API RoleSet #6759
Comments
Guys, because of 2 methods below, we are vendoring > 500 files. This also forces us to enable
@justinas @r0mant I wonder if there is something we can do now? For example, we can we create a package
As for CGO, for now I stubbed out the only module that requires it. This at least makes it build again https://github.com/gravitational/cloud/pull/616/commits/711ffced08b41e4485770ebd49737305a4f62517 I am not too fresh on workings of Go modules, but
When you import a Go module, I think you indirectly import its entire dependency graph. That's why we split off It doesn't seem too difficult to detangle the Edit: it turns out that you only import/vendor packages that are actually used. You do however add the entire module's dependency graph (go.sum).
@justinas @klizhentas @alex-kovoy I'm missing some context here: why do you need to import Teleport's server-side authorization logic? If this is about code reuse, does it make sense to create a new Go module with a reusable authorization engine? Or maybe it's more reasonable to copy-paste the few helper types/functions you use? If this is about keeping the authz logic in sync with Teleport, can you elaborate your use case?
@awly we are trying to use Teleport roles for managing access to the Sales Center (SC) https://github.com/gravitational/cloud/issues/594 SC will fetch Teleport roles and then use AccessChecker to see if a user has access to an SC resource. The idea is to reuse Teleport code to work with the roles: we can revendor this code or make it part of Teleport Client. @klizhentas Another option is to turn an
Thanks for the context @alex-kovoy. Authz logic does not belong in the Teleport client module IMO, it's not useful for anyone building clients against the Teleport API.
Actually, @rueey seems to be working on something very similar to an AccessChecker API: https://github.com/gravitational/teleport/pull/6818/files
Closing due to inactivity.
@Joerger @justinas @r0mant a couple of observations and lessons learned based on https://github.com/gravitational/cloud/pull/616
We need a higher-level api.RoleSet that uses the client, watches the roles using a watcher and keeps a cache. We have all this machinery implemented in Teleport core, but need to port it to simplify developers' integration efforts.