Fix "project" (silo) IP pool view perms for non-admins #5887
Conversation
```rust
// But what we really want to say is that any authenticated user has
// actual Read permission on any IP pool linked to their silo.
.fetch_for(authz::Action::CreateChild)
.await?;
```
🤔
```rust
const PROJECT_NAME: &str = "myproj";
create_project(client, PROJECT_NAME).await;
let silo_url = format!("/v1/system/silos/{}", cptestctx.silo_name);
let silo: Silo = object_get(client, &silo_url).await;
```
None of this is particularly interesting — I'm just setting up a silo with a non-admin user and hitting IP pool list and view.
```rust
let pool = NexusRequest::object_get(client, &url)
    .authn_as(AuthnMode::SiloUser(user.id))
    .execute_and_parse_unwrap::<SiloIpPool>()
    .await;
```
This fails due to 404 without the fix in the app code.
Closes #5883
Authz for IP pools is undercooked. Every user has `CreateChild` on them so they can allocate IPs, but they generally don't have `Read` on them unless they're a fleet viewer. Ideally, we'd be able to say "you have `Read` on an IP pool if it is linked to your silo", but I don't know how to express that relationship with polar (plus it requires a join to the silo-pool links table to tell).

Update: after discussing this with @davepacheco in chat, we agreed on a direction but also agreed it might be fairly complicated. Based on that, I think it would be most expedient to
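The rule the description wants ("you have `Read` on an IP pool if it is linked to your silo") can be stated as a join over a silo-pool links table even if polar cannot express it. The block below is an added, self-contained model of that rule; it is not omicron's own authz code. `Actor`, `PoolLinks`, `FleetRole` and `authorize` are hypothetical names chosen here, and the sample links are constructed inline.

```rust
use std::collections::HashSet;

// Hypothetical identifiers standing in for the real silo and pool IDs.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct SiloId(pub u32);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct PoolId(pub u32);

// The two actions the PR description talks about.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action {
    Read,
    CreateChild,
}

// Fleet-level role, reduced to the one case that matters for Read on a pool.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FleetRole {
    None,
    Viewer,
}

// An authenticated caller: which silo they belong to and any fleet role.
#[derive(Clone, Debug)]
pub struct Actor {
    pub silo: SiloId,
    pub fleet_role: FleetRole,
}

// Stand-in for the silo-pool links table: one row per (silo, pool) link.
// The membership test below is the join the description says polar cannot do.
#[derive(Default, Debug)]
pub struct PoolLinks {
    rows: HashSet<(SiloId, PoolId)>,
}

impl PoolLinks {
    pub fn link(&mut self, silo: SiloId, pool: PoolId) {
        self.rows.insert((silo, pool));
    }

    pub fn is_linked(&self, silo: SiloId, pool: PoolId) -> bool {
        self.rows.contains(&(silo, pool))
    }
}

/// Decide whether `actor` may perform `action` on `pool`.
///
/// - CreateChild: every authenticated user, so they can allocate IPs.
/// - Read: fleet viewers, or anyone whose silo is linked to the pool.
pub fn authorize(actor: &Actor, action: Action, pool: PoolId, links: &PoolLinks) -> bool {
    match action {
        Action::CreateChild => true,
        Action::Read => {
            actor.fleet_role == FleetRole::Viewer || links.is_linked(actor.silo, pool)
        }
    }
}

fn main() {
    // Constructed sample data: pool 10 is linked to silo 1 only.
    let mut links = PoolLinks::default();
    links.link(SiloId(1), PoolId(10));

    let silo_user = Actor { silo: SiloId(1), fleet_role: FleetRole::None };
    let outsider = Actor { silo: SiloId(2), fleet_role: FleetRole::None };
    let viewer = Actor { silo: SiloId(2), fleet_role: FleetRole::Viewer };

    for (name, actor) in [("silo user", &silo_user), ("outsider", &outsider), ("viewer", &viewer)] {
        println!(
            "{name}: read={} create_child={}",
            authorize(actor, Action::Read, PoolId(10), &links),
            authorize(actor, Action::CreateChild, PoolId(10), &links),
        );
    }
}
```

The outsider case is the one the test in this PR exercises: a non-admin silo user looking at a pool linked to their own silo should get the pool back, while a user from an unlinked silo should not, and a fleet viewer should see it regardless of links.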