COST-4764 Set lower level rbac roles when only top level are set for OpenShift cluster/node/project #5020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lcouzens
added
the
smoke-tests
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #5020 +/- ##
=======================================
- Coverage 94.1% 94.1% -0.0%
=======================================
Files 377 377
Lines 31230 31237 +7
Branches 3709 3713 +4
=======================================
+ Hits 29390 29393 +3
- Misses 1171 1174 +3
- Partials 669 670 +1 |
|
What is being fixed? Should we be allowing partial matching when filtering? I don't think we should because this was explicitly disallowed with this issue: |
lcouzens
force-pushed
the
COST-4764-fix-rbac-filtering
branch
from
cf26bfd to
27ae496
Compare
lcouzens
changed the title
bacciotti
previously approved these changes
Apr 8, 2024
maskarb
reviewed
Apr 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Jira Ticket
COST-4764
Description
This change will fix partial matching for things like project/node filtering with a higher level rbac roles such as cluster by explicitly implying the correct lower level role accordingly.
Example:
If you restrict to a single cluster this change will set node and project role to * (Access all items beneath that cluster)
Testing
python koku/manage.py shellfrom koku.rbac import _apply_access_apply_access({'openshift.cluster': [{'operation': 'read', 'resources': ['test_cluster']}]})*for node/projectAdditional testing:
Try various access settings such as node and project levels:
_apply_access({'openshift.cluster': [{'operation': 'read', 'resources': ['test_cluster']}], 'openshift.node': [{'operation': 'read', 'resources': ['test_node']}]})_apply_access({'openshift.cluster': [{'operation': 'read', 'resources': ['test_cluster']}], 'openshift.node': [{'operation': 'read', 'resources': ['test_node']}], 'openshift.project': [{'operation': 'read', 'resources': ['test_project']}]})really adventurous you can try these too
'openshift.node': [{'operation': 'read', 'resources': ['test_node']}]result:
'openshift.cluster': {'read': []},
'openshift.node': {'read': ['test_node]},
'openshift.project': {'read': ['*']},
'openshift.project': [{'operation': 'read', 'resources': ['test_project']}]result:
'openshift.cluster': {'read': []},
'openshift.node': {'read': []},
'openshift.project': {'read': ['test_project']},
Release Notes