[CHEF-1685] WIP - allow org-admins to modify organizations #3927
5fc71b4
to
ffc2925
Compare
@@ -441,7 +443,23 @@ is_authorized(Req, State, Extractor) -> | |||
end; | |||
{false, ReqOther, StateOther} -> | |||
%% FIXME: the supported version is determined by the chef_authn application | |||
%% also, see: https://wiki.corp.chef.io/display/CORP/RFC+Authentication+Version+Negotiation |
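Review bot: With the `wiki.corp.chef.io` reference dropped from the `{false, ReqOther, StateOther}` branch of `is_authorized/3`, the `%% FIXME` that stays behind only states that the supported version is determined by the chef_authn application and no longer says what is supposed to be fixed. Either reword it as a plain comment describing the current behaviour, or point it at a tracked issue in this repository so the intent is not lost along with the dead link.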
^ removed because this link is dead, and I can find no replacement for it in the new wiki.
In addition to giving org-admins permissions to CRUD organizations, this removes the requirement that in order to modify an organization, the actor must be a member of the organization.

However, they must still have appropriate permissions to perform any CRUD action related to an organization.

This supports the multi-tenancy case where a customer has many organizations to manage but does not necessarily need admins to be a part of those organizations. The primary use case is a SaaS offering, in which customers have full control over a chef server installation but do not have local/chef-server-ctl access, and must keep the pivotal key locked down for security purposes.

This functionality is already available using the pivotal/superuser key, but the pivotal key should not be widely distributed. This functionality was also originally intended to be available to org-admins but the completion of that work was never prioritized.

Signed-off-by: Marc A. Paradise <marc.paradise@progress.com>
ffc2925
to
172b8d0
Compare