What can user do

[jhadvig]

Created a new AuthorizationService to determine actions that user can/can't do.
The new service consists from two main methods:

• reviewUserRules
  • which serves for reviewing multiple resource/verb pairs (namespaced and also non-namespaced)
  • resource/verb pair combinations are listed in the $scope.canI variable which should be set in each controller which will call this method.
  • obtained rules will be cached, until refreshing the page,changing projects, when 3 minute interval passes
• canI
  • lightweight version of the first method (response only takes info if user is allowed to perform action on the ressource)
  • servers for reviewing single resource/verb pair (namespaced and also non-namespaced)
  • does not need $scope.canI variable, will create one if not present in controller and adds the result of the resource/verb review to it.

@jwforres PTAL

Implements https://trello.com/c/UQEUgVrY

[spadgett]

Does this work (here and below)?

_.includes(rule.resources, resource)

[jhadvig]

will add bindata after review :)

[jwforres]

I suspect @liggitt will be interested in this one

[jwforres]

So first, keep your existing changes in a side branch since you have them working ...
But I'd like you to try something else since I would prefer to see no changes to the controllers. Here is what I am thinking:

1. Add a filter that passes through to AuthorizationService.canI (similar to what we do with the navigate filters), AuthorizationService.canI should just return false if a rules review has not yet been performed. Views should call the canI filter for the individual actions.
2. To determine whether to show the Actions dropdown menu, you'll want to add a filter which is canIDoAny that accepts an array of actions it wants to check and will return true as soon as it determines the user can perform any of the actions.
3. Instead of having all the controllers for namespace scoped pages requesting to have a rules review performed, we should request a rules review as part of ProjectsService.getProject

I've at least run this by @spadgett and @benjaminapetersen and we agree in theory

[liggitt]

should this be more specific regarding api group, kind, and resource?

[spadgett]

I know we do this in other places, but we shouldn't pass scope to services. Services shouldn't know anything about a controller's scope.

[spadgett]

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1293791

[jhadvig]

@jwforres I've updated the PR(not final) to get additional feedback.
Things I want to ask:

1. I've add the AuthorizationService.getProjectRules call to the projects.js service, but not sure if that s the right place, since at the settings page im experiancing that the $digest is not triggered when the $http get call response with the selfsubjectrulesreviews.
2. Whats you opinion on showing the 'missing health check' notification, specifically the links to 'Add Health Check'. Also for metrics, as QA asked in the card https://trello.com/c/UQEUgVrY/661-3-only-show-users-actions-they-have-authority-to-perform

[benjaminapetersen]

You can probably just return _.contains(rules[resource], verb) here since underscore will return true or false for you.

[jwforres]

create on builds/clone isnt the right check for cancel build, copy/paste error i'm guessing, same thing on line 42 below. Should just be checking update on builds i think.

[jwforres]

Can you go ahead and add this to otherResources.js so that it will only put things in the dropdown that can actually be listed by the user:

   // for context, goes underneath the .then
    ProjectsService
      .get($routeParams.project)
      .then(_.spread(function(project, context
...
...
       // add this
        $scope.kinds = _.filter($scope.kinds, function(kind){
          var resource = APIService.kindToResource(kind.kind);
          return AuthorizationService.canI("list", kind.group ? kind.group + "/" + resource : resource, $scope.projectName);
        });

You'll also need to include AuthorizationService in the list of deps at the top of the service. You'll know its working if you can't see PetSets.

Then in constants.js please remove

      "LocalResourceAccessReview",
      "LocalSubjectAccessReview",
      "ResourceAccessReview",
      "SubjectAccessReview",
      "ReplicationControllerDummy",

from the blacklist, they'll now be cleanly removed from the list because the List verb isn't allowed on them. You need to leave DeploymentConfigRollback for now.

[liggitt]

checking if it contains / is fine, but I'd rather not use endsWith... we should have an explicit list (or hash) of resources we don't care about for this

[jwforres]

also remove ReplicaSet, PodTemplate, and ThirdPartyResource from the blacklist

[jwforres]

There is another View Log link that needs a canI check here https://github.com/openshift/origin-web-console/pull/82/files#diff-d40b418167447e1277db88f1163bb5d9L117

[jwforres]

this should be pods/exec

[jhadvig]

@jwforres @benjaminapetersen @liggitt I've update the PR based on your comments, expect the one that suggests to return the rules together with the project and context, since we have canI, canIDoAny, canIScale, canIAddToProject filters that take care of any users actions they have authority to perform

[benjaminapetersen]

Cool, I'm good with that.

[jwforres]

why is this not returning true?

[jwforres]

ignore this comment, i'd rather see https://github.com/openshift/origin-web-console/pull/82/files#r70297639 happen

[jwforres]

[merge]

[jwforres]

looks like it might have just been a flake [merge]

[jwforres]

failed on the same test, @jhadvig can you run grunt test-integration locally and see if its passing

[jwforres]

[merge] will let it go one more time, but i suspect this may be related to additional delay before the delete action is being shown

[openshift-bot]

Origin Web Console Merge Results: SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_web_console/104/)

[jwforres]

[merge]

[openshift-bot]

Evaluated for origin web console merge up to 332bffe