ui: Implement read-only KV/Session and Intention views based on ACLs #9706
Merged
kaxcode approved these changes Feb 17, 2021
LGTM 🎉
johncowen added a commit that referenced this pull request Feb 19, 2021
…9706)

* Adds a {{disabled}} modifier that works similarly to fieldset

  In that you can set it to false on a parent node and all its sub nodes will be disabled. It has an added improvement that you can then separately allow children if you want to disable everything apart from one thing. One caveat here is that it relies on DOM twiddling and therefore disabling a parent is not currently very reactive and will need some MutationObserver work to make it fully reactive.

* Reorganize the base ability for reuse and add canWrite
* Add a session ability
* Make the mock-api authorize endpoint less brittle and more configurable
* Tweak intention write ability to include IsEditable
* Add authzing beforeModel hook to let us configure auth 403s centrally
* Centrally configure abilities for allowing certain endpoints
* Add session inspection and allow easy access of can from permissions
* Implement read/write access based views across KV/Sessions + Intentions
* Show notification depending on item.Session
* Lint
* Only look at path when auto creating nspaced routes
* Conditionally show view or edit words based on permissions
* Add new step so we can control permissions from acceptance tests
* Add tests to assert permissions inspection functionality
* Lint
* Add CONSUL_RESOURCE_*_* to README
This PR is a continuation of #9687.
Here we implement read-only views for KVs, Sessions and Intentions based on your ACL Token's policies.
This means you can assign ACLs to users in the UI giving certain users read only access to areas like KV. This is currently at a global level using something like:
which would give the user with a token with the above policy read only access to all KVs.
Being able to configure this more finely per KV will be added in a further PR.
Further notes:

- `{{disabled}}` modifier f0cc8cb. `<fieldset>`s have a nice feature that lets you set a `<fieldset disabled>` on them which means all of the form elements within the fieldset are in a disabled state, meaning you only have to set the disabled-ness in one place. The downside is, if you want everything disabled apart from one form element, there doesn't seem to be a native way to do that. Using a modifier instead means we can add the functionality we want here. This is currently not super reactive (if you add further elements to the parent element after insertion these will not be set to the correct value for disabled). In order to improve this we'll probably require some `MutationObserver` work. As and when we need that we can look at that then.
- `Router` in order to create Ember's routes. This means we can also use this information for other things, for example knowing whether a route is a wildcard route in order to add further url de/encoding logic to the params for this route. These commits further add to this configuration with an `abilities: []` property. The `abilities` property allows you to use `ember-can`'s DSL to specify what abilities a user requires in order to access a route. If the user doesn't have all of the specified abilities then they see a 403 page instead. Using the central configuration means we can add the logic required for this to our Consul specific base `Route`, then it's super simple to see all in one place, what routes have additional ability based restrictions.
- `CONSUL_RESOURCE_{singular-resource-name}_{access_type}`, so for example setting the cookie `CONSUL_RESOURCE_INTENTION_WRITE=false` will give you readonly intentions.
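
A sketch of the central route-ability check and the permission cookie convention described above, as an added example that is not the Consul UI's own code. The route names, ability strings and the helpers `permissionsFromCookies`, `authorize` and `viewMode` are hypothetical, and the default-allow mock combined with a fail-closed lookup is an assumption.

```javascript
// Added illustration, not code from the Consul UI. Route names, ability strings
// and helper names are hypothetical; only the `abilities: []` idea and the
// CONSUL_RESOURCE_{resource}_{access} cookie convention come from the PR text.
const ROUTES = {
  'dc.kv.index': { abilities: ['read kv'] },
  'dc.kv.edit': { abilities: ['read kv'] }, // same route, rendered as view or edit
  'dc.kv.create': { abilities: ['write kv'] },
  'dc.intentions.index': { abilities: ['read intention'] },
  'dc.services.index': { abilities: [] }, // no extra restriction
};

// Mock permissions (assumed behaviour): everything starts allowed and a cookie
// such as CONSUL_RESOURCE_INTENTION_WRITE=false switches one permission off.
function permissionsFromCookies(cookie, resources = ['kv', 'session', 'intention']) {
  const perms = new Map();
  for (const r of resources) {
    for (const a of ['read', 'write']) perms.set(`${a} ${r}`, true);
  }
  for (const pair of cookie.split(';')) {
    const [name, value = ''] = pair.trim().split('=');
    const m = /^CONSUL_RESOURCE_([A-Z]+)_(READ|WRITE)$/.exec(name);
    // Any value other than the literal "true" is treated as a denial.
    if (m) perms.set(`${m[2]} ${m[1]}`.toLowerCase(), value.trim() === 'true');
  }
  return perms;
}

// Fail closed: an ability that is missing from the map counts as denied.
const can = (perms, ability) => perms.get(ability) === true;

// A route is reachable only if every listed ability is held, otherwise 403.
function authorize(perms, routeName) {
  const route = ROUTES[routeName];
  if (!route) return 404;
  return route.abilities.every((a) => can(perms, a)) ? 200 : 403;
}

// Once the route check has passed, decide how the resource's form is shown.
function viewMode(perms, resource) {
  if (!can(perms, `read ${resource}`)) return 'forbidden';
  return can(perms, `write ${resource}`) ? 'edit' : 'view';
}
```

Checks like these only shape what the UI shows; Consul's ACL system still decides what the API accepts for a given token.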