mirror of https://github.com/Unleash/unleash.git synced 2024-11-01 19:07:38 +01:00
Commit Graph

37 Commits

Author SHA1 Message Date
Gastón Fournier
4cedb00e04
fix: fetching user root roles include custom ones (#4068)
## About the changes
`getUserRootRoles` should also consider custom root roles

This introduces test cases that unveiled a dependency between stores
(this happens actually at the DB layer having access-service access
tables from two different stores but skipping the store layer).


https://linear.app/unleash/issue/2-1161/a-user-with-custom-root-role-and-permission-to-create-client-api

---------

Co-authored-by: Nuno Góis <github@nunogois.com>
2023-06-22 14:42:01 +00:00
Nuno Góis
7e9069e390
refactor: token permissions, drop admin-like permissions (#4050)
https://linear.app/unleash/issue/2-1155/refactor-permissions

- Our `rbac-middleware` now supports multiple OR permissions;
- Drops non-specific permissions (e.g. CRUD API token permissions
without specifying the token type);
- Makes our permission descriptions consistent;
- Drops our higher-level permissions that basically mean ADMIN (e.g.
ADMIN token permissions) in favor of `ADMIN` permission in order to
avoid privilege escalations;

This PR may help with
https://linear.app/unleash/issue/2-1144/discover-potential-privilege-escalations
as it may prevent privilege escalations altogether.

There's some UI permission logic around this, but in the future
https://linear.app/unleash/issue/2-1156/adapt-api-tokens-creation-ui-to-new-permissions
could take it a bit further by adapting the creation of tokens as well.

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2023-06-22 08:35:54 +01:00
Christopher Kolstad
3acb116ab2
feat: Separate api token roles (#4019)
## What
As part of the move to enable custom-root-roles, our permissions model
was found to not be granular enough to allow service accounts to only be
allowed to create read-only tokens (client, frontend), but not be
allowed to create admin tokens to avoid opening up a path for privilege
escalation.

## How
This PR adds 12 new roles, a CRUD set for each of the three token types
(admin, client, frontend). To access the `/api/admin/api-tokens`
endpoints you will still need the existing permission (CREATE_API_TOKEN,
DELETE_API_TOKEN, READ_API_TOKEN, UPDATE_API_TOKEN). Once this PR has
been merged the token type you're modifying will also be checked, so if
you're trying to create a CLIENT api-token, you will need
`CREATE_API_TOKEN` and `CREATE_CLIENT_API_TOKEN` permissions. If the
user performing the create call does not have these two permissions or
the `ADMIN` permission, the creation will be rejected with a `403 -
FORBIDDEN` status.


### Discussion points
The test suite tests all operations using a token with
operation_CLIENT_API_TOKEN permission and verifies that it fails trying
to do any of the operations against FRONTEND and ADMIN tokens. During
development the operation_FRONTEND_API_TOKEN and
operation_ADMIN_API_TOKEN permissions have also been tested in the same
way. I wonder if it's worth it to re-add these tests in order to verify
that the permission checker works for all operations, or if this is
enough. Since we're running them using e2e tests, I've removed them for
now, to avoid hogging too much processing time.
2023-06-20 14:21:14 +02:00
Nuno Góis
bb026c0ba1
feat: custom root roles (#3975)
## About the changes
Implements custom root roles, encompassing a lot of different areas of
the project, and slightly refactoring the current roles logic. It
includes quite a clean up.

This feature itself is behind a flag: `customRootRoles`

This feature covers root roles in:
 - Users;
 - Service Accounts;
 - Groups;

Apologies in advance. I may have gotten a bit carried away 🙈 

### Roles

We now have a new admin tab called "Roles" where we can see all root
roles and manage custom ones. We are not allowed to edit or remove
*predefined* roles.

![image](https://github.com/Unleash/unleash/assets/14320932/1ad8695c-8c3f-440d-ac32-39746720d588)
This meant slightly pushing away the existing roles to `project-roles`
instead. One idea we want to explore in the future is to unify both
types of roles in the UI instead of having 2 separate tabs. This
includes modernizing project roles to fit more into our current design
and decisions.

Hovering the permissions cell expands detailed information about the
role:

![image](https://github.com/Unleash/unleash/assets/14320932/81c4aae7-8b4d-4cb4-92d1-8f1bc3ef1f2a)

### Create and edit role

Here's what the role form looks like (create / edit):

![image](https://github.com/Unleash/unleash/assets/14320932/85baec29-bb10-48c5-a207-b3e9a8de838a)
Here I categorized permissions so it's easier to visualize and manage
from a UX perspective.

I'm using the same endpoint as before. I tried to unify the logic and
get rid of the `projectRole` specific hooks. What distinguishes custom
root roles from custom project roles is the extra `root-custom` type we
see on the payload. By default we assume `custom` (custom project role)
instead, which should help in terms of backwards compatibility.

### Delete role

When we delete a custom role we try to help the end user make an
informed decision by listing all the entities which currently use this
custom root role:

![image](https://github.com/Unleash/unleash/assets/14320932/352ed529-76be-47a8-88da-5e924fb191d4)
~~As mentioned in the screenshot, when deleting a custom role, we demote
all entities associated with it to the predefined `Viewer` role.~~
**EDIT**: Apparently we currently block this from the API
(access-service deleteRole) with a message:

![image](https://github.com/Unleash/unleash/assets/14320932/82a8e50f-8dc5-4c18-a2ba-54e2ae91b91c)
What should the correct behavior be?

### Role selector

I added a new easy-to-use role selector component that is present in:
 - Users 

![image](https://github.com/Unleash/unleash/assets/14320932/76953139-7fb6-437e-b3fa-ace1d9187674)
 - Service Accounts

![image](https://github.com/Unleash/unleash/assets/14320932/2b80bd55-9abb-4883-b715-15650ae752ea)
- Groups

![image](https://github.com/Unleash/unleash/assets/14320932/ab438f7c-2245-4779-b157-2da1689fe402)

### Role description

I also added a new role description component that you can see below the
dropdown in the selector component, but it's also used to better
describe each role in the respective tables:

![image](https://github.com/Unleash/unleash/assets/14320932/a3eecac1-2a34-4500-a68c-e3f62ebfa782)

I'm not listing all the permissions of predefined roles. Those simply
show the description in the tooltip:

![image](https://github.com/Unleash/unleash/assets/14320932/7e5b2948-45f0-4472-8311-bf533409ba6c)

### Role badge

Groups is a bit different, since it uses a list of cards, so I added yet
another component - Role badge:

![image](https://github.com/Unleash/unleash/assets/14320932/1d62c3db-072a-4c97-b86f-1d8ebdd3523e)

I'm using this same component on the profile tab:

![image](https://github.com/Unleash/unleash/assets/14320932/214272db-a828-444e-8846-4f39b9456bc6)

## Discussion points
- Are we being defensive enough with the use of the flag? Should we
cover more?
 - Are we breaking backwards compatibility in any way?
 - What should we do when removing a role? Block or demote?
- Maybe some existing permission-related issues will surface with this
change: Are we being specific enough with our permissions? A lot of
places are simply checking for `ADMIN`;
- We may want to get rid of the API roles coupling we have with the
users and SAs and instead use the new hooks (e.g. `useRoles`)
explicitly;
 - We should update the docs;
- Maybe we could allow the user to add a custom role directly from the
role selector component;

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2023-06-14 14:40:40 +01:00
Mateusz Kwasniewski
ab913228ca
refactor: read model for change request access checking (#3380) 2023-03-24 14:31:43 +01:00
Mateusz Kwasniewski
d9e3ff9cd4
refactor: move project membership check from access to project (#3322) 2023-03-15 14:44:08 +01:00
Mateusz Kwasniewski
7753082660
feat: expose project members (#3310) 2023-03-14 16:27:57 +01:00
Mateusz Kwasniewski
ee20737e4a
refactor: make permission check type less demanding (#3214) 2023-02-28 14:48:27 +01:00
Nuno Góis
7d73d772df
feat: add the account abstraction logic (#2918)
https://linear.app/unleash/issue/2-579/improve-user-like-behaviour-for-service-accounts-accounts-concept

Builds on top of https://github.com/Unleash/unleash/pull/2917 by moving
the responsibility of handling both account types from `users` to
`accounts`.

Ideally:
 - `users` - Should only handle users;
 - `service-accounts` - Should only handle service accounts;
 - `accounts` - Should handle any type of account;

This should hopefully also provide a good building block in case we
later decide to refactor this further down the `accounts` path.
2023-01-18 16:08:07 +00:00
sjaanus
b071de6742
Add possibility to soft delete users (#2497)
Previously we hard deleted the users, but due to change requests and
possibly other features in future, we really want to hard-link user
table and have meaningful relationships.

But this means, when user is deleted, all linked data is also deleted.
**Workaround is to soft delete users and just clear users data and keep
the relationships alive for audit logs.**

This PR implements this feature.
2022-11-23 09:30:54 +02:00
sjaanus
131ebb931a
Permission guards in existing endpoints interacting with feature toggle configuration (#2418)
This PR adds permission guards for operations.

1. Toggling feature flag
2. Adding a strategy
3. Updating a strategy
4. Deleting a strategy
2022-11-14 15:05:26 +02:00
sjaanus
ddc759ac63
Add some extra fields for profile (#2119)
First version
2022-09-30 14:36:45 +03:00
Gastón Fournier
d91b91b56f
chore: type improvements (#1941)
Simplify the type to its minimum so it matches the API spec
2022-08-19 10:28:53 +02:00
sighphyre
5806b6748f
Feat/grouping (#1845)
* Implement user grouping feature for permissions

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
Co-authored-by: Jaanus Sellin <sellinjaanus@gmail.com>
Co-authored-by: Nuno Góis <github@nunogois.com>
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
2022-07-21 16:23:56 +02:00
olav
ab75d4085e
refactor: add schemas to user admin controller (#1692)
* refactor: add schemas to user admin controller

* refactor: remove unused SessionService

* refactor: fix search query type confusion

* refactor: add schemas to user controller (#1693)

* refactor: add schemas to user controller

* refactor: fix getAllUserSplashes method name

* refactor: name and email should not be required on create

* refactor: only some user fields may be updated

* refactor: should not require any fields on user update  (#1730)

* refactor: send 400 instead of 500 on missing username and email

* refactor: should not require any fields for user update

* refactor: note that earlier versions required name or email

* refactor: merge roleDescriptionSchema and roleSchema
2022-06-22 14:55:43 +02:00
Dennis Szczepanski
7ead887147
fix: Issue #1444 - API import with drop=true deletes existing client keys (#1668)
* fix: Does not delete api_tokens on drop-Import

* feat: Cleans unused apiTokens on environment import

* refactor: Moves ALL_PROJECTS and ALL_ENVIRONMENTS to constants

* refactor: Renames migration 20220528143630 for a more precise name

* refactor: Removes unnecessary console.log

* fix: Adds correct down-script for migration 20220528143630
2022-06-09 15:56:13 +01:00
olav
9f7d878422
fix: add missing awaits (#1472)
* refactor: silence expected console.error call

* fix: add missing access service awaits

* fix: add missing constraint validation await
2022-04-01 11:10:21 +02:00
Ivar Conradi Østhus
8364c3b396 fix: add method to change role for project member 2022-03-03 08:52:44 +01:00
sighphyre
bfcad65cdc fix: Prevent deletion of built in roles 2022-01-14 10:30:34 +02:00
sighphyre
0c78980502
feat: custom project roles (#1220)
* wip: environment for permissions

* fix: add migration for roles

* fix: connect environment with access service

* feat: add tests

* chore: Implement scaffolding for new rbac

* fix: add fake store

* feat: Add api endpoints for roles and permissions list

* feat: Add ability to provide permissions when creating a role and rename environmentName to name in the list permissions datastructure

* fix: Make project roles resolve correctly against new environments permissions structure

* fix: Patch migration to also populate permission names

* fix: Make permissions actually work with new environments

* fix: Add back to get permissions working for editor role

* fix: Removed ability to set role type through api during creation - it's now always custom

* feat: Return permissions on get role endpoint

* feat: Add in support for updating roles

* fix: Get a bunch of tests working and delete a few that make no sense anymore

* chore: A few small cleanups - remove logging and restore default on dev server config

* chore: Refactor role/access stores into more logical domains

* feat: Add in validation for roles

* feat: Patch db migration to handle old structure

* fix: migration for project roles

* fix: patch a few broken tests

* fix: add permissions to editor

* fix: update test name

* fix: update user permission mapping

* fix: create new user

* fix: update root role test

* fix: update tests

* feat: Validation now works when updating a role

* fix: Add in very barebones down migration for rbac so that tests work

* fix: Improve responses from role resolution - getting a non-existent role will throw a NotFound error

* fix: remove unused permissions

* fix: add test for connecting roles and deleting project

* fix: add test for adding a project member with a custom role

* fix: add test for changing user role

* fix: add guard for deleting role if the role is in use

* fix: alter migration

* chore: Minor code cleanups

* chore: Small code cleanups

* chore: More minor cleanups of code

* chore: Trim some dead code to make the linter happy

* feat: Schema validation for roles

* fix: setup permission for variant

* fix: remove unused import

* feat: Add cascading delete for role_permissions when deleting a role

* feat: add configuration option for disabling legacy api

* chore: update frontend to beta version

* 4.6.0-beta.0

* fix: export default project constant

* fix: update snapshot

* fix: module pattern ../../lib

* fix: move DEFAULT_PROJECT to types

* fix: remove debug logging

* fix: remove debug log state

* fix: Change permission descriptions

* fix: roles should have unique name

* fix: root roles should be connected to the default project

* fix: typo in role-schema.ts

* fix: Role permission empty string for non environment type

* feat: new permission for moving project

* fix: add event for changeProject

* fix: Removing a user from a project will now check to see if that project has an owner, rather than checking if any project has an owner

* fix: add tests for move project

* fix: Add in missing create/delete tag permissions

* fix: Removed duplicate impl caused by multiple good samaritans putting it back in!

* fix: Trim out add tag permissions, for now at least

* chore: Trim out new add and delete tag permissions - we're going with update feature instead

* chore: update frontend

* 4.6.0-beta.1

* feat: Prevent editing of built in roles

* fix: Patch an issue where permissions for variants/environments didn't match the front end

* fix: lint

Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com>
2022-01-13 11:14:17 +01:00
Ivar Conradi Østhus
784ddf8fb3
fix: cleanup old user permissions (#1150) 2021-12-01 22:10:09 +01:00
Christopher Kolstad
1f37b0bf4b
fix: make hasPermission call handle api tokens (#1041) 2021-10-19 11:34:56 +02:00
Ivar Conradi Østhus
90962434d9
fix: Cleanup new features API with env support (#929) 2021-09-13 10:23:57 +02:00
Ivar Conradi Østhus
8cbf378286
feat: sync fields when logging in via SSO (#916) 2021-08-23 12:11:29 +02:00
Christopher Kolstad
ff7be7696c
fix: Stores as typescript and with interfaces. (#902)
Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-08-12 15:04:37 +02:00
Ivar Conradi Østhus
0bed8f605e
fix: regular users are not API users 2021-05-03 19:33:37 +02:00
Ivar Conradi Østhus
4b48c08e0e
fix: move permission to types 2021-05-02 20:58:02 +02:00
Ivar Conradi Østhus
0efc238fdb
fix: define root role by setting the name of the role (#823) 2021-04-30 13:25:24 +02:00
Ivar Conradi Østhus
b4b524a11b
feat: add option for LOG_LEVEL (#803) 2021-04-23 15:31:12 +02:00
Ivar Conradi Østhus
d021f4ebc5
fix: lint 2021-04-23 12:55:11 +02:00
Ivar Conradi Østhus
709d12a1dc
fix: hasPermission should not throw 2021-04-23 12:52:29 +02:00
Ivar Conradi Østhus
b0e6d8c363
fix: User should require a ID field set (#799) 2021-04-22 23:40:52 +02:00
Christopher Kolstad
240c6a77a1
Feat/options need types (#794)
feat: options are now typed

- This makes it easier to know what to send to unleash.start / unleash.create
- Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in.


Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com>
Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
Ivar Conradi Østhus
23ea21babf
fix: rename rbac roles. (#788)
* fix: rename rbac roles.

Root-roles:
- Admin
- Editor
- Viewer

Project roles:
- Owner
- Member

* Update src/lib/services/access-service.ts

* Update src/migrations/20210415173116-rbac-rename-roles.js

Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-04-16 10:45:15 +02:00
Ivar Conradi Østhus
9e7d2f845a
fix: migrate all permissions to rbac (#782)
* fix: migrate all permissions to rbac
* fix: update migration guide

fixes #782
2021-04-12 20:25:03 +02:00
Ivar Conradi Østhus
9bd425c193
feat: Add username/password authentication (#777) 2021-04-09 13:46:53 +02:00
Ivar Conradi Østhus
e1fbe9d013
feat: Default roles and RBAC permission checker. (#735)
This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00