Groups: share workspaces and registries with groups (native + OIDC) by tylerpotts · Pull Request #346 · nebari-dev/nebi

tylerpotts · 2026-05-11T22:26:17Z

Summary

Closes #293.
Closes #72

New Group primitive with native (admin-managed) and OIDC-synced sources.
Workspace share, registry access, and the admin role can now be granted to groups.
Casbin matcher switched from r.sub == p.sub to g(r.sub, p.sub) so existing direct policies still match and group memberships resolve transitively. Regression test included.
OIDC groups claim drives JIT membership reconciliation on every login. Refuses to merge claims into existing native groups to prevent permanent untracked grants (regression test included).
Admin Groups page, ShareDialog gains a User/Group tabbed selector, user-management shows each user's groups.
Full Swagger godoc on the new handlers; ui.md and server-setup.md updated.

Deviations from the issue

Matcher rewrite is required (issue claimed it wasn't). Backward compatible because Casbin treats g(x, x) as true.
DB + Casbin writes are sequential, not transactional (mirrors existing per-user pattern at `workspace_permissions.go:73`).
Group-as-admin policy uses (\"admin\", \"admin\") to match existing admin scheme (issue said `"*"`).
Collaborators API returns a flat list with kind discriminator instead of separate `users[]`/`groups[]`.
OIDC claims do not merge into native groups — silently joining an admin-managed native group via an IdP claim would create permanent untracked grants (phase-2 reconcile only considers `source=oidc`).

Bugs caught during manual walkthrough (already fixed in this branch)

`WorkspaceService.List` did not consider group-mediated permissions — workspaces shared with a group did not appear in members' workspace lists. Fixed in `081cace`.
ShareDialog group picker hid all groups from admins not in those groups. Fixed by using the existing `useIsAdmin` hook to source from `/admin/groups` for admins, `/groups/me` for non-admins (`2ffc541`).

Test plan

`make test` passes (`./internal/...` only — `cmd/nebi` E2E failures are pre-existing pixi-on-macOS-arm64 issues).
`cd frontend && npm run test && npm run lint && npx tsc -b` passes (146/146 tests).
Manual: native group sharing flow — group creation, member add/remove, share workspace with group, member sees workspace, remove share.
Manual: admin-bypass — admin can share with groups they're not in.
Manual: non-admin owner can only share with groups they're a member of.
Manual: OIDC sync — login with `groups` claim creates groups + memberships; subsequent login without a claim removes the membership; group row preserved.
Manual: OIDC claim naming an existing native group does NOT add the user to the native group (server logs warn).
Manual: `/admin/users` shows the new Groups column with native/OIDC badge styling.

Known follow-ups (not blocking)

Extract a `CollaboratorRow` subcomponent in ShareDialog (currently a ~55-line inline ternary).
Add a happy-path test for the group-share submit flow in `ShareDialog.test.tsx`.
Collaborators tab (`WorkspaceDetail.tsx` line ~691) currently only renders user collaborators — could render groups inline as well.

🤖 Implemented with Claude Code

…pPolicies

…heck asserts

…pSvc param

…signature

…ail scope

…Management

…il counts

WorkspaceService.List() was only querying the per-user permissions table, so workspaces shared with a group never appeared in the user's listing even though Casbin's CanReadWorkspace correctly returned true. Now also unions in workspaces whose group_permissions row references any group the user belongs to (resolved via Casbin grouping rules).

…on User)

netlify · 2026-05-11T22:26:23Z

✅ Deploy Preview for nebi-docs ready!

Name	Link
🔨 Latest commit	`13e4713`
🔍 Latest deploy log	https://app.netlify.com/projects/nebi-docs/deploys/6a1d23551a729e0009d9a9d1
😎 Deploy Preview	https://deploy-preview-346--nebi-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Task 9 instrumented HandleCallback (browser OAuth) and ExchangeIDToken (device flow), but missed the proxy-cookie flow used by gateway-proxied deployments — SessionFromProxy and the Middleware fallback path. Those call findOrCreateProxyUser + syncRolesFromGroups but never reconciled group memberships, so OIDC groups in the ID token were silently dropped on the wire. Caught during in-cluster testing against tyler-hetzner-dev.

The unique index on groups.name doesn't honour gorm.DeletedAt — a soft-deleted row keeps the name reserved at the DB level. The OIDC sync's create-after-delete path hit ERROR: duplicate key value violates unique constraint "idx_groups_name" whenever an admin deleted a native group that an IdP claim later re-introduced. DeleteGroup already hard-removes group_members and Casbin rules; the group row was the only soft-deleted leftover and served no purpose given the cascade. Switched to Unscoped() for the final delete. Also unscoped the GroupPermission delete for consistency (same unique-constraint risk if a future schema adds one). Updated TestDeleteGroup_HardRemovesCasbinRules and added TestDeleteGroup_FreesNameForRecreate as a regression test for the OIDC sync's create-after-delete sequence.

The 'switches to group mode' test passed when the picker source was /groups/me but broke after commit 2ffc541 switched the admin code path to /admin/groups (via useIsAdmin). The default test handlers expose a working /admin/users endpoint so useIsAdmin returns true in tests, and the dialog correctly queries /admin/groups — which was unmocked. Added a default /admin/groups handler returning [] (silences MSW unhandled-request warnings across the suite) and updated the test to mock both endpoints so it works regardless of which one the dialog ends up calling.

aktech · 2026-05-26T14:19:24Z

I am going to review this.

- rbac: drop redundant enforcer.SavePolicy() from all group functions; the GORM adapter has AutoSave so per-row mutations already persist. Capture previously-ignored RemovePolicy errors in revoke paths. - auth: audit-log OIDC group creation, membership add, and stale membership removal during SyncOIDCGroups (origin: oidc). - service: GrantGroupAdmin rejects OIDC-synced groups with a ConflictError. - docs: remove the groups-rbac plan file.

tylerpotts added 30 commits May 11, 2026 14:37

docs: add groups RBAC implementation plan

2895f68

rbac: add Casbin group helpers and switch matcher to g(r.sub, p.sub)

b66e776

test(rbac): use t.Cleanup and verify registry revoke in RemoveAllGrou…

5e475bf

…pPolicies

models: add Group, GroupMember, GroupPermission with AutoMigrate

ca6d0c3

models: align GroupMember primary-key tag with codebase convention

ddb08d9

service: add GroupService with native CRUD and member ops

70b11bd

test(groups): lock OIDC rejection invariant with audit-log and type-c…

4bcda92

…heck asserts

service: share workspaces with groups and surface them in collaborators

e30455d

service: use pointer UUIDs in CollaboratorResult and drop unused grou…

3e7242e

…pSvc param

service: admin grants for group admin role and registry access

63ec817

api: handlers for /admin/groups and /groups/me

da7480b

test(group_handlers): drop no-op t.Cleanup placeholder

643eb30

plan: add Swagger godoc sweep step to Task 16

b23f8ca

api: handlers for share-group, registry-group grants, and group-as-admin

d668f5c

plan: fix Task 7.2 registry handler snippet to valid gin.HandlerFunc …

9a65b0e

…signature

api: wire group, share-group, and group-as-admin routes

36192f7

auth: OIDC group sync on login (JIT upsert + stale reconcile)

1e7d7ed

auth(groups): refuse OIDC merge into native groups; tighten test

7b52697

plan: fix server→serve typo and note Task 10 smoke result

839b5c2

frontend: add Group types and API client; narrow Collaborator consumers

455f6b4

plan(task-13): include stale collaborator count fixes in WorkspaceDet…

3908a86

…ail scope

frontend: admin Groups page with CRUD and member management

d6dbc98

ui(groups): add title tooltips to action buttons for parity with User…

2ab9bab

…Management

frontend: ShareDialog supports sharing with groups; fix WorkspaceDeta…

c30ae2c

…il counts

plan(task-16): note deferred Task 13 polish items

352bf8a

admin: surface user's groups in admin user-management

271c896

task-14 nits: hierarchical query key and drop dead test line

50a30cc

docs: document Groups admin UI and OIDC group sync

2f5f876

docs(swagger): annotate new Groups handlers and regenerate

b2dfcda

plan: config.yaml is positional, not a --config flag

c93bfb9

tylerpotts added 4 commits May 11, 2026 16:55

ui(workspace): show group shares in overview sidebar

2a986a1

ui(share-dialog): admins see all groups; non-admins see only their own

80088e1

fix(share-dialog): detect admin via useIsAdmin hook (is_admin is not …

2ffc541

…on User)

tylerpotts added 4 commits May 12, 2026 09:04

Merge branch 'main' into feature/groups-rbac

779836b

tylerpotts marked this pull request as ready for review May 15, 2026 02:22

kcpevey requested review from Adam-D-Lewis and aktech May 20, 2026 17:35

aktech reviewed May 28, 2026

View reviewed changes

Comment thread internal/rbac/rbac.go Outdated

aktech mentioned this pull request May 28, 2026

fix(rbac): drop redundant enforcer.SavePolicy() after grant/revoke #357

Merged

Merge branch 'main' into feature/groups-rbac

c7bd5db