-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to list (import) roles from provider #55
Comments
How would this work without external cache if guardian is running in multiple pods on k8s ? How are you planning to keep the cache updated in all the pods on a provider roles fetch call? |
@bsushmith adding TTL to the cached data might help keep the roles synced between pods and with the provider (with some delay based on the TTL). one reason for not storing it in DB was to avoid updating the provider config without the user's consent/input. |
@rahmatrhd why not use just * in roles to import all roles. Instead of complicating config with import roles etc. A combination of include and exclude can also be used in case user want to omit very specific roles. Also even if we are going towards toggle etc. better would be to restructure roles key to something like this.
|
@ravisuhag Need to separate imported roles and custom roles (existing # custom role
roles:
- id: my-role-id
permissions:
- roles/viewer
- roles/owner
- roles/x
- ...
# mapped imported role
- id: roles/viewer
permissions:
- roles/viewer
- id: roles/owner
permissions:
- roles/owner
... additionally, filter (include & exclude) will only relevant for imported roles
agree with this, existing role config better be restructured to accommodate import, but IMO below example is more preferred if breaking changes wants to be avoided resource_config:
...
roles: []Role # keep this field for backward compatibility
role_config: # new roles config
import: true
filter: Expression
custom_options: []Role |
How about maybe providing a migration script/command from old resource config to new to handle breaking change, but atleast thinking this appropriately would make config more readable. |
@ravisuhag migration script can always be added, but replacing the existing |
Summary
Project-level (or org-level) access in GCP already comes with many predefined roles plus the custom role that the user can create themselves, and it would be tedious to list all of those manually in
ResourceConfig.Roles
guardian/domain/provider.go
Line 59 in 7966278
Would be easier if this can be automatically populated from the provider (similar way with resources being imported from provider)
Proposed solution
A new option
ImportRoles
is introduced within theResourceConfig
to indicate that the roles listing will be coming from the provider instead of the oldRoles
listHandle new config during provider create and edit
During create/edit, the following logic applies:
Roles
is required ifImportRoles
is empty/not specified vice versaProvider roles listing
The following logic will be updated to support retrieving the roles from the cached data instead of from
ResourceConfig.Roles
in the case of providers with ImportRoles option enabledguardian/plugins/providers/gcloudiam/provider.go
Lines 149 to 155 in 7966278
The text was updated successfully, but these errors were encountered: