Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: client side access control (WIP) #27174

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

feat: client side access control (WIP) #27174

wants to merge 9 commits into from
+620 −310

Conversation

zlwaterfield
Copy link
Contributor

@zlwaterfield zlwaterfield commented Dec 27, 2024
edited
Loading

Changes

(this is still a WIP but wanted feedback on the implementation so far)

Follow along with all RBAC changes here: #24512

This PR is starting to layer on the client side access control changes. This PR is trying to layer on these changes without affecting this current experience. The main goal is to block access to actions where the user does not have access (editing, renaming, deleting, etc.). The API handles all this but we want the client to properly render what actions the user has access to.

It includes

  • API middleware to render UI for access denied when a resource being loaded 403s
  • New AccessControlAction wrapper component to make the experience consistent for showing the user doesn't have access - takes in required levels and current levels and returns a message if they don't have access and why
  • New hasResourceAccess method in the access control logic that the AccessControlAction uses to determine access

TODO:

  • client
    • only run API middleware for access when feature flag is on
    • get the access control check for canEditInsight and canEditDashboard working
    • thinking through what edit access means - duplicating? editing SQL? adding insight to dashboard?
    • review feature flag can_edit and make sure this doesn't break anything + works as expected going forward
    • make sure all edit level actions are being covered for feature flags, notebooks, insights and dashboards
  • API
    • limit list requests from API for Insights and Dashboards
    • dashboard retrieve access is not working

Note: this has not been implemented for projects, teams, or environments - it's focused on resources.

Feedback

Asking all leads for reviews as this will affect all teams once implemented. Please provide thoughts/feedback on the way this implemented. This is attempting to make a reuseable pattern to it's easy to add access level checks.

An alternative approach could be to return an object from hasResourceAccess which has the disabled reason and the wrapper is not needed.

👉 Stay up-to-date with PostHog coding conventions for a smoother review.

Does this work well for both Cloud and self-hosted?

Yes

How did you test this code?

Manually testing + will add some snapshots

@zlwaterfield zlwaterfield self-assigned this Dec 27, 2024
zlwaterfield
zlwaterfield commented Dec 27, 2024
View reviewed changes
frontend/src/lib/logic/apiStatusLogic.ts
@@ -46,6 +61,13 @@ export const apiStatusLogic = kea<apiStatusLogicType>([
const data = await response?.json()
if (data.detail === 'This action requires you to be recently authenticated.') {
actions.setTimeSensitiveAuthenticationRequired(true)
} else if (data.code === 'permission_denied') {
// TODO - only do if the RBAC feature flag is enabled
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

importing feature flag logic here is breaking this logic so haven't figured out this check yet

zlwaterfield
zlwaterfield commented Dec 27, 2024
View reviewed changes
frontend/src/scenes/dashboard/dashboardLogic.tsx
if (featureFlags[FEATURE_FLAGS.ROLE_BASED_ACCESS_CONTROL]) {
return true
// TODO: figure out how to access this method
// return hasResourceAccess({ userAccessLevel: dashboard.user_access_level, requiredLevels: ['admin', 'editor'] })
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to figure out how to access access control logic hasResourceAccess

zlwaterfield
zlwaterfield commented Dec 27, 2024
View reviewed changes
frontend/src/scenes/insights/insightLogic.tsx
if (featureFlags[FEATURE_FLAGS.ROLE_BASED_ACCESS_CONTROL]) {
return true
// TODO: figure out how to access this method
// return hasResourceAccess({ userAccessLevel: insight.user_access_level, requiredLevels: ['admin', 'editor'] })
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to figure out how to access access control logic hasResourceAccess

@github-actions GitHub Actions
Copy link
Contributor

Size Change: +547 B (+0.05%)

Total Size: 1.11 MB

ℹ️ View Unchanged
Filename Size Change
frontend/dist/toolbar.js 1.11 MB +547 B (+0.05%)

compressed-size-action

@zlwaterfield zlwaterfield changed the title feat: client side access control feat: client side access control (WIP) Dec 27, 2024
@zlwaterfield zlwaterfield mentioned this pull request Dec 27, 2024
Open
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aspicer aspicer Awaiting requested review from aspicer

@Twixes Twixes Awaiting requested review from Twixes

@dmarticus dmarticus Awaiting requested review from dmarticus

@daibhin daibhin Awaiting requested review from daibhin

@neilkakkar neilkakkar Awaiting requested review from neilkakkar

@EDsCODE EDsCODE Awaiting requested review from EDsCODE

@benjackwhite benjackwhite Awaiting requested review from benjackwhite

At least 1 approving review is required to merge this pull request.

Assignees

@zlwaterfield zlwaterfield

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@zlwaterfield