[CHEF-1685] WIP - allow org-admins to modify organizations #3927

Open
wants to merge 1 commit into
base: main

marcparadise
Member

In addition to giving org-admins permissions to CRUD organizations, this removes the requirement that in order to modify an organization, the actor must be a member of the organization.

However, they must still have appropriate permissions to perform any CRUD action related to an organization.

This supports the multi-tenancy case where a customer has many organizations to manage but does not necessarily need admins to be a part of those organizations. The primary use case is a SaaS offering, in which customers have full control over a chef server installation but do not have local/chef-server-ctl access, and must keep the pivotal key locked down for security purposes.

This functionality is already available using the pivotal/superuser key, but the pivotal key should not be widely distributed. This functionality was also originally intended to be available to org-admins but the completion of that work was never prioritized.

@marcparadise marcparadise requested review from a team as code owners October 17, 2024 21:30

netlify bot commented Oct 17, 2024

👷 Deploy Preview for chef-server processing.

Name Link
🔨 Latest commit 172b8d0
🔍 Latest deploy log https://app.netlify.com/sites/chef-server/deploys/671184faa2b3c7000892745e

@marcparadise marcparadise force-pushed the CHEF-1685/expand-server-admins-capabilities branch 2 times, most recently from 5fc71b4 to ffc2925 Compare October 17, 2024 21:40
@@ -441,7 +443,23 @@ is_authorized(Req, State, Extractor) ->
end;
{false, ReqOther, StateOther} ->
%% FIXME: the supported version is determined by the chef_authn application
%% also, see: https://wiki.corp.chef.io/display/CORP/RFC+Authentication+Version+Negotiation
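Review bot: The FIXME at the end of this hunk, in the `{false, ReqOther, StateOther}` branch of is_authorized, leaves its explanation to an internal wiki.corp.chef.io page rather than stating it. Say in the comment itself what is outstanding about how chef_authn determines the supported version, or reference a tracked issue, so the note in this authorization path stays actionable without the link.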
Member Author

^ removed because this link is dead, and I can find no replacement for it in the new wiki.

In addition to giving org-admins permissions to CRUD organizations,
this removes the requirement that in order to modify an organization,
the actor must be a member of the organization.

However, they must still have appropriate permissions to perform any CRUD action
related to an organization.

This supports the multi-tenancy case where a customer has many organizations to manage
but does not necessarily need admins to be a part of those organizations. The primary
use case is a SaaS offering, in which customers have full control over a chef
server installation but do not have local/chef-server-ctl access, and
must keep the pivotal key locked down for security purposes.

This functionality is already available using the pivotal/superuser key, but the
pivotal key should not be widely distributed. This functionality was also originally
intended to be available to org-admins but the completion of that work was never
prioritized.

Signed-off-by: Marc A. Paradise <[email protected]>
@marcparadise marcparadise force-pushed the CHEF-1685/expand-server-admins-capabilities branch from ffc2925 to 172b8d0 Compare October 17, 2024 21:43