Skip to content

Draft: 931 feature add role based access control to running workflows #939

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Draft: 931 feature add role based access control to running workflows #939

wants to merge 3 commits into from

Conversation

eenblam
Copy link

@eenblam eenblam commented May 8, 2025

Here's my first pass at adding auth for inputstep per #931.

I'd appreciate feedback on my present approach, but I'd also like to address the following loose ends before merging:

  • Adding tests for how @workflow auth interacts with @inputstep auth and resolving any issues identified in the process.
  • Logging step in which an error was encountered if possible (see TODO in current changes)
  • Ensure UI is either disabled or user is alerted before hitting Resume Workflow if possible. Current changes only address the backend authorization.

Ben Elam added 2 commits May 6, 2025 16:07
Ensure resume_process_endpoint checks workflow auth
b969bc9 
This was already enabled in resume_process, but we weren't passing the
user model in to be checked.
Implement auth for inputstep
5ad4a69
@codspeed-hq CodSpeed HQ
Copy link

codspeed-hq bot commented May 8, 2025
edited
Loading

CodSpeed Performance Report

Merging #939 will not alter performance

Comparing 931-feature-add-role-based-access-control-to-running-workflows (e4a5e3a) with main (9848fef)

Summary

✅ 13 untouched benchmarks

@codecov Codecov
Copy link

codecov bot commented May 8, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 92.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 83.50%. Comparing base (f0677d1) to head (e4a5e3a).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
orchestrator/workflow.py 90.47% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #939      +/-   ##
==========================================
+ Coverage   83.49%   83.50%   +0.01%     
==========================================
  Files         205      205              
  Lines       10206    10225      +19     
  Branches     1022     1025       +3     
==========================================
+ Hits         8521     8538      +17     
- Misses       1414     1415       +1     
- Partials      271      272       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

pboers1988
pboers1988 reviewed May 8, 2025
View reviewed changes
orchestrator/workflow.py Outdated
authorize_callback(user_model)
if not authorize_callback(user_model):
logger.error("authorize_user_from_state: FORBIDDEN")
#TODO not sure that step name is available here, but could put it on state?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be available in the StateInputStepFunc object

@eenblam eenblam force-pushed the 931-feature-add-role-based-access-control-to-running-workflows branch from e4a5e3a to 6e33048 Compare May 8, 2025 16:28
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@pboers1988 pboers1988 pboers1988 left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eenblam @pboers1988