From 7fa00b43107edaa93b4a45565c5fe8364482e4e7 Mon Sep 17 00:00:00 2001 From: David Kang Date: Fri, 22 Sep 2023 10:34:45 -0700 Subject: [PATCH 1/2] Introduce type and rpc definitions for permission API methods
---
 proto/lekko/bff/v1beta1/bff.proto | 141 ++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
diff --git a/proto/lekko/bff/v1beta1/bff.proto b/proto/lekko/bff/v1beta1/bff.proto
index b2950e7e..15e2adb9 100644
--- a/proto/lekko/bff/v1beta1/bff.proto
+++ b/proto/lekko/bff/v1beta1/bff.proto
@@ -110,6 +110,28 @@ service BFFService {
   rpc Restore(RestoreRequest) returns (RestoreResponse) {}
   rpc GetRepositoryLogs(GetRepositoryLogsRequest) returns (GetRepositoryLogsResponse) {}
   rpc GetRollout(GetRolloutRequest) returns (GetRolloutResponse) {}
+
+  // User role and permission management
+
+  rpc GetTeamRoles(GetTeamRolesRequest) returns (GetTeamRolesResponse) {}
+  rpc UpsertTeamRole(UpsertTeamRoleRequest) returns (UpsertTeamRoleResponse) {}
+  rpc DeleteTeamRole(DeleteTeamRoleRequest) returns (DeleteTeamRoleResponse) {}
+
+  rpc GetUserRoles(GetUserRolesRequest) returns (GetUserRolesResponse) {}
+
+  rpc GetRoleUsers(GetRoleUsersRequest) returns (GetRoleUsersResponse) {}
+  // Creates and deletes role assignments accordingly given a list of usernames
+  rpc UpdateRoleUsers(UpdateRoleUsersRequest) returns (UpdateRoleUsersResponse) {}
+
+  rpc GetRolePermissions(GetRolePermissionsRequest) returns (GetRolePermissionsResponse) {}
+  rpc UpsertRolePermission(UpsertRolePermissionRequest) returns (UpsertRolePermissionResponse) {}
+  rpc DeleteRolePermission(DeleteRolePermissionRequest) returns (DeleteRolePermissionResponse) {}
+
+  // Query "merged" permissions a user through all of their roles
+  rpc GetUserPermissions(GetUserPermissionsRequest) returns (GetUserPermissionsResponse) {}
+
+  // Query which roles have what level of access on a specific resource
+  rpc GetResourcePermissions(GetResourcePermissionsRequest) returns (GetResourcePermissionsResponse) {}
 }
 
 message GetUserGitHubReposRequest {
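Review bot: None of the new role and permission RPCs states which PermissionLevel the caller must hold on the team, so the authorization contract of this privilege-management surface lives only in server code and cannot be checked from the schema; a leading comment per RPC or per group, such as `// Requires PERMISSION_LEVEL_ADMIN on the team.`, would make it explicit (the actual level per method has to be taken from the implementation — I am only inferring that a check exists). The comment on GetUserPermissions is missing its verb: `// Query "merged" permissions a user has through all of their roles`. DeleteTeamRole also gives no hint what happens to the role's existing user assignments and Permission entries; a one-line note on whether deletion cascades or is refused while users are still assigned belongs here. The enclosing service BFFService starts before the hunk.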
@@ -949,3 +971,122 @@ message Rollout {
 message GetRolloutResponse {
   Rollout rollout = 1;
 }
+
+message Role {
+  string name = 1;
+  string team_name = 2;
+  string description = 3;
+}
+
+enum PermissionLevel {
+  PERMISSION_LEVEL_UNSPECIFIED = 0;
+  PERMISSION_LEVEL_READ = 1;
+  PERMISSION_LEVEL_UPDATE = 2;
+  PERMISSION_LEVEL_MANAGE = 3;
+  PERMISSION_LEVEL_ADMIN = 4;
+}
+
+message Permission {
+  string resource_path = 1;
+  string role_name = 2;
+  PermissionLevel level = 3;
+}
+
+message GetTeamRolesRequest {
+  string team_name = 1;
+}
+
+message GetTeamRolesResponse {
+  repeated Role roles = 1;
+}
+
+message UpsertTeamRoleRequest {
+  string team_name = 1;
+  string role_name = 2;
+  Role updated_role = 3;
+}
+
+message UpsertTeamRoleResponse {
+  Role role = 1;
+}
+
+message DeleteTeamRoleRequest {
+  string team_name = 1;
+  string role_name = 2;
+}
+
+message DeleteTeamRoleResponse {}
+
+message GetUserRolesRequest {
+  string username = 1;
+  string team_name = 2;
+}
+
+message GetUserRolesResponse {
+  repeated Role roles = 1;
+}
+
+message GetRoleUsersRequest {
+  string team_name = 1;
+  string role_name = 2;
+}
+
+message GetRoleUsersResponse {
+  repeated string usernames = 1;
+}
+
+message UpdateRoleUsersRequest {
+  string team_name = 1;
+  string role_name = 2;
+  repeated string usernames = 3;
+}
+
+message UpdateRoleUsersResponse {}
+
+message GetRolePermissionsRequest {
+  string team_name = 1;
+  string role_name = 2;
+}
+
+message GetRolePermissionsResponse {
+  repeated Permission permissions = 1;
+}
+
+message UpsertRolePermissionRequest {
+  string team_name = 1;
+  string role_name = 2;
+  string resource_path = 3;
+  PermissionLevel permission_level = 4;
+}
+
+message UpsertRolePermissionResponse {
+  Permission permission = 1;
+}
+
+message DeleteRolePermissionRequest {
+  string team_name = 1;
+  string role_name = 2;
+  string resource_path = 3;
+}
+
+message DeleteRolePermissionResponse {}
+
+message GetUserPermissionsRequest {
+  string username = 1;
+  string team_name = 2;
+}
+
+message GetUserPermissionsResponse {
+  repeated Permission permissions = 1;
+}
+
+message GetResourcePermissionsRequest {
+  string resource_path = 1;
+  string team_name = 2;
+}
+
+message GetResourcePermissionsResponse {
+  // If resource path does not match the one provided in the request,
+  // it means that the role has transitive access via the returned path.
+  repeated Permission permissions = 1;
+}
From 5fcda533bcc9721c2b0955aed58a287a894abc84 Mon Sep 17 00:00:00 2001 From: David Kang Date: Fri, 6 Oct 2023 10:35:22 -0700 Subject: [PATCH 2/2] Update batch role assignment addition/removal methods
---
 proto/lekko/bff/v1beta1/bff.proto | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/proto/lekko/bff/v1beta1/bff.proto b/proto/lekko/bff/v1beta1/bff.proto
index 15e2adb9..7516c84e 100644
--- a/proto/lekko/bff/v1beta1/bff.proto
+++ b/proto/lekko/bff/v1beta1/bff.proto
@@ -121,7 +121,8 @@ service BFFService {
 
   rpc GetRoleUsers(GetRoleUsersRequest) returns (GetRoleUsersResponse) {}
   // Creates and deletes role assignments accordingly given a list of usernames
-  rpc UpdateRoleUsers(UpdateRoleUsersRequest) returns (UpdateRoleUsersResponse) {}
+  rpc AddUsersToRole(AddUsersToRoleRequest) returns (AddUsersToRoleResponse) {}
+  rpc RemoveUsersFromRole(RemoveUsersFromRoleRequest) returns (RemoveUsersFromRoleResponse) {}
 
   rpc GetRolePermissions(GetRolePermissionsRequest) returns (GetRolePermissionsResponse) {}
   rpc UpsertRolePermission(UpsertRolePermissionRequest) returns (UpsertRolePermissionResponse) {}
@@ -1002,7 +1003,11 @@ message GetTeamRolesResponse {
 
 message UpsertTeamRoleRequest {
   string team_name = 1;
+  // Role name to identify current role or create new role with if one does not exist.
   string role_name = 2;
+  // Can contain an updated role name.
+  // If inserting, role_name and name of updated_role should match.
+  // Team name in this object will be ignored.
   Role updated_role = 3;
 }
 
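Review bot: Permission.resource_path, the key every permission lookup in this hunk turns on, has no comment on its format, and the transitive-access remark on GetResourcePermissionsResponse implies a hierarchical path whose separator and matching rule (exact vs. ancestor prefix) are stated nowhere; a field comment such as `// Hierarchical resource path; a permission on a path also applies to its descendants (see GetResourcePermissions).` would pin that down, with the exact matching rule taken from the implementation. PermissionLevel reads as an ordered ladder (READ < UPDATE < MANAGE < ADMIN), but nothing says whether a higher level implies the lower ones, nor whether UpsertRolePermission rejects PERMISSION_LEVEL_UNSPECIFIED or treats it as removal; both belong as comments on the enum and on UpsertRolePermissionRequest.permission_level. Permission.level and UpsertRolePermissionRequest.permission_level name the same quantity differently; choosing one name before the API is published avoids a source-breaking rename later.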
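Review bot: The comment `// Creates and deletes role assignments accordingly given a list of usernames` is kept above AddUsersToRole, but after the split it describes neither method, since AddUsersToRole presumably only creates assignments and RemoveUsersFromRole only deletes them. Replace it with one comment per RPC, e.g. `// Adds role assignments for the listed usernames.` and `// Removes role assignments for the listed usernames.`, and state whether assigning an already-assigned user (or removing an unassigned one) is an error or a no-op, which the schema cannot express on its own. The enclosing service BFFService starts and ends outside the hunk.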
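Review bot: The new comments on UpsertTeamRoleRequest introduce role renaming (updated_role.name may differ from role_name) without saying what happens to existing Permission.role_name values and user assignments that reference the old name; because Permission carries the role by name rather than by an id, a rename that does not cascade would silently detach the role's permissions, which is authorization-affecting behaviour that should be stated in the schema. Suggested addition after `// Can contain an updated role name.`: `// Renaming a role moves its permissions and user assignments to the new name.` — or the opposite, whichever the server implements. It would also help to say whether a mismatch between role_name and updated_role.name on insert is rejected or which value wins.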
@@ -1035,13 +1040,21 @@ message GetRoleUsersResponse {
   repeated string usernames = 1;
 }
 
-message UpdateRoleUsersRequest {
+message AddUsersToRoleRequest {
   string team_name = 1;
   string role_name = 2;
   repeated string usernames = 3;
 }
 
-message UpdateRoleUsersResponse {}
+message AddUsersToRoleResponse {}
+
+message RemoveUsersFromRoleRequest {
+  string team_name = 1;
+  string role_name = 2;
+  repeated string usernames = 3;
+}
+
+message RemoveUsersFromRoleResponse {}
 
 message GetRolePermissionsRequest {
   string team_name = 1;
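Review bot: AddUsersToRoleRequest.usernames and RemoveUsersFromRoleRequest.usernames carry no comment on batch semantics: whether an empty list is accepted as a no-op or rejected, and whether the operation is atomic when one username is unknown or is not a team member — a partially applied grant is exactly the case a caller needs to know about. A field comment on both messages such as `// Usernames to assign; the request fails as a whole if any username is invalid.` (or the partial-success rule, whichever is implemented) would close that gap. Keeping the two request messages as separate types rather than sharing one is the right call for independent evolution.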