General improvement of user permissions validations on the web console
Summary
Currently, the web console implements user permission validations in a high-level manner, in the sense that if any action is not allowed on a CRD for a given user, the buttons or methods to execute such actions are not rendered on the frontend.
That said, there's still plenty of room for improvement. Cases like the GET requests sent to the API even when the user might have no permissions to do so (see #1622 (closed)) or even blocking access to paths which the user could not be able to access directly, are some of the areas in which further validations should be implemented.
Possible Solution
The way the web console handles the user permissions should map the RBAC rules according to the verbs
information related to it coming from the /can-i
endpoint.
Resource | Verbs |
---|---|
sgclusters | get, list, create, update, patch, delete |
sgpgconfigs | get, list, create, update, patch, delete |
sginstanceprofiles | get, list, create, update, patch, delete |
sgbackups | get, list, create, update, patch, delete |
sgbackupconfigs | get, list, create, update, patch, delete |
sgdistributedlogs | get, list, create, update, patch, delete |
sgpoolconfigs | get, list, create, update, patch, delete |
customresourcedefinitions | get, list |
namespaces | get, list |
pods | get, list |
secrets | get, list |
storageclasses | get, list |
Environment
- StackGres version:
1.1.0
Edited by Luis Garcia