Skip to content

feat: add public RBAC scope catalog for user-requestable permissions#19913

Merged
ThomasK33 merged 1 commit into
mainfrom
thomask33/09-22-add_curated_scope_catalog
Sep 26, 2025
Merged

feat: add public RBAC scope catalog for user-requestable permissions#19913
ThomasK33 merged 1 commit into
mainfrom
thomask33/09-22-add_curated_scope_catalog

Conversation

@ThomasK33
Copy link
Copy Markdown
Member

@ThomasK33 ThomasK33 commented Sep 22, 2025

Add a curated catalog of public RBAC scopes

This PR introduces a curated catalog of public RBAC scopes that are exposed to users. It adds:

  • A publicLowLevel map in scopes_catalog.go that defines which resource:action pairs are user-requestable
  • IsPublicLowLevel() function to check if a scope is in the public catalog
  • PublicLowLevelScopeNames() function that returns a sorted list of public scopes
  • Tests to verify the catalog entries are valid and properly sorted
  • Updated documentation in the check-scopes README to clarify that public scopes should be added to this catalog

This change helps distinguish between internal-only scopes and those that should be exposed to users in the API.

This was referenced Sep 22, 2025
Merged
Merged
Merged
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Sep 22, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Sep 22, 2025
Merged
@ThomasK33 ThomasK33 requested a review from Emyrk September 22, 2025 13:50
@ThomasK33 ThomasK33 marked this pull request as ready for review September 22, 2025 13:50
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from fdb2822 to 4f64c51 Compare September 22, 2025 14:17
This was referenced Sep 22, 2025
Merged
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from 4f64c51 to caa7377 Compare September 22, 2025 15:28
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 6de9975 to 99afbd9 Compare September 22, 2025 15:28
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from caa7377 to bf1e4e9 Compare September 22, 2025 16:33
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 99afbd9 to 6a22bcc Compare September 22, 2025 16:33
Emyrk
Emyrk reviewed Sep 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The name PublicLowLevel feels strange. We could probably just call it Public? Or External to mirror the Internal language you have in the comments.

Comment thread coderd/rbac/scopes_catalog.go Outdated
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 6a22bcc to 2dc79e0 Compare September 22, 2025 17:03
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from bf1e4e9 to 76ae5ab Compare September 22, 2025 17:03
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Sep 22, 2025

The name PublicLowLevel feels strange. We could probably just call it Public? Or External to mirror the Internal language you have in the comments.

I updated it to IsPublicScope and PublicScopeNames in #19917.
I'll look into splitting off those changes and squashing them into this PR.

Or External to mirror the Internal language you have in the comments.

I don't really have a preference here. When I initially named it, I was thinking of public and private regarding OOP and field access. I am happy to rename it to better match our existing (user-facing) nomenclature.

@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 2dc79e0 to 92537e5 Compare September 22, 2025 17:27
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from 76ae5ab to f1eed85 Compare September 22, 2025 17:28
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 92537e5 to 4810c5e Compare September 22, 2025 17:42
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch 3 times, most recently from c96c93d to 0ae1500 Compare September 23, 2025 08:53
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 4810c5e to 6d04e1c Compare September 23, 2025 08:53
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch 2 times, most recently from b7ba894 to f8099fd Compare September 23, 2025 20:53
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from 6d04e1c to 49feb2d Compare September 23, 2025 20:53
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from f8099fd to fbe5b58 Compare September 24, 2025 08:36
@ThomasK33 ThomasK33 mentioned this pull request Sep 24, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch 2 times, most recently from eddb2a7 to ab8574e Compare September 24, 2025 16:07
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from bff79c8 to 62cab0f Compare September 24, 2025 16:07
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from ab8574e to cffaa05 Compare September 24, 2025 16:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from 62cab0f to 5ede22e Compare September 24, 2025 16:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-19-feat_add_scope_constants_generation branch from cffaa05 to 84de60e Compare September 24, 2025 16:27
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from 5ede22e to efcde0d Compare September 24, 2025 16:27
@ThomasK33 ThomasK33 changed the base branch from thomask33/09-19-feat_add_scope_constants_generation to graphite-base/19913 September 24, 2025 16:40
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from efcde0d to 7b2678b Compare September 24, 2025 16:40
@graphite-app graphite-app Bot changed the base branch from graphite-base/19913 to main September 24, 2025 16:41
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch 5 times, most recently from 8e56891 to 2cddda5 Compare September 25, 2025 15:46
@ThomasK33 ThomasK33 mentioned this pull request Sep 25, 2025
Merged
@ThomasK33 ThomasK33 requested a review from Emyrk September 25, 2025 15:51
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch 2 times, most recently from 6258186 to 4f84ffa Compare September 25, 2025 16:05
@ThomasK33 ThomasK33 requested a review from aslilac September 25, 2025 18:32
@ThomasK33 ThomasK33 mentioned this pull request Sep 25, 2025
Merged
Emyrk
Emyrk approved these changes Sep 25, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing blocking

Comment thread coderd/rbac/scopes_catalog.go
Comment thread coderd/rbac/scopes_catalog.go
@ThomasK33
feat: add curated public API key scope catalog
6466375 
Add public low-level scope catalog to RBAC system with curated set of
user-requestable scopes. Includes workspace, template, API key, file,
personal user, and user secret scopes. Updates scope checking
documentation to reference new catalog location in rbac package.
@ThomasK33 ThomasK33 force-pushed the thomask33/09-22-add_curated_scope_catalog branch from 4f84ffa to 6466375 Compare September 26, 2025 07:45
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Sep 26, 2025
edited
Loading

Merge activity

  • Sep 26, 9:30 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Sep 26, 9:30 AM UTC: @ThomasK33 merged this pull request with Graphite.

@ThomasK33 ThomasK33 merged commit 47c92ad into main Sep 26, 2025
28 checks passed
@ThomasK33 ThomasK33 deleted the thomask33/09-22-add_curated_scope_catalog branch September 26, 2025 09:30
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 26, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Emyrk Emyrk Emyrk approved these changes

@aslilac aslilac Awaiting requested review from aslilac

Assignees

@ThomasK33 ThomasK33

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ThomasK33 @Emyrk