UI/database cg read role #12111
Merged
Monkeychip
reviewed
Jul 16, 2021
if (id) { | ||
return { | ||
...resp, | ||
type: 'dynamic', |
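Review bot: In the `if (id)` branch, `type: 'dynamic'` is listed after `...resp`, so it replaces any `type` key the response already carries. If `resp` can include its own `type`, use a more specific key name, or add a comment stating that the override is intended.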
smart move on adding a type.
Monkeychip
approved these changes
Jul 16, 2021
I really like your approach on this. Nice work!
hashishaw
added a commit
that referenced
this pull request
Jul 21, 2021
* Add type param to secret show, handle CG in database role show
* If roleType is passed to credential, only make one creds API call
* Clean up db role adapter and serializer
* url param roleType passed to credentials call
* Role list capabilities check for static and dynamic separately
* Add changelog
* Consistent adapter response for single or double call
* Prioritize dynamic response if control group on role/creds
hashishaw
added a commit
that referenced
this pull request
Jul 21, 2021
* UI/database cg read role (#12111)
* Add type param to secret show, handle CG in database role show
* If roleType is passed to credential, only make one creds API call
* Clean up db role adapter and serializer
* url param roleType passed to credentials call
* Role list capabilities check for static and dynamic separately
* Add changelog
* Consistent adapter response for single or double call
* Prioritize dynamic response if control group on role/creds
* UI/database cg read role (#12111)
* Add type param to secret show, handle CG in database role show
* If roleType is passed to credential, only make one creds API call
* Clean up db role adapter and serializer
* url param roleType passed to credentials call
* Role list capabilities check for static and dynamic separately
* Add changelog
* Consistent adapter response for single or double call
* Prioritize dynamic response if control group on role/creds
Since database roles are coming from two different endpoints, we were doing non-typical things with the ajax request that circumvented our typical control group logic. This makes a few changes that make it easier to take advantage of default behavior, and put in control group checks otherwise:

Example Scenario where `education` is a static type role, and `readonly` is a dynamic type role.

BEFORE Control groups on both roles. Notice that I clicked on a static type role, which should have had control group access for `database/static-roles/education`

AFTER Viewing and credentials on role both work correctly when control groups active on those paths

AFTER Known behavior: when a developer only has CG read access for both credential paths as wildcards, or just `creds/*`: The dynamic role will work as expected but the static role does not.

Workaround options:
* `read` access on `/database/static-roles` so the developer can traverse to the correct path
* `/database/creds/readonly`) rather than wildcards
* `roleType` param (eg. `https://my-vault.dev/ui/vault/secrets/database/credentials/education?roleType=static`) (example below)
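
The following is an added illustration of the behavior described above, not code from this pull request or from the Vault UI: one creds call when `roleType` is known, two otherwise, and a single response shape with dynamic prioritized. The function names, the `wrap_info` response shape used to mark a control-group-gated read, and the sample values are assumptions; `static-creds` is the static credentials path of Vault's database secrets engine.

```javascript
// Added illustration, not Vault UI source. Response shapes are constructed.
const ROLE_TYPES = ['dynamic', 'static']; // order = priority when both are tried
const CREDS_ENDPOINT = { dynamic: 'creds', static: 'static-creds' };

// Plan the credential reads. roleType arrives from the URL, so it is checked
// against an allow-list; anything else falls back to trying both endpoints.
function planCredsReads(backend, role, roleType) {
  const types = ROLE_TYPES.includes(roleType) ? [roleType] : ROLE_TYPES;
  return types.map((type) => ({
    type,
    path: `${backend}/${CREDS_ENDPOINT[type]}/${encodeURIComponent(role)}`,
  }));
}

// Classify one settled read. Assumption: a control-group-gated read returns
// wrap_info (accessor and token) instead of data; null stands for a denied read.
function classify(res) {
  if (res && res.data) return { state: 'ok', data: res.data };
  if (res && res.wrap_info) return { state: 'control_group', accessor: res.wrap_info.accessor };
  return { state: 'denied' };
}

// Reduce one or two settled reads to one result with the same shape either way.
// Credentials win; otherwise the first control group in plan order (dynamic first).
function resolveCreds(plan, responses) {
  const settled = plan.map((req, i) => ({ ...req, ...classify(responses[i]) }));
  return (
    settled.find((r) => r.state === 'ok') ||
    settled.find((r) => r.state === 'control_group') ||
    { type: null, path: null, state: 'denied' }
  );
}

// Constructed scenario: `education` is a static role and control groups gate
// both credential paths, so every planned read comes back wrapped.
function educationBehindControlGroups(roleType) {
  const plan = planCredsReads('database', 'education', roleType);
  const responses = plan.map((req) => ({
    wrap_info: { accessor: `constructed-accessor-${req.type}`, token: 'constructed-token' },
  }));
  return resolveCreds(plan, responses);
}

console.log(educationBehindControlGroups().path); // database/creds/education
console.log(educationBehindControlGroups('static').path); // database/static-creds/education
```

Under these assumptions, leaving out `roleType` sends the control group request to the dynamic path even though `education` is static, which is the known behavior listed above; passing `roleType=static` targets the static path directly.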