fix: pipeline rbac fixes #4976
fix: pipeline rbac fixes #4976
Conversation
WalkthroughThe pull request introduces modifications primarily in the Changes
Assessment against linked issues
Possibly related PRs
Suggested labels
Suggested reviewers
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Outside diff range and nitpick comments (2)
src/common/infra/ofga.rs (1)
198-208: Consider batching pipeline migrations for better performance.The current implementation fetches all pipelines for each organization at once. For organizations with many pipelines, this could lead to memory pressure.
Consider implementing batch processing:
- Fetch pipelines in chunks
- Process each chunk before fetching the next
- Add progress logging
Would you like me to provide an example implementation with batching?
src/common/utils/auth.rs (1)
343-347: LGTM! Consider adding a clarifying comment.The exclusion of streams and pipelines from the PUT method condition correctly fixes the RBAC permission logic. This change ensures proper authorization checks for pipeline operations.
Consider adding a comment to explain why streams and pipelines require different handling:
} else if method.eq("PUT") + // Streams and pipelines have special handling for PUT operations + // as they require different permission checks && path_columns[1] != "streams" && path_columns[1] != "pipelines" || method.eq("DELETE")
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (3)
src/common/infra/ofga.rs(4 hunks)src/common/utils/auth.rs(1 hunks)src/handler/http/request/pipeline.rs(2 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
src/common/infra/ofga.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
src/common/utils/auth.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
src/handler/http/request/pipeline.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
🔇 Additional comments (4)
src/handler/http/request/pipeline.rs (3)
21-21: LGTM: Import statement is correctly placed and used.
Line range hint 38-199: Consider implementing consistent RBAC across all pipeline endpoints.
While the RBAC improvements in list_pipelines are good, other endpoints (save_pipeline, delete_pipeline, update_pipeline, enable_pipeline) might benefit from similar permission model checks for consistency.
#!/bin/bash
# Check if other endpoints have RBAC checks
rg -A 5 "list_objects_for_user.*pipeline" 83-85: Verify pipeline model registration in OFGA_MODELS.
The change from hardcoded "logs" to dynamic model lookup is an improvement. However, let's verify that "pipelines" is properly registered in OFGA_MODELS to avoid always falling back to the default.
src/common/infra/ofga.rs (1)
18-18: LGTM: Import changes are appropriate.
The new imports support the pipeline migration functionality.
Also applies to: 25-26
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
web/src/components/iam/roles/EditRole.vue (1)
1437-1447: Consider enhancing error handling and type safety.The implementation follows the established pattern and correctly integrates with the pipeline service. However, consider these improvements:
- Add error handling to catch and properly handle API failures
- Add TypeScript type annotations for better code maintainability
-const getPipelines = async () => { +const getPipelines = async (): Promise<void> => { try { const pipelines = await pipelineService.getPipelines( store.state.selectedOrganization.identifier ); updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]); } catch (error) { + console.error('Failed to fetch pipelines:', error); + throw error; } - return new Promise((resolve) => { - resolve(true); - }); };
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
web/src/components/iam/roles/EditRole.vue(3 hunks)
🔇 Additional comments (1)
web/src/components/iam/roles/EditRole.vue (1)
329-329: LGTM: Pipeline service import added correctly.
The import statement is properly placed alongside other service imports and aligns with the PR's objective to implement pipeline RBAC fixes.
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
src/common/infra/ofga.rs(4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
src/common/infra/ofga.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
🔇 Additional comments (2)
src/common/infra/ofga.rs (2)
24-25: LGTM!
The import changes are clean and well-organized.
48-48: LGTM!
The pipeline migration flag follows the established pattern.
Subhra264
force-pushed
the
fix/rbac-pipeline
branch
from
729085e to
e4e190e
Compare
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
src/common/infra/ofga.rs (1)
201-216: Consider transaction safety for pipeline migrationWhile the error handling is robust, the pipeline migration process might leave the system in an inconsistent state if it fails partway through. Consider:
- Collecting all tuples first
- Performing the update in a single transaction
Here's a suggested approach:
if need_pipeline_migration { + let mut pipeline_tuples = Vec::new(); match db::pipeline::list_by_org(org_name).await { Ok(pipelines) => { for pipeline in pipelines { - add_tuple_for_pipeline(org_name, &pipeline.name, &mut tuples); + add_tuple_for_pipeline(org_name, &pipeline.name, &mut pipeline_tuples); } + // Add all pipeline tuples at once + tuples.extend(pipeline_tuples); } Err(e) => { log::error!( "Failed to migrate RBAC for org {} pipelines: {}", org_name, e ); } } }
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
src/common/infra/ofga.rs(4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
src/common/infra/ofga.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
web/src/components/iam/roles/EditRole.vue (1)
1437-1447: Consider adding error handling for pipeline fetching.The implementation follows the established pattern and correctly integrates with the existing resource entity management. However, consider adding error handling to match the robustness of a production system.
const getPipelines = async () => { - const pipelines = await pipelineService.getPipelines( - store.state.selectedOrganization.identifier - ); + try { + const pipelines = await pipelineService.getPipelines( + store.state.selectedOrganization.identifier + ); - updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]); + updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]); - return new Promise((resolve) => { - resolve(true); - }); + return Promise.resolve(true); + } catch (error) { + console.error('Failed to fetch pipelines:', error); + return Promise.reject(error); + } };
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (4)
src/common/infra/ofga.rs(4 hunks)src/common/utils/auth.rs(1 hunks)src/handler/http/request/pipeline.rs(1 hunks)web/src/components/iam/roles/EditRole.vue(3 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
- src/common/infra/ofga.rs
- src/common/utils/auth.rs
- src/handler/http/request/pipeline.rs
🔇 Additional comments (1)
web/src/components/iam/roles/EditRole.vue (1)
329-329: LGTM: Pipeline service import added correctly.
The import follows the established pattern and is properly placed with other service imports.
taimingl
force-pushed
the
fix/rbac-pipeline
branch
from
7b01f08 to
71bea66
Compare
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
web/src/components/iam/roles/EditRole.vue (1)
1437-1447: Add error handling to getPipelines function.While the implementation follows the established pattern and correctly integrates with the existing entity loading system, consider adding error handling for robustness.
Apply this diff to improve error handling:
const getPipelines = async () => { - const pipelines = await pipelineService.getPipelines( - store.state.selectedOrganization.identifier - ); + try { + const pipelines = await pipelineService.getPipelines( + store.state.selectedOrganization.identifier + ); - updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]); + updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]); - return new Promise((resolve) => { - resolve(true); - }); + return true; + } catch (error) { + console.error('Failed to fetch pipelines:', error); + throw error; + } };
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (5)
src/common/infra/ofga.rs(4 hunks)src/common/utils/auth.rs(1 hunks)src/handler/http/request/pipeline.rs(1 hunks)src/service/pipeline/mod.rs(1 hunks)web/src/components/iam/roles/EditRole.vue(3 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
- src/common/infra/ofga.rs
- src/common/utils/auth.rs
- src/handler/http/request/pipeline.rs
🧰 Additional context used
📓 Path-based instructions (1)
src/service/pipeline/mod.rs (1)
Pattern **/*.rs: You are a smart rustlang pull request reviewer.
You are going to review all the rustlang files.
Be concise, and add a brief explanation to your suggestions
Make sure the responses are not too verbose and keep the suggestions to the point i.e. actionable.
🔇 Additional comments (3)
src/service/pipeline/mod.rs (2)
176-176: LGTM! Verify permission format changes across the codebase.
The permission format changes from plural pipelines:* to singular pipeline:* look good and align with standardizing the RBAC permission logic.
Let's verify that this permission format change is consistent across the codebase:
Also applies to: 180-180
✅ Verification successful
Let me gather more information about the permission format usage across the codebase.
Let me check for any old permission format usage to ensure completeness.
Based on the gathered information, I can now provide a final response:
Permission format change is correctly implemented and consistent
The changes to use singular pipeline: format instead of plural pipelines: are correctly implemented in the permission checks. The search results confirm:
- The new format
pipeline:{id}andpipeline:_all_{org_id}is used consistently in permission checks - No instances of the old
pipelines:format were found in permission-related code - The only occurrences of "pipelines" are in variable names and type definitions, not in permission strings
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check for any remaining instances of the old permission format
# and verify the new format is used consistently.
echo "Checking for old permission format 'pipelines:'"
rg -l 'pipelines:[^/]' || echo "No files contain old format"
echo -e "\nChecking usage of new permission format 'pipeline:'"
rg -l 'pipeline:[^/]'
Length of output: 302834
Script:
#!/bin/bash
# Check for permission format usage in Rust files
echo "Checking permission format in Rust files:"
rg -A 2 'pipeline:' src/service/pipeline/
Length of output: 3991
Script:
#!/bin/bash
# Check for old permission format 'pipelines:' in the codebase
echo "Checking for old permission format:"
rg -A 2 'pipelines:' src/
# Check for permission validation/checking logic
echo -e "\nChecking permission validation logic:"
rg -A 5 'fn.*permission' src/service/pipeline/
Length of output: 2214
Line range hint 173-186: Verify SSO user permissions for pipeline visibility.
Given issue #4982 about SSO users not seeing root-created pipelines, please verify that:
- SSO users receive the correct permissions in the
permittedparameter - The permission format change doesn't affect SSO user access
Let's check the permission handling for SSO users:
web/src/components/iam/roles/EditRole.vue (1)
329-329: LGTM: Pipeline service import added correctly.
The import statement follows the established pattern and is appropriately placed with other service imports.
Fixes #4982
Summary by CodeRabbit
New Features
list_pipelinesfunction, allowing for dynamic model retrieval.Bug Fixes
Documentation