Admin role is already quite risky,as we have documented here.

Because of this, we'll just move forward with it on by default

@bpmctbpmct reopened thisMar 17, 2023
@kylecarbskylecarbsforce-pushed theprovisionoidc branch 2 times, most recently from6ac4c51 to43dfe91CompareMarch 17, 2023 20:09
@kylecarbskylecarbs removed the staleThis issue is like stale bread. labelMar 17, 2023
@kylecarbskylecarbs merged commitc3fb1b3 intomainMar 17, 2023
@kylecarbskylecarbs deleted the provisionoidc branchMarch 17, 2023 20:25
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsMar 17, 2023
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.

Reviewers

@deansheatherdeansheatherdeansheather left review comments

@bpmctbpmctbpmct approved these changes

Assignees

@kylecarbskylecarbs

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kylecarbs@deansheather@bpmct
[8]ページ先頭
©2009-2025 Movatter.jp