This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Add implied permissions - write permissions need read permissions to be useful #1411

Merged (6 commits) on Dec 17, 2020

@mikehelmick mikehelmick commented Dec 17, 2020

Fixes #1408

Proposed Changes

  • All write permissions automatically add required read permissions if they are not set.

Release Note

Setting write permissions automatically adds required read permissions.

@googlebot googlebot added the "cla: yes" label Dec 17, 2020
@mikehelmick mikehelmick changed the title from "[WIP] add implied permissions" to "Add implied permissions - write permissions need read permissions to be useful" Dec 17, 2020
@@ -63,9 +63,14 @@ func TestUpdate(t *testing.T) {

for _, permission := range rbac.NamePermissionMap {
permission := permission
target := fmt.Sprintf(`input#permission-%d`, permission)
targets := []string{fmt.Sprintf(`input#permission-%d`, permission)}
// We also ned to remove permissions that imply this permission, or it will be added back in.
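Review bot: the comment above `targets` has a typo ("ned" for "need") and does not say where the additional selectors come from. Since unchecking only `input#permission-%d` would be undone when an implying permission is still set, name the lookup used to collect those implying permissions in the comment. Consider also adding a case that unchecks only a read permission while its write permission stays checked and asserts the read permission is still present after the update, so the implied behaviour is tested directly rather than only worked around.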
Contributor

Suggested change
// We also ned to remove permissions that imply this permission, or it will be added back in.
// We also need to remove permissions that imply this permission, or it will be added back in.

impliedBy = make(map[Permission][]Permission)
)

// Note: there are multiple init functions in this file. They are organized to be
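Review bot: `impliedBy` is declared without a doc comment saying which direction it maps (whether the key is the implied permission or the one that implies it), and the note under it relies on several init functions in this file being arranged in a particular way. State the direction on the declaration, and either build the reverse map in one helper called from a single init or document the ordering requirement next to each init, so a later reorder cannot silently change what `impliedBy` contains when it is first read.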
Contributor

This is very clever and require/implied will always be in-sync.

but would it be easier to read as:
requiredPermission = map[Permission][]Permission{
    APIKeyRead:    {APIKeyWrite},
    SettingsRead:  {SettingsWrite},
    MobileAppRead: {MobileAppWrite},
    UserRead:      {UserWrite},
}

and perhaps keep init() in but instead just compare them and panic if they don't match up. That would also allow for them to be asymmetrical, e.g.
APIKeyWrite: {APIKeyRead, SuperPowers},
and
APIKeyRead: {APIKeyWrite},

Contributor

I realize I'm advocating both duplication and panic, but multiple-init is also weird

Member

Multi-init is pretty common tbh

Contributor Author

This actually allows for the asymmetry - we just don't have it yet.
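
As an added illustration of the design discussed in this review thread (not code from the PR or the project): one `required` map with the reverse `impliedBy` index derived from it, plus the revocation case the test change works around. The permission names come from the comments above; the bit values, `AddImplied`, `Revoke` and the write-to-read direction of `required` are assumptions.

```go
package main

// Permission is a bit flag; names are from the PR, bit values are constructed.
type Permission int64

const (
	APIKeyRead Permission = 1 << iota
	APIKeyWrite
	SettingsRead
	SettingsWrite
)

// required lists what each permission needs in order to be usable.
var required = map[Permission][]Permission{
	APIKeyWrite:   {APIKeyRead},
	SettingsWrite: {SettingsRead},
}

// impliedBy is the reverse index, derived so the two maps cannot drift apart.
var impliedBy = func() map[Permission][]Permission {
	m := make(map[Permission][]Permission)
	for holder, needs := range required {
		for _, n := range needs {
			m[n] = append(m[n], holder)
		}
	}
	return m
}()

// AddImplied sets what each held permission requires (one level deep here).
func AddImplied(p Permission) Permission {
	for holder, needs := range required {
		for _, n := range needs {
			if p&holder != 0 {
				p |= n
			}
		}
	}
	return p
}

// Revoke clears target and its implying permissions, so AddImplied cannot restore it.
func Revoke(p, target Permission) Permission {
	for _, holder := range impliedBy[target] {
		p &^= holder
	}
	return p &^ target
}

func main() { println(AddImplied(APIKeyWrite), Revoke(APIKeyWrite|APIKeyRead, APIKeyRead)) }
```

Clearing only the read bit and then normalizing again would grant it straight back, which is why `Revoke` walks `impliedBy` first.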

Member

@sethvargo sethvargo left a comment

/lgtm

I'll clean up the spelling in another PR (gonna add some JavaScript that uses this)

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick, sethvargo

Needs approval from an approver in each of these files:
  • OWNERS [mikehelmick,sethvargo]

@google-oss-robot google-oss-robot merged commit 9882d96 into google:main Dec 17, 2020
@mikehelmick mikehelmick deleted the issue1408 branch December 17, 2020 16:33
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 19, 2020
Successfully merging this pull request may close these issues.

RBAC Write permissions should include Read