RBAC #1214

tomchop · 2024-12-29T14:15:18Z

No description provided.

udgover

Left some comments while waiting for the final review. Looks really cool!

core/database_arango.py

core/schemas/graph.py

core/web/apiv2/auth.py

udgover

Really nice PR! However, I've added several comments to be sure I've fully understood the inner working.

Besides, I'm wondering how search api endpoints should be handled regarding permissions. For a unique object endpoints (read, write, delete) it's handled with permissions decorator but search endpoints are not decorated. Do you confirm that for search we rely on database_arango.filter to do the job?

core/schemas/dfiq.py

core/schemas/model.py

core/schemas/rbac.py

core/database_arango.py

udgover

LGTM!

tomchop added 5 commits December 29, 2024 14:13

Models

cf9c1c6

db changes

0a0ee93

RBAC schema tests

5af5d75

API changes for Entities

a5a64ad

Add RoleRelationship graph

7b09a4e

tomchop force-pushed the rbac branch from e687342 to 7b09a4e Compare December 31, 2024 14:13

tomchop added 20 commits December 31, 2024 17:36

Add username to filter / neighbor functions

f0d13e2

Merge branch 'main' into rbac

5d409b2

chill out ruff

18eaec7

Add global role

c5c9f0b

Add global writer test

a31edac

Fix test

3466bf5

Config default roles & toggle

28313ba

Only filter when rbac is enabled

71890c2

Global function renaming

ea8684c

Fix test

0344002

Move comment up

b3c838a

Ensure all refs to deleted object are removed from graphs

9928d94

Add helper function to get groups

d41205a

Cleanup / updates

e726214

Return groups when querying user

2e52582

Groups API

3b0ed77

Grand ownership to user creating entity

8240722

Pass in user object instead of username string

5958ace

Admins bypass rbac

bee98e1

Group search

9b45e8a

udgover reviewed Jan 5, 2025

View reviewed changes

core/database_arango.py Show resolved Hide resolved

core/schemas/graph.py Outdated Show resolved Hide resolved

core/web/apiv2/auth.py Show resolved Hide resolved

tomchop added 3 commits January 7, 2025 11:30

Dynamically compute ACLs

3d1bfe4

New group endpoints

d056aff

Fix test

53cfad2

tomchop added 20 commits January 22, 2025 20:37

Remove global role checks when checking for granular perms

0fa4085

Add RBAC endpoints

d0ac3ab

Remove RBAC logic from groups API

c7f1fe3

Move role patching to its own endpoint

819f6be

Fix tests

d599da7

Fix more tests

eabcc0e

bugfix

298810d

Don't overwrite ACLs

10e0094

Add endpoint to actually delete a RoleRelationship

2a08223

Serialize IDs in relationships

c9e7f64

Test that relationships are actually deleted

13f581c

Add uniq indexes on groups and users

fd2e0a3

use a set_acls that also handles default permissions

7af7fa4

fix DFIQ ACL setting

2e8f02c

Fix tests

6dbc0eb

account for multiple potential key aggregations

d3faca1

optinally skip setting default acls

b51f2ce

add ACL to graph

af5d343

typo

0c588ce

Add RBAC to content of system call

ed21f97

tomchop marked this pull request as ready for review January 28, 2025 16:07

Add mirgation

49da684

tomchop requested a review from udgover January 28, 2025 16:09

Add users to groups upon creation

e398bde

udgover reviewed Jan 29, 2025

View reviewed changes

tomchop added 2 commits January 29, 2025 09:32

add WITH statement for ACL checks

9604b99

Fix WITH statement generation

aab3c27

udgover approved these changes Jan 29, 2025

View reviewed changes

tomchop merged commit 7974c09 into main Jan 29, 2025
2 checks passed

tomchop deleted the rbac branch January 29, 2025 09:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RBAC #1214

RBAC #1214

tomchop commented Dec 29, 2024

udgover left a comment

udgover left a comment

udgover left a comment

RBAC #1214

RBAC #1214

Conversation

tomchop commented Dec 29, 2024

udgover left a comment

Choose a reason for hiding this comment

udgover left a comment

Choose a reason for hiding this comment

udgover left a comment

Choose a reason for hiding this comment