Global roles propagated to tenants #395

Merged
merged 45 commits into from
Jul 30, 2024

@byewokko byewokko commented Jun 24, 2024

closes #357

Summary

  • Introduce global roles that can be assigned within each tenant individually.

Compatibility

Propagated global roles

  • Propagated global roles are global roles created with attribute propagated=true.
  • They are propagated into all tenants and can be assigned and unassigned in each tenant independently.
  • The propagated roles look like regular tenant roles, apart from having a ~ after the slash in their ID. E.g. a global role called */reader is propagated as mytenant/~reader, yourtenant/~reader etc.
  • Modifying these roles requires superuser privileges (as with regular global roles). The propagated flag is not editable after role creation. Changes to the global role propagate immediately to its propagated tenant roles.
  • Modifying the propagated tenant roles is not possible.

Tech details

  • Role service uses three types of RoleView class - global, global propagated and tenant - for listing, searching and getting the three different types of roles.
  • Introduced SessionContext, a context variable that holds the auth session of the request.
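
The ID convention and edit rules from the description above, as an added example that is not code from this pull request or from the project. The function names, the `RoleRef` type and the tenant-admin rule for ordinary tenant roles are assumptions.

```python
from dataclasses import dataclass

GLOBAL_SCOPE = "*"     # scope part of a global role ID, e.g. "*/reader"
PROPAGATED_MARK = "~"  # follows the slash in a propagated tenant role ID


@dataclass(frozen=True)
class RoleRef:  # hypothetical helper type, not a class from the project
    scope: str  # "*" or a tenant ID
    name: str   # role name without the "~" marker
    kind: str   # "global", "propagated" or "tenant"


def parse_role_id(role_id: str) -> RoleRef:
    """Split "<scope>/<name>" and classify the role by the ID convention."""
    scope, sep, name = role_id.partition("/")
    if not sep or not scope or name in ("", PROPAGATED_MARK):
        raise ValueError(f"malformed role ID: {role_id!r}")
    if scope == GLOBAL_SCOPE:
        return RoleRef(scope, name, "global")
    if name.startswith(PROPAGATED_MARK):
        return RoleRef(scope, name[1:], "propagated")
    return RoleRef(scope, name, "tenant")


def propagated_id(global_role_id: str, tenant: str) -> str:
    """ID under which a propagated global role appears inside `tenant`."""
    ref = parse_role_id(global_role_id)
    if ref.kind != "global":
        raise ValueError("only global roles are propagated")
    return f"{tenant}/{PROPAGATED_MARK}{ref.name}"


def may_modify(role_id: str, is_superuser: bool, admin_of=frozenset()) -> bool:
    """Edit decision following the rules in the PR description."""
    ref = parse_role_id(role_id)
    if ref.kind == "propagated":
        return False  # edits go through the global role, never the tenant copy
    if ref.kind == "global":
        return is_superuser
    # Assumption (not stated in the PR): tenant roles are editable by
    # superusers and by admins of that tenant.
    return is_superuser or ref.scope in admin_of


# Constructed sample IDs, taken from the naming example in the description.
if __name__ == "__main__":
    for rid in ("*/reader", "mytenant/~reader", "mytenant/editor"):
        print(rid, parse_role_id(rid).kind, may_modify(rid, is_superuser=True))
```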

@byewokko added the "enhancement" label (New feature or request) Jun 24, 2024
@byewokko self-assigned this Jun 24, 2024
@byewokko changed the title from "Shared roles (Globally defined roles scoped for individual tenants)" to "Shared roles - Globally defined roles scoped to individual tenants" Jun 24, 2024
@byewokko changed the title from "Shared roles - Globally defined roles scoped to individual tenants" to "Globally defined roles scoped to individual tenants" Jul 9, 2024
@byewokko changed the title from "Globally defined roles scoped to individual tenants" to "Globally defined tenant roles" Jul 9, 2024
@byewokko changed the title from "Globally defined tenant roles" to "Global roles propagated to tenants" Jul 17, 2024
@byewokko byewokko requested a review from ateska July 23, 2024 12:24
@byewokko byewokko marked this pull request as ready for review July 23, 2024 12:30

@ateska ateska left a comment

Remark to naming, otherwise mergeable.

seacatauth/authz/role/view/global_propagated_role.py (outdated, resolved)
@byewokko byewokko merged commit f069222 into main Jul 30, 2024
5 checks passed
@byewokko byewokko deleted the feature/shared-roles branch July 30, 2024 12:16

Successfully merging this pull request may close these issues.

Propagate global roles as tenant roles