f[WIP] eat(sdf): Protect Admin Routes behind a new Administer role #5007
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We have an admin page controlled by a feature flag. We locked the API endpoints down to be those with systeminit.com emails, but we want to take advantage of spicedb to make this work correctly Even if a user gets to the WorkspaceAdmin page, we have locked down all of the API endpoints for them based on a new role in spicedb This role will be manually granted and can be done so using the following Zed cli command: ``` zed relationship create system:system admin administer:<user_pk> ``` This will be granted by TechOps on the SystemInitiative users that need access to it so that it can be tracked correctly
stack72
force-pushed
the
protect-system-admin-routes
branch
from
7d1e93a to
e2746c8
Compare
britmyerss
reviewed
Nov 21, 2024
| } | ||
|
|
||
| #[derive(Clone, Copy, strum::Display, Debug)] | ||
| #[strum(serialize_all = "snake_case")] | ||
| pub enum Relation { | ||
| Approver, | ||
| Owner, | ||
| Admin, |
There was a problem hiding this comment.
You know - I actually wonder if owner can also just work here. Only it'd be owner of the system vs the workspace
sprutton1
reviewed
Nov 21, 2024
| @@ -206,6 +209,10 @@ impl PermissionBuilder { | |||
| self.object(ObjectType::Workspace, id) | |||
| } | |||
|
|
|||
| pub fn system_object(self) -> Self { | |||
| self.object(ObjectType::System, "system") | |||
There was a problem hiding this comment.
Do we ever want different permission sets for different systems? Maybe this should be "sdf"
|
ok after talking this over with @sprutton1 and @britmyerss we are going to do the following:
|
stack72
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have an admin page controlled by a feature flag. We locked the API endpoints down to be those with systeminit.com emails, but we want to take advantage of spicedb to make this work correctly
Even if a user gets to the WorkspaceAdmin page, we have locked down all of the API endpoints for them based on a new role in spicedb
This role will be manually granted and can be done so using the following Zed cli command:
This will be granted by TechOps on the SystemInitiative users that need access to it so that it can be tracked correctly