Add platform-viewer role #2186

Closed (7 commits)

Conversation

shreddedbacon (Member):

Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated
  • PR title is ready for changelog and subsystem label(s) applied

This adds a new role to keycloak called platform-viewer.
The role has only the ability to:

  • view logs in elasticsearch
  • view projects in lagoon and associated
    • environments
    • deployments
    • tasks
    • backups
    • facts
    • problems
  • view notifications
  • view groups
  • view ssh keys

Closing issues

Put closes #XXXX in your comment to auto-close the issue that your PR fixes (if such).

@shreddedbacon shreddedbacon added the 1-api-auth API & Authentication subsystem label Sep 4, 2020
@@ -139,6 +139,8 @@ function configure_api_client {
# Setup platform wide roles.
/opt/jboss/keycloak/bin/kcadm.sh create roles --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s name=platform-owner
/opt/jboss/keycloak/bin/kcadm.sh add-roles --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} --rname admin --rolename platform-owner
/opt/jboss/keycloak/bin/kcadm.sh create roles --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s name=platform-viewer
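Review bot: the new `create roles` call sits inside configure_api_client, which the review comment on this PR describes as guarded to run once per install, so a realm that already exists will never receive platform-viewer, and because kcadm's `create roles` exits non-zero on a duplicate name, an unguarded re-run on a fresh realm would abort the startup script. Move the line into its own configure_* function that first runs `kcadm.sh get roles/platform-viewer --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master}` and returns early when the role is present. Also, unlike platform-owner on the line above, which is bound via `add-roles`, platform-viewer is only created here; the view-only policies the PR description promises (the View Task permission change mentioned in review) are not in this hunk and should land in the same guarded function.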
Member (reviewer):
This script runs on every keycloak startup and needs to be idempotent. It also has to handle both use cases of installing a fresh keycloak (new cluster, CI, etc.) and updating existing ones (e.g. prod). For those reasons, every function in here is designed to be run only once per keycloak install. And the order of functions is handled in the main configure_keycloak function.

The update mechanism is handled by first checking if some data exists that would've been created by the function and bailing if it is. It works kind of like drupal update_N functions but without the nice hook_install that can give you a nice fresh start DX. So your changes to configure_api_client won't get made to a production keycloak because of this check.

All your changes here need to get moved to a new function, check that it will only be run once, and called from configure_keycloak. Any changes that are additions, you can just copy/paste, but anytime you modify an existing resource, you'll have to figure out how to do an edit in place (like changing the policies on the View Task permission). You can check the other functions for examples for editing resources.

Also, this is not the first time this has come up, so maybe you can add a comment at the top of this file, or in configure_keycloak that explains it to save someone else (I also thought I did that, or suggested that already, but can't find any evidence so 🤷).
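The once-only guard the reviewer describes, as an added example rather than Lagoon's own keycloak startup script: a configure_* step that checks for the resource it would create and bails if it is already there, next to the unguarded form the hunk uses. Assumptions not taken from the PR: kcadm.sh is at `$KCADM`, `kcadm.sh get roles/<name>` exits non-zero when the role is absent, and `kcadm.sh create roles` exits non-zero when the name exists. `fake_kcadm`, `FAKE_STATE` and `simulate_two_startups` are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example, not Lagoon's keycloak startup script: one configure_* step
# written to the once-only pattern described in the review. Assumptions
# (not from the PR): kcadm.sh lives at $KCADM, `kcadm.sh get roles/<name>`
# exits non-zero when the role is absent, and `kcadm.sh create roles` exits
# non-zero when the name already exists. fake_kcadm and FAKE_STATE are a
# constructed stand-in so the script runs offline.

KCADM="${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}"
CONFIG_PATH="${CONFIG_PATH:-/tmp/kcadm.config}"
KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"

# Existence check that drives the guard: 0 if the realm role is present.
role_exists() {
  "$KCADM" get "roles/$1" --config "$CONFIG_PATH" -r "$KEYCLOAK_REALM" >/dev/null 2>&1
}

# What the hunk does: fine on a fresh realm, but the second startup errors
# because the role is already there, and the startup script aborts.
create_platform_viewer_unguarded() {
  "$KCADM" create roles --config "$CONFIG_PATH" -r "$KEYCLOAK_REALM" -s name=platform-viewer
}

# Once-only version: bail if the resource this step creates already exists,
# so an existing realm picks it up on the next restart and every later
# restart is a no-op. Edits to existing resources need their own in-place
# check here instead of a plain create.
configure_platform_viewer() {
  if role_exists platform-viewer; then
    echo "platform-viewer role already present, skipping" >&2
    return 0
  fi
  "$KCADM" create roles --config "$CONFIG_PATH" -r "$KEYCLOAK_REALM" \
    -s name=platform-viewer \
    -s description="Read-only platform role"
}

# Constructed offline stand-in for kcadm.sh: realm roles live one per line
# in a temp file. Select it with KCADM=fake_kcadm.
FAKE_STATE="${FAKE_STATE:-$(mktemp)}"
fake_kcadm() {
  case "$1 $2" in
    "get roles/"*)
      grep -qx -- "${2#roles/}" "$FAKE_STATE" ;;
    "create roles")
      shift 2
      name=""
      for arg in "$@"; do
        case "$arg" in name=*) name="${arg#name=}" ;; esac
      done
      if grep -qx -- "$name" "$FAKE_STATE"; then
        echo "Role with name $name already exists" >&2   # stands in for Keycloak's 409
        return 1
      fi
      echo "$name" >>"$FAKE_STATE" ;;
    *)
      echo "fake_kcadm: unsupported call: $*" >&2
      return 1 ;;
  esac
}

# Run one step twice against an empty fake realm, as two Keycloak startups
# would. Prints "<exit status of second run>:<number of roles in realm>".
simulate_two_startups() {
  saved_kcadm="$KCADM"
  KCADM=fake_kcadm
  : >"$FAKE_STATE"
  "$1"
  "$1" && second=0 || second=$?
  KCADM="$saved_kcadm"
  echo "$second:$(wc -l <"$FAKE_STATE" | tr -d ' ')"
}

if [ "${1:-}" = "--demo" ]; then
  echo "unguarded: $(simulate_two_startups create_platform_viewer_unguarded)"   # 1:1
  echo "guarded:   $(simulate_two_startups configure_platform_viewer)"          # 0:1
fi
```

Run `sh guarded_role.sh --demo` to see the two outcomes offline: the unguarded step leaves one role but fails on the second startup, the guarded step leaves one role and exits 0 both times. Against a real Keycloak, log in with `kcadm.sh config credentials` first so `$CONFIG_PATH` holds a session, then call `configure_platform_viewer` from the main configure function in the order the other steps expect.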

shreddedbacon (Member Author):

Ahh, did not know this about the startup script.
I'll adjust accordingly. Thanks!

@tobybellwood tobybellwood added lagoon-one and removed 1-api-auth API & Authentication subsystem labels May 24, 2021
@tobybellwood tobybellwood modified the milestone: v3.0.0 May 24, 2021
shreddedbacon (Member Author):

Closing this one off, we can re-evaluate this later on if required.

3 participants