[bugfix, ui] Allow running jobs from a namespace-limited token #13659
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
philrenaud
requested review from
DingoEatingFuzz,
lgfa29,
mikenomitch and
ChaiWithJai
Ember Asset Size actionAs of fce54f9 Files that got Bigger 🚨:
Files that stayed the same size 🤷:
|
ChaiWithJai
approved these changes
Jul 8, 2022
philrenaud
commented
Jul 8, 2022
ui/app/controllers/jobs/run.js
Outdated
| return availableNamespaces; | ||
| } | ||
|
|
||
| setFacetQueryParam(queryParam, selection) { |
There was a problem hiding this comment.
Forgive the naming conventions (qpNamespace, queryParam, etc.) - will revise. Was pullig from jobs/volumes routes.
Ember Test Audit comparison
|
lgfa29
added
backport/1.1.x
lgfa29
pushed a commit
that referenced
this pull request
Jul 11, 2022
* Allow running jobs from a namespace-limited token * qpNamespace cleanup * Looks like parse can deal with a * namespace * A little diff cleanup * Defensive destructuring * Removing accidental friendly-fire on can-scale * Testfix: Job run buttons from jobs index * Testfix: activeRegion job adapter string * Testfix: unit tests for job abilities correctly reflect the any-namespace rule * Testfix: job editor test looks for requests with namespace applied on plan
lgfa29
pushed a commit
that referenced
this pull request
Jul 11, 2022
* Allow running jobs from a namespace-limited token * qpNamespace cleanup * Looks like parse can deal with a * namespace * A little diff cleanup * Defensive destructuring * Removing accidental friendly-fire on can-scale * Testfix: Job run buttons from jobs index * Testfix: activeRegion job adapter string * Testfix: unit tests for job abilities correctly reflect the any-namespace rule * Testfix: job editor test looks for requests with namespace applied on plan
lgfa29
pushed a commit
that referenced
this pull request
Jul 11, 2022
… (#13687) * Allow running jobs from a namespace-limited token * qpNamespace cleanup * Looks like parse can deal with a * namespace * A little diff cleanup * Defensive destructuring * Removing accidental friendly-fire on can-scale * Testfix: Job run buttons from jobs index * Testfix: activeRegion job adapter string * Testfix: unit tests for job abilities correctly reflect the any-namespace rule * Testfix: job editor test looks for requests with namespace applied on plan Co-authored-by: Phil Renaud <[email protected]>
lgfa29
added a commit
that referenced
this pull request
Jul 11, 2022
lgfa29
added a commit
that referenced
this pull request
Jul 11, 2022
This was referenced Jul 11, 2022
lgfa29
pushed a commit
that referenced
this pull request
Jul 13, 2022
… (#13688) * Allow running jobs from a namespace-limited token * qpNamespace cleanup * Looks like parse can deal with a * namespace * A little diff cleanup * Defensive destructuring * Removing accidental friendly-fire on can-scale * Testfix: Job run buttons from jobs index * Testfix: activeRegion job adapter string * Testfix: unit tests for job abilities correctly reflect the any-namespace rule * Testfix: job editor test looks for requests with namespace applied on plan Co-authored-by: Phil Renaud <[email protected]>
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, there are a few things preventing a user from running a new job via the UI, in an environment where their ACL token has limited namespace abilities:
can runability now looks at all abilities across all namespaces within your policy. This means there's a chance you submit a job for which you don't have write permissions, but good news: it gets caught at several steps along the way upon submission. It's better to not restrict access to this editor and this change reflects that.* { read }andmyNamespace { write }, it would try to parse your job without a namespace and return a 403./parserequest. But now that that parse request is conditional upon the namespace... you get where this is going./parse.^--- great news update: Turns out we don't need to parse the namespace, we just need a namespace. All other things being equal, a
POSTto/parsewill 403 but/parse?namespace=*will 20x.Side-effect: Includes better error messaging for ACL permission errors upon job submission.