Include requiresRequest flag for searchAsRoles requests by avatus · Pull Request #40328 · gravitational/teleport

avatus · 2024-04-08T17:39:35Z

This PR is the start of a series that will allow users to make access requests directly from the resources page in the web UI.

The purpose of this PR is to add a flag to differentiate between resources being returned due to static access, and resources returned during an "extended" auth context (for a searchAsRoles) request.

The second part of this series will be appending this RequiresRequest value to all of the makeResource methods for the resources returned to the web UI. I decided to leave that out of this PR so the focus could be on the method I'm proposing to differentiate between the two types of access.

changelog: Audit events for AccessRequestResourceSearch are no longer emitted.

github-actions · 2024-04-08T17:40:13Z

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

avatus · 2024-04-23T20:18:42Z

After fiddling with this a bit, I think instead of checking if searchAsRoles exists in the request, I'll have to add a new field like includeRequestable. This will help with backward compatibility and also allow us to do something like "get searchAsRoles, get only have access, or both".

If a new web client calls an old proxy with searchAsRoles, it will receive all the resources (including requestable) but without the distinction between which is which, the new web client will display all as "has access". However, if we add the new field, then the old proxy will essentially ignore it and will only receive has access resources. I believe for backward compatible in this case, NOT seeing requestable resources is better than seeing resources that you think you have access to (during the upgrade).

Also, if an old web client hits a new proxy, it won't send the new param anyway and everything will be as expected.

I will update the PR with this new field and then address the current feedback (that doesn't care about the param name)

nklaassen

Looks pretty good to me, I would approve but I don't see any tests for this, will you be adding some?

avatus · 2024-04-29T00:18:44Z

will you be adding some?

Yup, just added. thanks for the detailed feedback!

rosstimothy · 2024-04-29T12:55:38Z

Only populated ..... ?

rosstimothy · 2024-04-29T12:57:52Z

add a comment to this field too?

github-actions Bot requested review from EdwardDowling and espadolini April 8, 2024 17:40

github-actions Bot added the size/sm label Apr 8, 2024

avatus commented Apr 8, 2024

View reviewed changes

Comment thread lib/auth/auth_with_roles.go

avatus requested review from nklaassen and rosstimothy and removed request for EdwardDowling April 8, 2024 17:41

avatus added the no-changelog Indicates that a PR does not require a changelog entry label Apr 8, 2024

nklaassen reviewed Apr 8, 2024

View reviewed changes

Comment thread api/proto/teleport/legacy/client/proto/authservice.proto Outdated

Comment thread lib/auth/auth_with_roles.go Outdated

Comment thread lib/auth/auth_with_roles_test.go

avatus removed the no-changelog Indicates that a PR does not require a changelog entry label Apr 8, 2024

nklaassen reviewed Apr 8, 2024

View reviewed changes

Comment thread lib/auth/auth_with_roles.go Outdated

Comment thread lib/auth/auth_with_roles.go Outdated

rosstimothy reviewed Apr 10, 2024

View reviewed changes

Comment thread api/client/client.go Outdated

Comment thread lib/auth/auth_with_roles.go Outdated

Comment thread lib/services/unified_resource.go Outdated

avatus force-pushed the avatus/search_as_roles branch 2 times, most recently from 2190190 to ec99805 Compare April 10, 2024 17:32

avatus requested review from nklaassen and rosstimothy April 27, 2024 02:11

nklaassen reviewed Apr 27, 2024

View reviewed changes

rosstimothy approved these changes Apr 29, 2024

View reviewed changes

Include requiresRequest flag for searchAsRoles requests

282bf78

avatus force-pushed the avatus/search_as_roles branch from f085fdc to 282bf78 Compare April 29, 2024 17:05

avatus enabled auto-merge April 29, 2024 17:05

avatus requested a review from nklaassen April 29, 2024 17:07

nklaassen approved these changes Apr 29, 2024

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from espadolini April 29, 2024 17:10

avatus added this pull request to the merge queue Apr 29, 2024

Merged via the queue into master with commit d129b1d Apr 29, 2024

avatus deleted the avatus/search_as_roles branch April 29, 2024 17:40

This was referenced Apr 30, 2024

Add ShowResources to UIConfig #41064

Merged

Add requiresRequest field to unified resources #41075

Merged

Conversation

avatus commented Apr 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 8, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

avatus commented Apr 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nklaassen left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

avatus commented Apr 29, 2024

Uh oh!

rosstimothy Apr 29, 2024

Choose a reason for hiding this comment

Uh oh!

rosstimothy Apr 29, 2024

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

avatus commented Apr 8, 2024 •

edited

Loading

avatus commented Apr 23, 2024 •

edited

Loading