This repository was archived by the owner on Sep 30, 2024. It is now read-only.
rbac: add dotcom-only roles and productsubscription roles#60795
Merged
Conversation
Member
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. Join @bobheadxi and the rest of your teammates on |
4bfe7f4 to
d398418
Compare
evict
approved these changes
Mar 4, 2024
19ba930 to
93561ac
Compare
eseliger
approved these changes
Mar 4, 2024
eseliger
left a comment
Member
There was a problem hiding this comment.
Could we agree on the naming for the role here, so that I can make https://github.com/sourcegraph/sourcegraph/pull/60014 stack on top of this?
The goal of that PR is to decouple license mgmt from site admin for UI access, but it seems similar enough to what you're doing here :)
Member
Author
I would vote for "product subscriptions" and write == "can manage licenses". I think I'd like to make sure we help people remember that subscriptions as an entity exists, especially with longer-lived "subscription" traits like CG rate limits. WDYT? |
Member
|
Makes sense to me, resembles the entity name as well. Thanks for entertaining me :) |
rafax
approved these changes
Mar 5, 2024
unknwon
approved these changes
Mar 6, 2024
bobheadxi
added a commit
that referenced
this pull request
Mar 11, 2024
Currently, listing roles associated with a user on dotcom fails with the error `roles are not available on sourcegraph.com`. However, roles _are_ available on dotcom and you can configure them for users (e.g. Entitler, #60795), but there's no way to check what roles a user has with the current guard. This relaxes the restriction to allow site admins to view a user's roles. ## Test plan Test case
bobheadxi
referenced
this pull request
Mar 12, 2024
…lags (#60796) Removes the feature flag service account stuff, replacing it with "real RBAC" on permissions introduced in https://github.com/sourcegraph/sourcegraph/pull/60795. Cody Gateway SAs will need to use roles with these permissions. This change does **not** migrate all product-subscriptions-related CRUD to check for the new roles - it only updates the helper used by Cody Gateway related functionality. This _could_ be used with Security team's "Entitler" service to help CEs manage subscriptions and licenses if we expand the RBAC checks, at least until [RFC 885](https://docs.google.com/document/d/1tiaW1IVKm_YSSYhH-z7Q8sv4HSO_YJ_Uu6eYDjX7uU4/edit#heading=h.tdaxc5h34u7q), which is still some time away. The new roles have been rolled out: https://github.com/sourcegraph/sourcegraph/pull/60796#issuecomment-1989842548
bobheadxi
referenced
this pull request
in sourcegraph/handbook
Mar 13, 2024
Documents https://github.com/sourcegraph/sourcegraph/pull/60796 and https://github.com/sourcegraph/sourcegraph/pull/60795. I rolled this out yesterday without issue.
bobheadxi
referenced
this pull request
Apr 15, 2024
…otcom-mode (#61893) See https://sourcegraph.slack.com/archives/C06TEEJLAET/p1712838707915619 (INC-292) - this should have been included as part of https://github.com/sourcegraph/sourcegraph/pull/60795 ## Test plan New integration test on `TestUpdatePermissions` for dotcom scenario to assert user perms in dotcom mode.
jtibshirani
referenced
this pull request
Apr 15, 2024
…otcom-mode (#61893) See https://sourcegraph.slack.com/archives/C06TEEJLAET/p1712838707915619 (INC-292) - this should have been included as part of https://github.com/sourcegraph/sourcegraph/pull/60795 ## Test plan New integration test on `TestUpdatePermissions` for dotcom scenario to assert user perms in dotcom mode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds productsubscription RBAC roles (read and write), with the intent of replacing "cody gateway feature flag service account": https://github.com/sourcegraph/sourcegraph/pull/60796
This could be used with Security team's "Entitler" service to help CEs manage subscriptions and licenses, at least until RFC 885
Test plan
CI tests - the real fun is in https://github.com/sourcegraph/sourcegraph/pull/60796