10000 Update Apply APIs to authorize Upserts against full label sets by jgraettinger · Pull Request #434 · gazette/core · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Update Apply APIs to authorize Upserts against full label sets #434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 13, 2025
Merged

Update Apply APIs to authorize Upserts against full label sets #434

merged 1 commit into from
Jun 13, 2025

Conversation

jgraettinger
Copy link
Contributor
@jgraettinger jgraettinger commented Jun 12, 2025
edited
Loading

This change updates both the broker and consumer Apply APIs to handle label selectors differently for Upserts and Deletes:

For Upserts:

  • Authorization now checks against the full label set (including meta-labels)
  • Uses LabelSetExt() to get all labels including "name" (broker) or "id" (consumer)
  • Ensures consistency with how List operations authorize

For Deletes:

  • Maintains backward compatibility with name-only (broker) or id-only (consumer) authorization
  • No change in behavior for delete operations

This change ensures that users with label-based claims can only upsert journals/shards if their claims match all the labels on the resource, not just the name/id. This provides more granular access control.

🤖 Generated with Claude Code

This change is Reviewable

@jgraettinger @claude
Update Apply APIs to authorize Upserts against full label sets
8d63e80 
This change updates both the broker and consumer Apply APIs to handle
label selectors differently for Upserts and Deletes:

For Upserts:
- Authorization now checks against the full label set (including meta-labels)
- Uses LabelSetExt() to get all labels including "name" (broker) or "id" (consumer)
- Ensures consistency with how List operations authorize

For Deletes:
- Maintains backward compatibility with name-only (broker) or id-only (consumer) authorization
- No change in behavior for delete operations

This change ensures that users with label-based claims can only upsert
journals/shards if their claims match all the labels on the resource,
not just the name/id. This provides more granular access control.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jgraettinger jgraettinger requested a review from psFried June 12, 2025 07:35
@jgraettinger jgraettinger mentioned this pull request Jun 12, 2025
Merged
psFried
psFried approved these changes Jun 12, 2025
View reviewed changes
Copy link
Contributor
@psFried psFried left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jgraettinger jgraettinger merged commit add3e3d into master Jun 13, 2025
1 check passed
@jgraettinger jgraettinger deleted the johnny/apply-labels branch June 13, 2025 04:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@psFried psFried psFried approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jgraettinger @psFried
0