[CHEF-1685] WIP - allow org-admins to modify organizations #3927
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
👷 Deploy Preview for chef-server processing.
|
marcparadise
force-pushed
the
CHEF-1685/expand-server-admins-capabilities
branch
2 times, most recently
from
5fc71b4
to
ffc2925
Compare
marcparadise
commented
Oct 17, 2024
| @@ -441,7 +443,23 @@ is_authorized(Req, State, Extractor) -> | |||
| end; | |||
| {false, ReqOther, StateOther} -> | |||
| %% FIXME: the supported version is determined by the chef_authn application | |||
| %% also, see: https://wiki.corp.chef.io/display/CORP/RFC+Authentication+Version+Negotiation | |||
There was a problem hiding this comment.
^ removed because this link is dead, and I can find no replacement for it in the new wiki.
In addition to give org-admins permissions to CRUD organizations, this removes the requirement that in order to modify an organization, the actor must be a member of the organization. However, they must still have appropriate permissions to perform any CRUD action related to an organization. This supports the multi-tenancy case where a customer has many organizations to manage but does not necessarily need to admins to be a part of those organizations. The primary use case is SaaS offering , in which customers have full control over a chef server installation but do not have local/chef-server-ctl access, and must keep the pivotal key locked down for security purposes. This functionality is already available using the pivotal/superuser key, but the pivotal key should not be widely distributed. This functionality was also originally intended to be available to org-admins but the completion of that work was never prioritized. Signed-off-by: Marc A. Paradise <[email protected]>
marcparadise
force-pushed
the
CHEF-1685/expand-server-admins-capabilities
branch
from
ffc2925
to
172b8d0
Compare
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In addition to give org-admins permissions to CRUD organizations, this removes the requirement that in order to modify an organization, the actor must be a member of the organization.
However, they must still have appropriate permissions to perform any CRUD action related to an organization.
This supports the multi-tenancy case where a customer has many organizations to manage but does not necessarily need to admins to be a part of those organizations. The primary use case is SaaS offering , in which customers have full control over a chef server installation but do not have local/chef-server-ctl access, and must keep the pivotal key locked down for security purposes.
This functionality is already available using the pivotal/superuser key, but the pivotal key should not be widely distributed. This functionality was also originally intended to be available to org-admins but the completion of that work was never prioritized.