Deprecate User Scopes #2848

Merged
merged 11 commits into from
Mar 22, 2023
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -19,6 +19,7 @@ The types of changes are:

### Changed
* Improved standard layout for large width screens and polished misc. pages [#2869](https://github.com/ethyca/fides/pull/2869)
* Deprecated adding scopes to users directly; you can only add roles. [#2848](https://github.com/ethyca/fides/pull/2848/files)

## [2.9.1](https://github.com/ethyca/fides/compare/2.9.0...2.9.1)

278 changes: 276 additions & 2 deletions docs/fides/docs/development/postman/Fides.postman_collection.json
@@ -1,6 +1,6 @@
{
"info": {
"_postman_id": "03d28ae1-a240-42f8-839e-92a4d43132ed",
"_postman_id": "71013d58-9646-47e3-b47a-f354d33ad35a",
"name": "Fides",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
Expand Down Expand Up @@ -72,7 +72,7 @@
"header": [],
"body": {
"mode": "raw",
"raw": "[\n \"client:create\",\n \"client:update\",\n \"client:read\",\n \"client:delete\",\n \"config:read\",\n \"connection_type:read\",\n \"connection:read\",\n \"connection:create_or_update\",\n \"connection:delete\",\n \"connection:instantiate\",\n \"consent:read\",\n \"dataset:create_or_update\",\n \"dataset:delete\",\n \"dataset:read\",\n \"encryption:exec\",\n \"messaging:create_or_update\",\n \"messaging:read\",\n \"messaging:delete\",\n \"policy:create_or_update\",\n \"policy:read\",\n \"policy:delete\",\n \"privacy-request:read\",\n \"privacy-request:delete\",\n \"privacy-request-notifications:create_or_update\",\n \"privacy-request-notifications:read\",\n \"rule:create_or_update\",\n \"rule:read\",\n \"rule:delete\",\n \"scope:read\",\n \"storage:create_or_update\",\n \"storage:delete\",\n \"storage:read\",\n \"privacy-request:resume\",\n \"webhook:create_or_update\",\n \"webhook:read\",\n \"webhook:delete\",\n \"saas_config:create_or_update\",\n \"saas_config:read\",\n \"saas_config:delete\",\n \"privacy-request:review\",\n \"user:create\",\n \"user:delete\"\n]",
"raw": "[\n \"client:create\",\n \"client:update\",\n \"client:read\",\n \"client:delete\",\n \"config:read\",\n \"connection_type:read\",\n \"connection:read\",\n \"connection:create_or_update\",\n \"connection:delete\",\n \"connection:instantiate\",\n \"consent:read\",\n \"dataset:create_or_update\",\n \"dataset:delete\",\n \"dataset:read\",\n \"encryption:exec\",\n \"messaging:create_or_update\",\n \"messaging:read\",\n \"messaging:delete\",\n \"policy:create_or_update\",\n \"policy:read\",\n \"policy:delete\",\n \"privacy-request:read\",\n \"privacy-request:delete\",\n \"privacy-request-notifications:create_or_update\",\n \"privacy-request-notifications:read\",\n \"rule:create_or_update\",\n \"rule:read\",\n \"rule:delete\",\n \"scope:read\",\n \"storage:create_or_update\",\n \"storage:delete\",\n \"storage:read\",\n \"system_manager:delete\",\n \"system_manager:update\",\n \"system_manager:read\",\n \"privacy-request:resume\",\n \"webhook:create_or_update\",\n \"webhook:read\",\n \"webhook:delete\",\n \"saas_config:create_or_update\",\n \"saas_config:read\",\n \"saas_config:delete\",\n \"privacy-request:review\",\n \"user:create\",\n \"user:delete\",\n \"user-permission:create\",\n \"user-permission:update\"\n]",
"options": {
"raw": {
"language": "json"
Expand Down Expand Up @@ -4840,6 +4840,280 @@
}
}
]
},
{
"name": "Roles",
"item": [
{
"name": "Add role (Create User Permissions - Usually you'll use Update Permissions instead)",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "POST",
"header": [],
"body": {
"mode": "raw",
"raw": "{\"roles\": [\"viewer\"]}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/permission",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"permission"
]
}
},
"response": []
},
{
"name": "Update role (Update User Permissions)",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "[\"demo_analytics_system\", \"demo_marketing_system\"]",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/system-manager",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"system-manager"
]
}
},
"response": []
},
{
"name": "Get Allowed Roles",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"url": {
"raw": "{{host}}/oauth/role",
"host": [
"{{host}}"
],
"path": [
"oauth",
"role"
]
}
},
"response": []
}
]
},
{
"name": "System Managers",
"item": [
{
"name": "Update Managed Systems",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "PUT",
"header": [],
"body": {
"mode": "raw",
"raw": "[\"demo_analytics_system\", \"demo_marketing_system\"]",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/system-manager",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"system-manager"
]
}
},
"response": []
},
{
"name": "Get Systems Managed By User",
"protocolProfileBehavior": {
"disableBodyPruning": true
},
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"body": {
"mode": "raw",
"raw": "",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/system-manager",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"system-manager"
]
}
},
"response": []
},
{
"name": "Get Single System Managed By User",
"protocolProfileBehavior": {
"disableBodyPruning": true
},
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"body": {
"mode": "raw",
"raw": "",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/system-manager/demo_marketing_system",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"system-manager",
"demo_marketing_system"
]
}
},
"response": []
},
{
"name": "Remove User as System Manager",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{client_token}}",
"type": "string"
}
]
},
"method": "DELETE",
"header": [],
"body": {
"mode": "raw",
"raw": "",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{host}}/user/{{user_id}}/system-manager/demo_marketing_system",
"host": [
"{{host}}"
],
"path": [
"user",
"{{user_id}}",
"system-manager",
"demo_marketing_system"
]
}
},
"response": []
}
]
}
],
"event": [
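Review bot: The request named "Update role (Update User Permissions)" in the new Roles folder PUTs `["demo_analytics_system", "demo_marketing_system"]` to `{{host}}/user/{{user_id}}/system-manager`, which is byte-for-byte the "Update Managed Systems" request in the System Managers folder, so the Roles folder never exercises the role-update endpoint that this PR makes the only way to grant a user permissions. Presumably it should mirror the "Add role" request above it: `"raw": "{\"roles\": [\"viewer\"]}"`, `"raw": "{{host}}/user/{{user_id}}/permission"` and `"permission"` as the last `path` element — please confirm against the API. Because this collection is used to manually test the authorization surface, the mislabelled request means someone testing role assignment would actually be assigning system-manager rights instead.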
15 changes: 2 additions & 13 deletions src/fides/api/ctl/database/seed.py
Expand Up @@ -11,18 +11,14 @@
from fides.api.ctl.database.session import sync_session
from fides.api.ctl.sql_models import sql_model_map # type: ignore[attr-defined]
from fides.api.ctl.utils.errors import AlreadyExistsError, QueryError
from fides.api.ops.api.v1.scope_registry import (
PRIVACY_REQUEST_CREATE,
PRIVACY_REQUEST_READ,
PRIVACY_REQUEST_TRANSFER,
)
from fides.api.ops.models.policy import ActionType, DrpAction, Policy, Rule, RuleTarget
from fides.core.config import CONFIG
from fides.lib.db.base_class import FidesBase
from fides.lib.exceptions import KeyOrNameAlreadyExists
from fides.lib.models.client import ClientDetail
from fides.lib.models.fides_user import FidesUser
from fides.lib.models.fides_user_permissions import FidesUserPermissions
from fides.lib.oauth.roles import OWNER
from fides.lib.utils.text import to_snake_case

from .crud import create_resource, list_resource
Expand Down Expand Up @@ -89,14 +85,7 @@ def create_or_update_parent_user() -> None:
)
FidesUserPermissions.create(
db=db_session,
data={
"user_id": user.id,
"scopes": [
PRIVACY_REQUEST_CREATE,
PRIVACY_REQUEST_READ,
PRIVACY_REQUEST_TRANSFER,
],
},
data={"user_id": user.id, "roles": [OWNER]},
)
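Review bot: The seeded parent user is now given the `OWNER` role on the `data=` line, which widens its permissions from three narrowly scoped privacy-request scopes to whatever OWNER carries, and nothing in the hunk records why; a why-comment would help the next reader, e.g. `# Per-user scopes are gone, so the bootstrap parent user needs a role; OWNER is used so it can grant roles to other users (confirm this is the intended privilege level).` The CHANGELOG entry in this PR only says scopes were deprecated; it should also state that the parent user is now seeded as OWNER, since operators who relied on its previously narrow permissions should know. `create_or_update_parent_user` begins outside the hunk, so whether the `roles` value is also applied to an already-existing parent user's permissions row on re-seeding is not visible here and is worth confirming.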


Expand Up @@ -9,9 +9,6 @@
from sqlalchemy.orm.session import Session
from sqlalchemy.sql import text

from fides.lib.models.fides_user import FidesUser
from fides.lib.models.fides_user_permissions import FidesUserPermissions

# revision identifiers, used by Alembic.
revision = "643249f65453"
down_revision = "5d62bab40b71"
@@ -0,0 +1,46 @@
"""remove user scopes

Revision ID: a0f219697fa0
Revises: 54102bba36de
Create Date: 2023-03-15 22:25:09.654149

"""
import sqlalchemy as sa
from alembic import op
from sqlalchemy import text
from sqlalchemy.dialects import postgresql

# revision identifiers, used by Alembic.
revision = "a0f219697fa0"
down_revision = "54102bba36de"
branch_labels = None
depends_on = None


def upgrade():
op.drop_column("fidesuserpermissions", "scopes")
"""One last time - remove scopes from user clients"""
bind = op.get_bind()
bind.execute(
text(
"""
UPDATE client
SET scopes = '{}'
FROM fidesuserpermissions
WHERE fidesuserpermissions.user_id = client.user_id;
"""
)
)


def downgrade():
op.add_column(
"fidesuserpermissions",
sa.Column(
"scopes",
postgresql.ARRAY(sa.VARCHAR()),
server_default=sa.text("'{}'::character varying[]"),
autoincrement=False,
nullable=True,
),
)
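Review bot: The `UPDATE client` in `upgrade()` clears `scopes` only for clients whose `user_id` matches a `fidesuserpermissions` row, so a user-bound client with no permissions row keeps its legacy scopes after the user-level `scopes` column they came from is dropped. If the intent is "remove scopes from every user client", `WHERE client.user_id IS NOT NULL` expresses that directly without depending on the permissions table — worth confirming whether such clients can exist. The `"""One last time - remove scopes from user clients"""` string sits after the `op.drop_column` call, so it is a no-op expression statement rather than a docstring; move it to the first line of `upgrade()` or make it a `#` comment. `downgrade()` re-adds an empty `scopes` column but cannot restore the dropped user scopes or the cleared client scopes, so the module docstring should say so, e.g. `Irreversible: user scopes and user-client scopes are wiped; downgrade only restores an empty column.`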