-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Introduce Role-Based Authentication for Repository Management #1060
base: main
Are you sure you want to change the base?
Conversation
Motivation To ensure smooth compatibility with line#1060, the `PerRolePermissions` and `RepositoryMetadata` structure need an update to support changes. Modifications: - Enhanced the `PerRolePermissions` and `RepositoryMetadata` deserializers to accept both an array or permissions and a permission. - Added `REPO_ADMIN` `Permission`. - Removed `MetadataApiService.updateSpecificUserPermission` and `updateSpecificTokenPermission`. - They are not used in the UI and we don't even have test cases for that. - Will add those APIs later when we need it. Result: - The `PerRolePermissions` and `RepositoryMetadata` structures now support the upcoming changes in line#1060.
@RequiresRole(roles = { ProjectRole.OWNER, ProjectRole.MEMBER }) | ||
public CompletableFuture<ProjectMetadata> getProjectMetadata( | ||
@Param String projectName, | ||
@Param("checkPermissionOnly") @Default("false") boolean isCheckPermissionOnly) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This parameter was introduced here but has not been used anywhere. Let me just remove that.
// } | ||
// } | ||
// } | ||
final JsonPointer path = JsonPointer.compile("/repos" + encodeSegment(repoName) + "/roles/projects"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand that this code will be applied after the migration is complete.
// } | ||
// "tokens": { | ||
// "my-token": "WRITE" | ||
// } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// } | |
// "tokens": { | |
// "my-token": "WRITE" | |
// } | |
// }, | |
// "tokens": { | |
// "my-token": "WRITE" | |
// }, |
// } | ||
// } | ||
// } | ||
final JsonPointer path = JsonPointer.compile("/repos" + encodeSegment(repoName) + "/roles/projects"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: It would be nice to have a DSL/builder to build a JSON pointer type-safely. Let's consider it later.
JsonPointers
.meta()
.repos(repoName)
.roles()
.projects()
.compile();
JsonPointers
.meta()
.members(repoName)
.compile();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good suggestion. By the way, this PR is in WIP and I forgot to tell you about it.
Would you mind reviewing #1064, beforehand?
return repositoryMetadata.perRolePermissions().guest(); | ||
@Nullable | ||
private static RepositoryRole repositoryRole(Roles roles, @Nullable RepositoryRole repositoryRole, | ||
@Nullable ProjectRole projectRole) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
projectRole
seems not null always in the current usage.
@Nullable ProjectRole projectRole) { | |
ProjectRole projectRole) { |
if (memberOrGuestRole == null) { | ||
return repositoryRole; | ||
} | ||
if (memberOrGuestRole == RepositoryRole.WRITE || repositoryRole == RepositoryRole.WRITE) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's say a-member-user
is granted to READ
role and projects.member
is granted to WRITE
. Is WRITE
given for a-member-user
?
{
"repos": {
"my-repo": {
"name": "my-repo",
"roles": {
"users": {
"a-member-user": "READ"
}
"projects": {
"member": "WRITE",
...
}
}
}
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is WRITE given for a-member-user?
That is correct, as similar to how GitHub handles it.
The role with the highest authority will take precedence.
|
||
@Override | ||
public String toString() { | ||
return MoreObjects.toStringHelper(this).omitNullValues() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
return MoreObjects.toStringHelper(this).omitNullValues() | |
return MoreObjects.toStringHelper(this) |
Motivation:
To address the migration of mirroring configurations from projects to repositories and to simplify access management,
we decided to:
RepositoryRole
(READ
,WRITE
,ADMIN
). TheADMIN
role has access to the configurations.This change resolves the issue where users with
WRITE
permission for the meta repository were limited to creating mirroring configurations.With
RepositoryRole
, access becomes more structured and extensible for future enhancements (e.g., introducing custom roles). While permission-based authentication is replaced here, this does not preclude the future coexistence of role-based and permission-based systems.Modifications:
RepositoryRole
with hierarchical roles (READ
,WRITE
,ADMIN
).RequiresPermission
annotations withRequiresRepositoryRole
.RequiresRole
toRequiresProjectRole
.ProjectRole
, utilizing the hierarchical model to avoid redundant role specifications.Result:
To-do:
Migration plan: