Update AccessList Proto, AccessList & AccessListMember types, add Hierarchy utils #47828
Conversation
kiosion
added
the
no-changelog
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
48a0366
to
aac30cf
Compare
This comment was marked as outdated.
This comment was marked as outdated.
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
aac30cf
to
9f961ba
Compare
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
9f961ba
to
e2eafd8
Compare
|
🤖 Vercel preview here: https://docs-b8sev9aux-goteleport.vercel.app/docs/ver/preview |
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
e2eafd8
to
d31db51
Compare
|
🤖 Vercel preview here: https://docs-8mejpmy5t-goteleport.vercel.app/docs/ver/preview |
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
d31db51
to
3acb03d
Compare
|
🤖 Vercel preview here: https://docs-ia3ox80t5-goteleport.vercel.app/docs/ver/preview |
github-actions
bot
requested review from
bernardjkim,
hugoShaka,
marcoandredinis,
mmcallister,
ptgott,
r0mant,
tigrato,
xinding33 and
zmb3
|
@kiosion - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
|
🤖 Vercel preview here: https://docs-kpk92pprv-goteleport.vercel.app/docs/ver/preview |
r0mant
requested review from
smallinsky and
fspmarshall
and removed request for
marcoandredinis,
mmcallister,
bernardjkim,
hugoShaka,
xinding33,
ptgott and
tigrato
| @@ -71,6 +71,12 @@ message AccessListSpec { | |||
|
|
|||
| // owner_grants describes the access granted by owners to this Access List. | |||
| AccessListGrants owner_grants = 11; | |||
|
|
|||
| // owner_of describes Access Lists that this Access List is an explicit owner of. | |||
| repeated string owner_of = 12; | |||
There was a problem hiding this comment.
Do we need to keep track of this information for every access list?
There was a problem hiding this comment.
My concern here is that AL being imported by sync utils will have to preserve these fields when they grant access to Teleport access lists.
If we don't need to specify these here and can compute them when needed, it would be much better.
There was a problem hiding this comment.
yes, these need to be tracked for every list. I don't love either option... computing when needed is what was initially implemented, but it was much more expensive and required passing around all existing access lists for checks
There was a problem hiding this comment.
Can we store it under different keys if the goal is to keep it internal?
Or move it to the status field
There was a problem hiding this comment.
Status aren't meant to be edited by users and you can always keep the state there. We can probably keep some logic to keep it when reconcilers run
There was a problem hiding this comment.
Is the status field persisted?
There was a problem hiding this comment.
Yes, we persist status fields and the operator/terraform skips them IIRC
There was a problem hiding this comment.
No objections from me to moving these fields to status as users aren't supposed to set them.
There was a problem hiding this comment.
Moved them into status, it wasn't persisted previously so I named the json/yaml field as status and set the member/nested list count fields within it to -. LMK if it looks good
docs/pages/reference/operator-resources/resources.teleport.dev_accesslists.mdx
Outdated
Show resolved
Hide resolved
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
4d5bd8a
to
111c516
Compare
|
🤖 Vercel preview here: https://docs-971v2tura-goteleport.vercel.app/docs/ver/preview |
api/types/accesslist/accesslist.go
Outdated
| if a.Spec.OwnerOf == nil { | ||
| a.Spec.OwnerOf = []string{} | ||
| } | ||
|
|
||
| if a.Spec.MemberOf == nil { | ||
| a.Spec.MemberOf = []string{} | ||
| } |
There was a problem hiding this comment.
Why the code flow distinguish between nil and []string{} array ?
| // membership_kind describes the type of membership, either | ||
| // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. | ||
| MembershipKind membership_kind = 9; |
There was a problem hiding this comment.
Seems like according to proto field order it should field nr. 8
| // membership_kind describes the type of membership, either | |
| // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. | |
| MembershipKind membership_kind = 9; | |
| // membership_kind describes the type of membership, either | |
| // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. | |
| MembershipKind membership_kind = 8; |
There was a problem hiding this comment.
iirc there was a reason it was set to field 9, let me see if I can find it..
| if len(a.Spec.Grants.Roles) == 0 && len(a.Spec.Grants.Traits) == 0 { | ||
| return trace.BadParameter("grants must specify at least one role or trait") | ||
| } |
There was a problem hiding this comment.
Does this validation change is intended ?
This change will allow to create a access list without any grants role and traits role.
There was a problem hiding this comment.
Yes, creating a list without any roles or traits was part of the initial RFD
- Add Hierarchy utils for nested AccessList validation and handling - Update AccessList Protos with new fields - Update AccessList and AccessListMember types and converters with new fields
kiosion
force-pushed
the
maxim/nested-acl-protos
branch
from
111c516
to
a07fb04
Compare
|
🤖 Vercel preview here: https://docs-om8ctwyn8-goteleport.vercel.app/docs/ver/preview |
| @@ -268,6 +287,12 @@ message ReviewChanges { | |||
|
|
|||
| // AccessListStatus contains dynamic fields calculated during retrieval. | |||
| message AccessListStatus { | |||
| // member_count is the number of members in the in the Access List. | |||
| // member_count is the number of members in the Access List. | |||
| optional uint32 member_count = 1; | |||
There was a problem hiding this comment.
is this the total number of users including users that have access to it through nested access lists or just direct access list memberships?
There was a problem hiding this comment.
just direct memberships.
public-teleport-github-review-bot
bot
removed the request for review
from zmb3
Split from #38738.