Skip to content

chore: document RBAC usage#14065

Merged
dannykopping merged 11 commits into
mainfrom
dk/rbacdoc
Sep 10, 2024
Merged

chore: document RBAC usage#14065
dannykopping merged 11 commits into
mainfrom
dk/rbacdoc

Conversation

@dannykopping
Copy link
Copy Markdown
Contributor

@dannykopping dannykopping commented Jul 31, 2024

Uses #14055 (credit to @johnstcn!) as a reference to demonstrate the use of the RBAC system.

@dannykopping dannykopping requested review from Emyrk and johnstcn July 31, 2024 13:32
@alwaysmeticulous

This comment was marked as outdated.

Sign in to view
@dannykopping dannykopping changed the title Document RBAC usage chore: document RBAC usage Jul 31, 2024
Emyrk
Emyrk reviewed Jul 31, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This overall looks good. The one missing piece is RBACObject() and the organizational scoping.

Something to note, if you use InOrg(), then you must be a member of the organization as well. What this means is if you have the user Alice make a workspace Worble in organization Orange, and Alice leaves the org, she can no longer use the workspace.

Despite having the user permission to do so.

This is stated here in the rego:

coder/coderd/rbac/policy.rego

Lines 241 to 243 in ceffff9

# If we are not a member of an org, and the object has an org, then we are
# not authorized. This is an "implied -1" for not being in the org.
org_ok

So the truth table for not being in an org (if the resource belongs to an org) has a Negative in the Org column.

Comment thread coderd/rbac/USAGE.md
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
@Emyrk Emyrk mentioned this pull request Aug 7, 2024
Merged
@github-actions github-actions Bot added the stale This issue is like stale bread. label Aug 9, 2024
@github-actions github-actions Bot closed this Aug 12, 2024
@johnstcn johnstcn reopened this Aug 12, 2024
@johnstcn johnstcn removed the stale This issue is like stale bread. label Aug 12, 2024
@dannykopping
Copy link
Copy Markdown
Contributor Author

dannykopping commented Aug 12, 2024

@johnstcn thanks for reopening; I'll try get to this today or tomorrow.

@github-actions github-actions Bot added the stale This issue is like stale bread. label Aug 27, 2024
@github-actions github-actions Bot closed this Aug 31, 2024
@dannykopping dannykopping reopened this Sep 3, 2024
@github-actions github-actions Bot removed the stale This issue is like stale bread. label Sep 4, 2024
dannykopping and others added 8 commits September 10, 2024 11:14
@dannykopping
Document RBAC usage
d1b6de6 
Signed-off-by: Danny Kopping <danny@coder.com>
@dannykopping
make fmt
23e01c5 
Signed-off-by: Danny Kopping <danny@coder.com>
@Emyrk @dannykopping
chore: fixup rbac/readme.md typos
706a3d8 
- Truth table had an incorrect result value in final row
- Permission format examples was missing the object type
- Fix actions list
- Code block a bash command
@johnstcn @dannykopping
make fumpt
4681b9d
@johnstcn @Emyrk @dannykopping
Apply suggestions from code review
6f240c9 
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
@johnstcn @dannykopping
make fmt
c2f29d0
@stirby @dannykopping
Minor fixups, added troubleshooting (#14519) (#14530)
26ca907 
(cherry picked from commit 66c8060)

Co-authored-by: Danny Kopping <danny@coder.com>
@dannykopping
Update usage docs
cf25746 
Signed-off-by: Danny Kopping <danny@coder.com>
johnstcn
johnstcn approved these changes Sep 10, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Thanks for taking this on @dannykopping !

Comment thread coderd/rbac/README.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
Comment thread coderd/rbac/USAGE.md Outdated
@dannykopping @johnstcn
Apply suggestions from code review
5fa2b96 
Co-authored-by: Cian Johnston <cian@coder.com>
Emyrk
Emyrk approved these changes Sep 10, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love all this ❤️

Comment thread coderd/rbac/USAGE.md Outdated
@dannykopping @Emyrk
Update coderd/rbac/USAGE.md
257962b 
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
@dannykopping dannykopping enabled auto-merge (squash) September 10, 2024 14:36
@dannykopping
Appease the linter gods
02f7447 
Signed-off-by: Danny Kopping <danny@coder.com>
@dannykopping dannykopping merged commit 914f35a into main Sep 10, 2024
@dannykopping dannykopping deleted the dk/rbacdoc branch September 10, 2024 15:15
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@dannykopping dannykopping

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dannykopping @johnstcn @Emyrk @stirby