feat: Add api to list user roles on project#639
konac-hamza wants to merge 2 commits into openstack-experimental:main from
Conversation
    ) -> Result<(), AssignmentProviderError>;

    // List user roles on project
    async fn list_user_roles_on_project(
It is definitely not going to be efficient to build a dedicated function for every possible request combination. The provider already accepts a structure supporting a variety of queries that should be used for calls like this.
You are right, but I have tried to prevent unnecessary iteration. With respect to the official document, this API should return a role list instead of an assignment list. In order to achieve that with the response of the role_assignment method, we need to iterate over all assignments and convert them to roles. The idea of the implemented new method is to prevent this inefficient iteration.
    let roles: Vec<Role> = state
        .provider
        .get_assignment_provider()
Here you should call the existing list assignments with the proper query params.
Should I convert assignments to roles in here?
    allow if {
        "reader" in input.credentials.roles
        assignment.project_user_role_domain_matches
This will not work and was designed for a different case:
- there is no role known, so the condition is most likely always going to be false
- we should not give any "reader" the possibility to list roles of any other user; in this particular case the domain manager should be allowed, as well as the user itself
    test_allowed if {
        list.allow with input as {"credentials": {"roles": ["admin"]}}
        list.allow with input as {"credentials": {"roles": ["reader"], "scope": "system"}}
        list.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo"}, "role": {"domain_id": null}}}
All tests are correspondingly wrong. You want to list the roles that the user has; there can't be a role present in the policy data.
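To make the two review points above concrete (no role in the input, and only admin, the user itself, or the user's domain manager may list a user's roles), here is an added policy sketch with tests; it is not code from this PR or the project, and the package name, the `input.credentials.user_id` / `input.target.user.id` fields, and the "manager" role name are assumptions.

```rego
# Hypothetical package name; the PR's tests refer to the policy as `list`.
package identity.user_roles_on_project.list

import rego.v1

default allow := false

# A system-scoped admin may list anyone's roles.
allow if {
    "admin" in input.credentials.roles
}

# A user may always list their own roles
# (assumed fields: credentials.user_id and target.user.id).
allow if {
    input.credentials.user_id == input.target.user.id
}

# A domain manager may list roles of users of their own domain on projects
# of that same domain ("manager" role name and domain_id fields assumed).
allow if {
    "manager" in input.credentials.roles
    input.credentials.domain_id == input.target.user.domain_id
    input.credentials.domain_id == input.target.project.domain_id
}

# No "role" key anywhere in the input: the request lists the user's roles.
test_self_allowed if {
    allow with input as {
        "credentials": {"user_id": "u1", "roles": ["member"]},
        "target": {"user": {"id": "u1", "domain_id": "d1"}, "project": {"domain_id": "d1"}},
    }
}

test_domain_manager_allowed if {
    allow with input as {
        "credentials": {"user_id": "mgr", "roles": ["manager"], "domain_id": "d1"},
        "target": {"user": {"id": "u1", "domain_id": "d1"}, "project": {"domain_id": "d1"}},
    }
}

test_reader_other_user_denied if {
    not allow with input as {
        "credentials": {"user_id": "u2", "roles": ["reader"], "domain_id": "d1"},
        "target": {"user": {"id": "u1", "domain_id": "d1"}, "project": {"domain_id": "d1"}},
    }
}
```

Run with `opa test` to check the three cases; the last one is the deny that the reviewer asks for.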
No description provided.