feat(coderd): gate org-member workspace elevation behind experiment #26027
Open
Emyrk wants to merge 1 commit into
This was referenced Jun 3, 2026
Adds RoleOptions.MinimumImplicitMember. When the minimum-implicit-member experiment is on, OrgMemberPermissions and OrgServiceAccountPermissions omit the workspace-ops elevation (OrgWorkspaceAccessMemberPerms). Members of the org then only have the floor unless granted organization-workspace-access via default_org_member_roles or direct assignment. Read once at startup from coderd.New. Flip the experiment, then restart coderd. Refs #25936.

Refs #25936. Stacks on #26003.
Gates the workspace-ops elevation on `organization-member` and `organization-service-account` behind the `minimum-implicit-member` experiment.

- `organization-workspace-access`.
- `organization-workspace-access` from an org's `default_org_member_roles` actually removes workspace access from that org's members.

Implementation notes

- `RoleOptions.MinimumImplicitMember` mirrored into a package-level `atomic.Bool` in `coderd/rbac/object.go` (same pattern as `workspaceACLDisabled` / `chatACLDisabled`). `OrgMemberPermissions` and `OrgServiceAccountPermissions` are called from rolestore without access to api instance state, so the global is the existing escape hatch.
- `ReloadBuiltinRoles` stores the value. `OrgMemberPermissions` and `OrgServiceAccountPermissions` read it via `MinimumImplicitMember()`.
- `coderd.New` reads the experiment via `experiments.Enabled(codersdk.ExperimentMinimumImplicitMember)` and passes it through. `ReadExperiments(...)` moved up so it's available before the `ReloadBuiltinRoles` call.
- `ReloadBuiltinRoles` widened to include the experiment, otherwise the option would never reach the rbac package on deployments that have no `Disable*` flags set.

Coder Agents on behalf of @Emyrk.
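A simplified sketch of the gating pattern the implementation notes describe, added here as an example and not taken from this PR or from coder's code base. The types, the lowercase function names and the permission strings are constructed stand-ins; only the role name and the option name come from the description.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// RoleOptions is a hypothetical stand-in, not coder's real struct.
type RoleOptions struct{ MinimumImplicitMember bool }

var (
	minimumImplicitMember atomic.Bool // package-level mirror of the option
	// Constructed permission names, for illustration only.
	floorPerms     = []string{"organization:read"}
	workspacePerms = []string{"workspace:create", "workspace:ssh"}
)

// reloadBuiltinRoles stores the option; the caller runs it once at startup.
func reloadBuiltinRoles(o RoleOptions) { minimumImplicitMember.Store(o.MinimumImplicitMember) }

// orgMemberPermissions returns the floor, plus the elevation while the gate is off.
func orgMemberPermissions() []string {
	perms := append([]string{}, floorPerms...)
	if !minimumImplicitMember.Load() {
		perms = append(perms, workspacePerms...)
	}
	return perms
}

// effective merges the implicit grant with explicitly assigned roles.
func effective(roles []string) map[string]bool {
	out := map[string]bool{}
	for _, p := range orgMemberPermissions() {
		out[p] = true
	}
	for _, r := range roles {
		if r == "organization-workspace-access" {
			for _, p := range workspacePerms {
				out[p] = true
			}
		}
	}
	return out
}

func main() {
	reloadBuiltinRoles(RoleOptions{MinimumImplicitMember: true})
	fmt.Println(effective(nil), effective([]string{"organization-workspace-access"}))
}
```

Because the flag is process-global and stored at startup, a changed setting reaches the permission builders only when the store runs again, which is why the commit message says to flip the experiment and then restart coderd.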