Merged
Conversation
zmb3
force-pushed
the
zmb3/role-parser-capitalization
branch
from
65356ab to
8f2ae19
Compare
zmb3
force-pushed
the
zmb3/role-parser-capitalization
branch
from
8f2ae19 to
43bca0f
Compare
smallinsky
approved these changes
Jan 13, 2022
| RoleTrustedCluster, LegacyClusterTokenType, | ||
| RoleSignup, RoleProxy, RoleNop, RoleKube, RoleWindowsDesktop: | ||
| RoleSignup, RoleProxy, RoleRemoteProxy, | ||
| RoleNop, RoleKube, RoleWindowsDesktop: |
Contributor
There was a problem hiding this comment.
nit: This approach have one main drawback the roleMappings map needs to be updated each time when a new Role is added also with the Check() case
What would you say about something like:
func (r *SystemRole) Check() error {
m := make(map[string]struct{})
for _, v := range roleMappings {
if v == r {
return nil
}
}
return trace.BadParameter("role %v is not registered", *r)
} so only we care about roleMappings
Collaborator
Author
There was a problem hiding this comment.
Good call, take a look at the latest commit. I like this much better.
greedy52
approved these changes
Jan 13, 2022
| "node": RoleNode, | ||
| "proxy": RoleProxy, | ||
| "admin": RoleAdmin, | ||
| "provisiontoken": RoleProvisionToken, |
Contributor
There was a problem hiding this comment.
is provision_token a valid input?
Collaborator
Author
There was a problem hiding this comment.
No, it never has been.
We're a little more tolerant and allow _ separators for things that are commonly typed on the command line, like when generating tokens to allow a kube service or windows desktop service to join the cluster.
Since no one ever needs to generate provision tokens via the CLI, I didn't see a need to make provision_token valid.
In fact, after a quick search, it seems RoleProvisionToken is never used. Maybe we should delete it.
zmb3
force-pushed
the
zmb3/role-parser-capitalization
branch
from
1ea4618 to
017b986
Compare
Our original attempt at canonicalizing roles didn't work for system roles using camelcase, resulting in an awkward user experience. Here we maintain a mapping of allowed inputs to their corresponding system roles, and perform a case-insensitive lookup. This allows us to support camelcase roles, and has the advantage of permitting _ word separators as well. Fixes #9752
Rather than having to list each role here, we rely on the new roleMappings set to validate the role. Additionally, remove the LegacyClusterTokenType role. This change is guaranteed to be backwards compatible because we check for RoleTrustedCluster everywhere we were checking for LegacyClusterTokenType, and our roleMappings will convert the old string that represented LegacyClusterTokenType to RoleTrustedCluster.
zmb3
force-pushed
the
zmb3/role-parser-capitalization
branch
from
017b986 to
7c87c26
Compare
zmb3
added a commit
that referenced
this pull request
Jan 21, 2022
* Add tests for ParseTeleportRoles Updates #9752 * Be more tolerant when parsing system roles. Our original attempt at canonicalizing roles didn't work for system roles using camelcase, resulting in an awkward user experience. Here we maintain a mapping of allowed inputs to their corresponding system roles, and perform a case-insensitive lookup. This allows us to support camelcase roles, and has the advantage of permitting _ word separators as well. Fixes #9752 * Refactor *SystemRole.Check() Rather than having to list each role here, we rely on the new roleMappings set to validate the role. Additionally, remove the LegacyClusterTokenType role. This change is guaranteed to be backwards compatible because we check for RoleTrustedCluster everywhere we were checking for LegacyClusterTokenType, and our roleMappings will convert the old string that represented LegacyClusterTokenType to RoleTrustedCluster.
zmb3
added a commit
that referenced
this pull request
Jan 25, 2022
* Add tests for ParseTeleportRoles Updates #9752 * Be more tolerant when parsing system roles. Our original attempt at canonicalizing roles didn't work for system roles using camelcase, resulting in an awkward user experience. Here we maintain a mapping of allowed inputs to their corresponding system roles, and perform a case-insensitive lookup. This allows us to support camelcase roles, and has the advantage of permitting _ word separators as well. Fixes #9752 * Refactor *SystemRole.Check() Rather than having to list each role here, we rely on the new roleMappings set to validate the role. Additionally, remove the LegacyClusterTokenType role. This change is guaranteed to be backwards compatible because we check for RoleTrustedCluster everywhere we were checking for LegacyClusterTokenType, and our roleMappings will convert the old string that represented LegacyClusterTokenType to RoleTrustedCluster.
zmb3
added a commit
that referenced
this pull request
Jan 25, 2022
* Add tests for ParseTeleportRoles Updates #9752 * Be more tolerant when parsing system roles. Our original attempt at canonicalizing roles didn't work for system roles using camelcase, resulting in an awkward user experience. Here we maintain a mapping of allowed inputs to their corresponding system roles, and perform a case-insensitive lookup. This allows us to support camelcase roles, and has the advantage of permitting _ word separators as well. Fixes #9752 * Refactor *SystemRole.Check() Rather than having to list each role here, we rely on the new roleMappings set to validate the role. Additionally, remove the LegacyClusterTokenType role. This change is guaranteed to be backwards compatible because we check for RoleTrustedCluster everywhere we were checking for LegacyClusterTokenType, and our roleMappings will convert the old string that represented LegacyClusterTokenType to RoleTrustedCluster.
Closed
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Be more consistent in what inputs we accept when referring to system roles, such as in the
tctl tokens addcall.Also add missing test coverage for this parser.
Fixes #9752