Skip to content

Add boolean fleet_viewer and silo_admin to /v1/me response #8861

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
david-crespo merged 2 commits into from
Aug 20, 2025
Merged

Add boolean fleet_viewer and silo_admin to /v1/me response #8861

david-crespo merged 2 commits into from
Aug 20, 2025

Conversation

@david-crespo
Copy link
Contributor

@david-crespo david-crespo commented Aug 19, 2025
edited
Loading

Dramatically simpler alternative to #8515. Rather than doing the rigmarole required to get the actual specific role on the fleet and silo, we just do little authz checks to get the specific things we care about. The web console is the only consumer that cares about this endpoint so it feels fine to do it that way.

@david-crespo david-crespo mentioned this pull request Aug 19, 2025
Closed
jmpesp
jmpesp reviewed Aug 19, 2025
View reviewed changes
nexus/src/external_api/http_entrypoints.rs Outdated
Comment on lines 7158 to 7165
fleet_viewer: opctx
.authorize(authz::Action::Read, &authz::FLEET)
.await
.is_ok(),
silo_admin: opctx
.authorize(authz::Action::Modify, &authz_silo)
.await
.is_ok(),
Copy link
Contributor

@jmpesp jmpesp Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about a separate field (or array) for each action type? will clients ever need more information, like "what if this user has read but not modify on a silo?"

Copy link
Contributor Author

@david-crespo david-crespo Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently everyone has silo viewer on their silo. The distinction between silo collaborator and silo admin could be come relevant (or fleet viewer and fleet admin), but I can't think of a case in the client where we need to know that yet. I am inclined to not bother until we need it.

jmpesp
jmpesp approved these changes Aug 19, 2025
View reviewed changes
Copy link
Contributor

@jmpesp jmpesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like the simplicity of this 🚀

@david-crespo david-crespo merged commit c52ed36 into main Aug 20, 2025
17 checks passed
@david-crespo david-crespo deleted the add-perms-session-me branch August 20, 2025 02:59
@david-crespo david-crespo mentioned this pull request Aug 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmpesp jmpesp jmpesp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@david-crespo @jmpesp