Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update roles and rolesmapping handling to match Lagoon permission logic #161

Merged
merged 2 commits into from
Jan 20, 2025
Merged

Update roles and rolesmapping handling to match Lagoon permission logic #161

merged 2 commits into from
Jan 20, 2025

Conversation

smlx
Copy link
Member

@smlx smlx commented Jan 17, 2025
edited
Loading

Previously lagoon-opensearch-sync was creating project roles and rolesmapping by iterating over groups, including for project groups. This logic was based on the incorrect assumption that projects and project groups (AKA project default groups) are a 1:1 mapping.

In reality, project groups can have multiple project "members". So the new logic ignores the project groups and just uses project IDs and names for roles and rolesmapping. This matches the logic used in the custom Keycloak mapper Lagoon uses to grant roles to Opensearch users.

Closes: #151

@smlx smlx changed the title multi project project default groups Support project groups with multiple projects Jan 17, 2025
smlx added 2 commits January 17, 2025 20:16
@smlx
chore: update roles test
164bb8e 
Add tests to ensure that roles are now created based on the project ID
and name only, ignoring groups.
@smlx
fix: create roles and rolesmapping based on project IDs and names only
c205f15 
Previously lagoon-opensearch-sync was creating project roles and
rolesmapping by iterating over groups, including for project groups.
This logic was based on the incorrect assumption that projects and
project groups (AKA project default groups) are a 1:1 mapping.

In reality, project groups can have multiple project "members". So
the new logic ignores the project groups and just uses project IDs and
names for roles and rolesmapping. This matches the logic used in the
custom Keycloak mapper Lagoon uses to grant roles to Opensearch users.
@smlx smlx force-pushed the multi-project-project-default-groups branch from 66187bf to c205f15 Compare January 17, 2025 12:24
@smlx smlx changed the title Support project groups with multiple projects Refactor roles and rolesmapping handling to match Lagoon permission logic Jan 17, 2025
@smlx smlx changed the title Refactor roles and rolesmapping handling to match Lagoon permission logic Update roles and rolesmapping handling to match Lagoon permission logic Jan 17, 2025
@smlx smlx marked this pull request as ready for review January 17, 2025 12:40
shreddedbacon
shreddedbacon reviewed Jan 19, 2025
View reviewed changes
Copy link
Member

@shreddedbacon shreddedbacon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this makes sense to do rather than using project-default-groups. This way it also ensures that there will always be the correct p${id} backendrole and index pattern for every project.

@smlx smlx merged commit 48b5a49 into main Jan 20, 2025
10 checks passed
@smlx smlx deleted the multi-project-project-default-groups branch January 20, 2025 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shreddedbacon shreddedbacon shreddedbacon approved these changes

@tobybellwood tobybellwood Awaiting requested review from tobybellwood

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

role creation for projects doesn't handle multiple projects in default project group
2 participants
@smlx @shreddedbacon