Enhancement: Unified Roles Management #9727

Merged
merged 10 commits into from
Aug 27, 2024

Contributor

@fschade fschade commented Aug 4, 2024

Description

Improved management of unified roles with the introduction of default enabled/disabled states and a new command for listing available roles.

It is important to note that a disabled role does not lose previously assigned permissions;
it only means that the role is not available for new assignments.

The following roles are now enabled by default:

  • UnifiedRoleViewerID
  • UnifiedRoleSpaceViewer
  • UnifiedRoleEditor
  • UnifiedRoleSpaceEditor
  • UnifiedRoleFileEditor
  • UnifiedRoleEditorLite
  • UnifiedRoleManager

The following roles are now disabled by default:

  • UnifiedRoleSecureViewer

To enable the UnifiedRoleSecureViewer role, you must provide a list of all available roles through one of the following methods:

  • Using the UNIFIED_ROLES_AVAILABLE_ROLES environment variable.
  • Setting the available_roles configuration value.

To enable a role, include the UID of the role in the list of available roles.

A new command has been introduced to simplify the process of finding out which UID belongs to which role. The command is:

$ ocis graph list-unified-roles

The output of this command includes the following information for each role:

  • uid: The unique identifier of the role.
  • Description: A short description of the role.
  • Enabled: Whether the role is enabled or not.

+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
|                 UID                  | ENABLED  |          DESCRIPTION           |           CONDITION            |         ALLOWED RESOURCE ACTIONS         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 | enabled  | View and download.             | exists @Resource.File          | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | enabled  | View and download.             | exists @Resource.Folder        | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | enabled  | View and download.             | exists @Resource.File &&       | libre.graph/driveItem/path/read          |
|                                      |          |                                | @Subject.UserType=="Federated" | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | enabled  | View and download.             | exists @Resource.Folder &&     | libre.graph/driveItem/path/read          |
|                                      |          |                                | @Subject.UserType=="Federated" | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled  | View and download.             | exists @Resource.Root          | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/read   |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| fb6c3e19-e378-47e5-b277-9732f9de6e21 | enabled  | View, download, upload, edit,  | exists @Resource.Folder        | libre.graph/driveItem/children/create    |
|                                      |          | add and delete.                |                                | libre.graph/driveItem/standard/delete    |
|                                      |          |                                |                                | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/path/update        |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | enabled  | View, download, upload, edit,  | exists @Resource.Folder &&     | libre.graph/driveItem/children/create    |
|                                      |          | add and delete.                | @Subject.UserType=="Federated" | libre.graph/driveItem/standard/delete    |
|                                      |          |                                |                                | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/path/update        |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| 58c63c02-1d89-4572-916a-870abc5a1b7d | enabled  | View, download, upload, edit,  | exists @Resource.Root          | libre.graph/driveItem/children/create    |
|                                      |          | add and delete.                |                                | libre.graph/driveItem/standard/delete    |
|                                      |          |                                |                                | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/read   |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/versions/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/path/update        |
|                                      |          |                                |                                | libre.graph/driveItem/versions/update    |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a | enabled  | View, download and edit.       | exists @Resource.File          | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | enabled  | View, download and edit.       | exists @Resource.File &&       | libre.graph/driveItem/path/read          |
|                                      |          |                                | @Subject.UserType=="Federated" | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| 1c996275-f1c9-4e71-abdf-a42f6495e960 | enabled  | View, download and upload.     | exists @Resource.Folder        | libre.graph/driveItem/children/create    |
|                                      |          |                                |                                | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/path/update        |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| 312c0871-5ef7-4b3a-85b6-0e4074c64049 | enabled  | View, download, upload,        | exists @Resource.Root          | libre.graph/driveItem/permissions/create |
|                                      |          | edit, add, delete and manage   |                                | libre.graph/driveItem/children/create    |
|                                      |          | members.                       |                                | libre.graph/driveItem/standard/delete    |
|                                      |          |                                |                                | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/upload/create      |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/read   |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/versions/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/path/update        |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/delete |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/delete     |
|                                      |          |                                |                                | libre.graph/driveItem/versions/update    |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/update     |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/update |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/deny   |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| aa97fe03-7980-45ac-9e50-b325749fd7e6 | disabled | View only documents, images    | exists @Resource.File          | libre.graph/driveItem/path/read          |
|                                      |          | and PDFs. Watermarks will be   |                                | libre.graph/driveItem/children/read      |
|                                      |          | applied.                       |                                | libre.graph/driveItem/basic/read         |
+                                      +----------+--------------------------------+--------------------------------+------------------------------------------+
|                                      | disabled | View only documents, images    | exists @Resource.Folder        | libre.graph/driveItem/path/read          |
|                                      |          | and PDFs. Watermarks will be   |                                | libre.graph/driveItem/children/read      |
|                                      |          | applied.                       |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+

Caveats:

Role disabling 1

Let's imagine the following scenario:

  • The instance is used by a group of users.
  • User UA shares resource RA with user UB as editor.
  • After a while, the editor role is disabled by the administrator.

which leads to the following consequences:

  • The editor role is no longer available for new assignments.
  • The old share is still valid, and user UB can still edit resource RA.
  • The UI needs to show an indicator that the current role of resource RA is disabled.

we need to answer the following questions:

  • Is it ok that the old resource permissions stay intact after a role is disabled? (we should mention this in the documentation)
  • What should the UI display when a role is disabled? Should we list anything or is a "ROLE DISABLED" label enough?

ideas:

  • we could build a cli to remove disabled roles from shares and assign the next lower available role

screenshots:

  • role enabled:
    • enabled
  • role disabled:
    • disabled

Role disabling 2

With the current implementation, a disabled role is ignored in the system, as if it doesn't exist (the role, not the permissions).

This means that if a role is disabled, it is not possible to assign it, and it is not possible to check if that role is assigned.

It is also important to know that a disabled role won't be part of ANY api response, so if a share has a role assigned and that role is disabled, the user will not see that role in the response.

The same applies to requests (e.g. POST, PUT, ...): the role is considered non-existent,
and the validation fails if such a role is part of the request.

I talked to alex about this, and he said that he would prefer:

  • the role is still part of the @libre.graph.permissions.roles.allowedValues list (which is used by web to display the role dropdown), but is marked as disabled.

I'm not against that, it's a fairly simple change, but I'm not sure if it is the best approach because:

  • it will be confusing for the user to see a disabled role listed in the @libre.graph.permissions.roles.allowedValues list.
  • I think (not confirmed) it's harder to handle a disabled role than to not handle a non-existing role.

Tasks:

  • Add CLI to obtain available roles
  • Add CLI to identify enabled/disabled roles
  • Add Config to enable roles
  • Add Config validation for: unknown roles
  • Add Unit tests
  • FixMe comments, need to bring some light into the dark
  • API: do not accept "invite" calls with role ids which are not configured
  • Enable "Secure Viewer" in the CI ENV
  • Answer Caveats
  • Add Documentation and raise ticket

Related Issue

How Has This Been Tested?

  • unit tests
  • acceptance tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)


update-docs bot commented Aug 4, 2024

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@fschade fschade changed the title enhancement: unified-role management Enhancement: Unified Roles Management Aug 4, 2024
@fschade fschade force-pushed the toggle-unified-roles branch 6 times, most recently from c158848 to 03dc9c3 Compare August 8, 2024 10:18
Contributor Author

fschade commented Aug 8, 2024

@AlexAndBear, @JammingBen, @kulmann, @butonic, @tbsbdr FYI:

the task could lead to some side-effects, please read my description above, especially the caveats (role disabling 1 & 2).
The PR is still in draft state, even if the CI is green we need to answer the questions first.

I'm on vacation tomorrow, I will be back on Monday, happy to get some feedback.

Contributor

JammingBen commented Aug 9, 2024

the role is still part of the @libre.graph.permissions.roles.allowedValues list (which is used by web to display the role dropdown), but is marked as disabled.

I don't like that. The sole purpose of this field is to indicate which roles can be used for sharing. Since a disabled role can't be used though, it would be very confusing.

Still, we need to somehow inform the user about the permissions of a disabled role. Simply naming it "Disabled role" won't be enough I think. Is there a way to get this kind of information? Web is querying all graph permissions globally via /graph/v1beta1/roleManagement/permissions/roleDefinitions. Maybe change that endpoint to deliver all roles (activated & deactivated) and include a new property deactivated? Then Web could simply check against that list if the role of a given share is disabled or not.

In general, how I would expect the API: The server always provides a role for an existing share, no matter if enabled or disabled. It also provides all roles via the global roleDefinitions. The allowedValues property however does only include, well, allowed roles = no disabled roles. This would guarantee that disabled roles can't be used for creating/editing shares, but existing roles can still be displayed with all necessary information.

Also, note that #9765 adds two more role definitions for OCM. I guess those will be deactivated by default? In this case we need to add this to the OCM documentation. And we need to think about the case when OCM is enabled without the OCM roles. Which basically means that no OCM shares can be created.

Contributor Author

fschade commented Aug 12, 2024

I talked to @butonic today, and we came to the point that a role is nothing more than a set of permissions.
The role name and id are just syntactic sugar for the user to understand what the role is about.

Therefore, it makes little sense to list a disabled role via /graph/v1beta1/roleManagement/permissions/roleDefinitions.

Right after that, @tbsbdr, @JammingBen and I had a discussion about what we should do with the roles that are not enabled anymore (e.g., the role permissions).

We came to the solution that we list permissions in the sharing dialog if there is no matching role (that only applies to orphaned role-permissions).

Jannik and I will pair on it tomorrow and make it happen.
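
The behaviour discussed in the PR description (an available-roles list, config validation for unknown UIDs, rejecting unavailable role ids in requests) and in the comment above (a role is only a set of permissions; orphaned permissions are listed when no role matches), as an added Go sketch that is not code from this PR or from oCIS. The `Role` and `Registry` types and their methods are hypothetical; the UIDs and actions are copied from the `list-unified-roles` output above, restricted to the `exists @Resource.File` condition.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Role is a hypothetical, simplified unified role: a UID naming a set of actions.
type Role struct {
	UID, Description string
	Actions          []string
}

// acts expands short names to the libre.graph/driveItem/... form used in the table.
func acts(names ...string) []string {
	out := make([]string, len(names))
	for i, n := range names {
		out[i] = "libre.graph/driveItem/" + n
	}
	return out
}

// builtinRoles: three rows copied from the list-unified-roles output on this
// page ("exists @Resource.File" condition only); the real table has more.
var builtinRoles = []Role{
	{"b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5", "View and download.",
		acts("path/read", "quota/read", "content/read", "children/read", "deleted/read", "basic/read")},
	{"2d00ce52-1fc2-4dbc-8b95-a73b73395f5a", "View, download and edit.",
		acts("path/read", "quota/read", "content/read", "upload/create", "children/read", "deleted/read", "deleted/update", "basic/read")},
	{"aa97fe03-7980-45ac-9e50-b325749fd7e6", "View only documents, images and PDFs. Watermarks will be applied.",
		acts("path/read", "children/read", "basic/read")},
}

var (
	ErrUnknownRole      = errors.New("available roles: unknown role UID")
	ErrRoleNotAvailable = errors.New("role is not available for assignment")
)

// key builds an order-independent fingerprint of an action set.
func key(actions []string) string {
	s := append([]string(nil), actions...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// Registry holds only the roles the administrator listed as available.
type Registry struct{ byUID, byActions map[string]Role }

// NewRegistry validates the configured UID list; an unknown UID is a
// configuration error, not something to skip silently.
func NewRegistry(availableUIDs []string) (*Registry, error) {
	known := map[string]Role{}
	for _, r := range builtinRoles {
		known[r.UID] = r
	}
	reg := &Registry{byUID: map[string]Role{}, byActions: map[string]Role{}}
	for _, uid := range availableUIDs {
		r, ok := known[uid]
		if !ok {
			return nil, fmt.Errorf("%w: %q", ErrUnknownRole, uid)
		}
		reg.byUID[uid] = r
		reg.byActions[key(r.Actions)] = r
	}
	return reg, nil
}

// ValidateInvite rejects a request naming a role that is not available,
// exactly as it would reject a role that does not exist.
func (reg *Registry) ValidateInvite(roleUIDs []string) error {
	for _, uid := range roleUIDs {
		if _, ok := reg.byUID[uid]; !ok {
			return fmt.Errorf("%w: %q", ErrRoleNotAvailable, uid)
		}
	}
	return nil
}

// Present maps a share's stored actions to an available role UID. For an
// orphaned permission set it returns "" plus the raw actions to list instead.
func (reg *Registry) Present(actions []string) (string, []string) {
	if r, ok := reg.byActions[key(actions)]; ok {
		return r.UID, nil
	}
	return "", actions
}

func main() {
	viewer, editor := builtinRoles[0], builtinRoles[1]
	granted := editor.Actions                   // UA shared RA with UB using the editor role
	reg, _ := NewRegistry([]string{viewer.UID}) // editor role no longer listed
	uid, raw := reg.Present(granted)
	fmt.Printf("role=%q, %d actions still granted\n", uid, len(raw))
	fmt.Println("new invite:", reg.ValidateInvite([]string{editor.UID}))
}
```

The existing grant is untouched when the role leaves the available list: only the label disappears and new assignments of that UID are refused, which is why an audit of already-shared resources has to look at the stored actions, not at role names.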

@fschade fschade force-pushed the toggle-unified-roles branch 3 times, most recently from 84e8931 to a559fed Compare August 13, 2024 08:51
@fschade fschade mentioned this pull request Aug 16, 2024
9 tasks
From now on, not all unified roles are enabled by default; instead, the available roles are hand-picked in the default setup.

For advanced use-cases, the administrator is able to enable the desired set of available roles.

Picking roles is not easy since the uid is NOT human-readable, therefore a CLI is contained which lists the available, disabled and enabled roles.
@fschade fschade marked this pull request as ready for review August 21, 2024 12:15
…g space permissions to libregraph permissions
Collaborator

@kobergj kobergj left a comment

Needs a section in the graph readme. If you just copy your changelog you already have 90% imo.

cc @mmattel

services/graph/pkg/config/unified_roles.go (outdated, resolved)
services/graph/pkg/validate/libregraph.go (outdated, resolved)
services/graph/pkg/unifiedrole/roles.go (resolved)
@fschade fschade requested a review from kobergj August 23, 2024 09:58
Collaborator

@kobergj kobergj left a comment

Looks good codewise but please talk to @mmattel if and how we need to document this.

@JammingBen
Contributor

Sorry for the accidental close - merging owncloud/web#11387 caused this because of the GitHub "fixes" keyword.

Contributor

mmattel commented Aug 23, 2024

@fschade with regards to documentation:

  • There is an ocis page that fits for documenting CLI stuff; it can be found in ocis/README.md. This page contains all CLI commands that are not part of a service. Pls start adding CLI related content in that readme.
    In admin docs, we have a page that collects all CLI maintenance commands, gives a brief overview and either references the respective service for details or directs to an own page describing the command if not part of a service.
  • As role management is, as far as I have read, part of the graph service, start documenting the functionality in the services/graph/README.md.

I will of course help you and when set take care for the admin docs part as usual 😄

@fschade fschade disabled auto-merge August 27, 2024 15:44

sonarcloud bot commented Aug 27, 2024

@fschade fschade merged commit cbf1478 into owncloud:master Aug 27, 2024
4 checks passed
ownclouders pushed a commit that referenced this pull request Aug 27, 2024
Enhancement: Unified Roles Management
@micbar micbar mentioned this pull request Sep 12, 2024
18 tasks
Successfully merging this pull request may close these issues.

[oCIS] Make the list of Unified Roles configurable